Information
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.
Rationale:
Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. When mailbox auditing on by default is turned on for the organization, the AuditEnabled property for affected mailboxes won't be changed from False to True. In other words, mailbox auditing on by default ignores the AuditEnabled property on mailboxes. However, only certain mailbox types support auditing on by default:
User Mailboxes
Shared Mailboxes
Microsoft 365 Group Mailboxes
The remaining mailbox types require auditing to be turned on at the mailbox level:
Resource Mailboxes
Public Folder Mailboxes
DiscoverySearch Mailbox
Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing allows for Microsoft 365 back office teams to run security operations, forensics or general investigations on mailbox activities.
NOTE: Without advanced auditing (an E5 feature) the logs are limited to 90 days.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To enable mailbox auditing for all users using PowerShell:
Connect to Exchange Online using Connect-ExchangeOnline.
Run the following PowerShell commands:
# Actions to audit for administrator, delegate and owner access (the three sets the benchmark requires)
$AuditAdmin = @('Copy', 'Create', 'FolderBind', 'HardDelete', 'MessageBind', 'Move', 'MoveToDeletedItems', 'SendAs', 'SendOnBehalf', 'SoftDelete', 'Update', 'UpdateCalendarDelegation', 'UpdateFolderPermissions', 'UpdateInboxRules')
$AuditDelegate = @('Create', 'FolderBind', 'HardDelete', 'Move', 'MoveToDeletedItems', 'SendAs', 'SendOnBehalf', 'SoftDelete', 'Update', 'UpdateFolderPermissions', 'UpdateInboxRules')
# Owner actions; passed to -AuditOwner below
$AuditOwner = @('Create', 'HardDelete', 'MailboxLogin', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'Update', 'UpdateCalendarDelegation', 'UpdateFolderPermissions', 'UpdateInboxRules')
# Enable auditing on every mailbox, retain audit records for 180 days, and apply the three action sets
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate -AuditOwner $AuditOwner
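Because Nessus does not perform this check, a read-only verification script is useful before and after remediation. The following is an added example written for this page, not code from the benchmark or from Nessus; it assumes an existing Connect-ExchangeOnline session, reads the tenant-level default from the AuditDisabled property of Get-OrganizationConfig, and reports each mailbox whose settings fall short of the values applied in the Solution.

```powershell
# Added example: report mailboxes that do not meet the benchmark's auditing settings.
# Assumes Connect-ExchangeOnline has already been run. Makes no changes.

$RequiredSets = @{
    AuditAdmin    = @('Copy','Create','FolderBind','HardDelete','MessageBind','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update','UpdateCalendarDelegation','UpdateFolderPermissions','UpdateInboxRules')
    AuditDelegate = @('Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update','UpdateFolderPermissions','UpdateInboxRules')
    AuditOwner    = @('Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems','SoftDelete','Update','UpdateCalendarDelegation','UpdateFolderPermissions','UpdateInboxRules')
}
$MinRetentionDays = 180

# Mailbox types that receive auditing on by default when the tenant-level default is on.
$DefaultAuditedTypes = @('UserMailbox','SharedMailbox','GroupMailbox')

# Tenant-level switch: AuditDisabled = $true means "auditing on by default" is off,
# so the per-mailbox AuditEnabled property is what actually counts for every mailbox.
$orgDefaultOff = [bool](Get-OrganizationConfig).AuditDisabled
if ($orgDefaultOff) { Write-Warning 'Mailbox auditing on by default is disabled for this tenant.' }

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $problems = @()

    # AuditEnabled is ignored for default-audited types while the tenant default is on,
    # so only flag it where the mailbox-level setting is authoritative.
    $needsMailboxLevel = $orgDefaultOff -or ($DefaultAuditedTypes -notcontains "$($mbx.RecipientTypeDetails)")
    if ($needsMailboxLevel -and -not $mbx.AuditEnabled) { $problems += 'AuditEnabled is False' }

    # AuditLogAgeLimit is returned as a timespan (or its string form); compare as a TimeSpan.
    if ([TimeSpan]$mbx.AuditLogAgeLimit -lt [TimeSpan]::FromDays($MinRetentionDays)) {
        $problems += "AuditLogAgeLimit $($mbx.AuditLogAgeLimit) is below $MinRetentionDays days"
    }

    # Any required action missing from the configured set is a finding.
    foreach ($set in $RequiredSets.GetEnumerator()) {
        $configured = @($mbx.($set.Key) | ForEach-Object { "$_" })
        $missing = @($set.Value | Where-Object { $configured -notcontains $_ })
        if ($missing) { $problems += "$($set.Key) missing: $($missing -join ',')" }
    }

    if ($problems) {
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Type     = $mbx.RecipientTypeDetails
            Problems = ($problems -join '; ')
        }
    }
}

$findings | Sort-Object Type, Mailbox | Format-Table -AutoSize
```

Resource, public folder and DiscoverySearch mailboxes never inherit the tenant default, so they always appear here when AuditEnabled is False; for the other types the check follows the page's note that the AuditEnabled property is ignored while auditing on by default is on.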
Default Value:
Only certain mailbox types support default auditing On:
User Mailboxes
Shared Mailboxes
Microsoft 365 Group Mailboxes
The remaining mailbox types require auditing to be turned on at the mailbox level:
Resource Mailboxes
Public Folder Mailboxes
DiscoverySearch Mailbox