Enable Mailbox Auditing For All Users


My notes for Mailbox Auditing say that Microsoft Defender for Office 365 P1 is required. After some light searching, I cannot confirm this is true. Microsoft changes policies so please confirm before using this recipe.

Mailbox Auditing - On By Default

Mailbox auditing for Microsoft 365 Organizations should be on by default for the following mailbox types:

To confirm mailbox auditing is enabled, we check that the -AuditDisabled is set to False. This is a bit odd at first but think of it as a double negative; “Not Disabled” = “Enabled”.

First connect to Exchange Online:


Then check the value of the AuditDisabled switch.

Get-OrganizationConfig | Select-Object -Property AuditDisabled

If auditing is enabled, you will see that AuditDisabled is set to False:

Get-OrganizationConfig | Select-Object -Property AuditDisabled

Mailboxes That Need Auditing Enabled

If auditing is required for any of the following mailbox types, you must manually enable it:

To enable auditing for these mailbox types use a routine like this:

Get-ExoMailbox -RecipientTypeDetails DiscoveryMailbox | Set-Mailbox -AuditEnabled $True

To verify this worked, use the -PropertySet Audit with the Get-ExoMailbox command.

Get-ExoMailbox -PropertySet Audit -RecipientTypeDetails DiscoveryMailbox | Select-Object -Property AuditEnabled



Microsoft Mailbox Auditing Learn article.