Introduction #
Since January 2019, Microsoft has been enabling mailbox auditing logging by default for all tenants. This means that certain actions performed by mailbox owners, delegates and admins are automatically logged and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log.
When enabled, the following benefits apply:
- Auditing is automatically enabled when you create a new mailbox. You don’t need to manually enable it for new users.
- You don’t need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each logon type (Admin, Delegate, and Owner).
- When Microsoft releases a new mailbox action, the action might be added automatically to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This means you don’t need to monitor add new actions on mailboxes.
- You have a consistent mailbox auditing policy across your organization (because you’re auditing the same actions for all mailboxes).
Although enabled by default, it can be disabled. This can occur if a technician disables it, or if you onboard a new customer where the previous provider had disabled it.
This setting ensures allows you to check and enforce that mailbox auditing on by default is enabled or disabled, if you prefer (though not recommended).
Additional Information #
It’s important to note that even when mailbox auditing on by default is enabled, individual mailboxes can override the setting with custom mailbox specific audit actions. This setting does not check the individual mailboxes for this condition. So although the setting is enabled, some mailboxes may log different actions.
To understand this properly, please refer to this KB from Microsoft – Manage mailbox auditing – Microsoft Purview (compliance) | Microsoft Learn
User Impact #
Low
Mailbox auditing has no user impact, however it will impact tenant administrators if the audit actions are not being logged and they require access to audit log information for a mailbox.
Parameters #
Mailbox auditing on by default – Enabled/Disabled
Specifies whether mailbox auditing on by default should be enabled or disabled
Admin Portal Reference #
This setting cannot be configured through the admin portal.
PowerShell Reference #
Get-OrganizationConfig | Format-List AuditDisabled
Set-OrganizationConfig -AuditDisabled $parameter
If Action is set to Notify #
MSPMagic will report the setting as compliant if the parameter matches the configured value in the tenant.
MSPMagic will report the setting as non-compliant if the parameter does not match the configured value in the tenant.
If Action is set to Enforce #
MSPMagic will report the setting as compliant if the parameter matches the configured value in the tenant.
MSPMagic will report the setting as compliant-fixed if the parameter does not match the configured value in the tenant and was able to update it.