Microsoft 365 Unified Audit Log Not Automatically Turned On


Grubbslinger

Hello!

I've run into this with a couple of clients now and I was wondering if anyone else had similar issues.

Basically, I was under the impression (based on what I read) that MS was now automatically enabling the Unified Audit Log for Microsoft 365. But there have been a few times where I've had to go to the log, only to find them missing or missing key information (such as Exchange events). I've had one instance where I went to the Audit dashboard and was hit with a message that said something to the effect of 'Start logging stuff' and I was forced to click to turn on the Audit Log. When I look at the info pages though, I get conflicting information about whether the logs are set up automatically when a new tenant is brought online or if you need to go in and turn on configurations.

Anyone dealt with this and have a definitive answer? I love MS Learn but man it can be a labyrinth when looking for a simple answer sometimes.


If MS is handling it like they handle the shutdown of SMTP, POP and IMAP then it is probably scheduled and will take place over a longer period of time.


It's supposed to be enabled by default for organisations that have the right licencing.
That said, I've seen it NOT on for a couple places, my guess is either they didn't have the right licencing when the tenant was stood up, or they were set up before MS made it default for new tenants.
It's normally on the list of things I check within a tenant to make sure it's on.


Unified Audit Log is enabled on new-ish tenants, but really old tenants may not have it enabled because Microsoft did not change the configuration of existing customers.

Once an E5 license is assigned, there are some changes made to which events are logged to support the advanced unified audit log capabilities (also increases bandwidth of the Office Activity API), so to be sure everything is covered, but it doesn't necessarily cover all workloads.

It's recommended to create an Audit Policy, select all application events, and target all users (E3-90 days, E5-1 year, or 10 years if paying for the additional SKU). Also, you will need to add MailItemsAccessed and SearchQueryInitiated to all E5 licensed users:

$E5Users | ForEach-Object { Set-Mailbox -Identity $_ -AuditEnabled $true -AuditLogAgeLimit 365 -AuditAdmin @{add="Create","FolderBind","SendAs","SendOnBehalf","SoftDelete","HardDelete","Update","Move","MoveToDeletedItems","UpdateFolderPermissions","ApplyRecord","RecordDelete","Send","UpdateCalendarDelegation","UpdateComplianceTag","UpdateInboxRules","MailItemsAccessed"} -AuditDelegate @{add="Create","FolderBind","SendAs","SendOnBehalf","SoftDelete","HardDelete","Update","Move","MoveToDeletedItems","UpdateFolderPermissions","ApplyRecord","MailItemsAccessed","RecordDelete","UpdateComplianceTag","UpdateInboxRules"} -AuditOwner @{add="Create","SoftDelete","HardDelete","Update","Move","MoveToDeletedItems","UpdateFolderPermissions","ApplyRecord","RecordDelete","Send","UpdateCalendarDelegation","UpdateComplianceTag","UpdateInboxRules","MailItemsAccessed","MailboxLogin","SearchQueryInitiated"}}

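Added example, not part of any post in this thread: a PowerShell check for the settings discussed above (unified audit log ingestion, organization-wide mailbox auditing, and the MailItemsAccessed and SearchQueryInitiated owner actions). It assumes an active Exchange Online PowerShell session; `Get-TenantAuditFinding` is a hypothetical helper name.

```powershell
# Added example, not code from the thread. Assumes the ExchangeOnlineManagement
# module and an active Connect-ExchangeOnline session. Run it in Exchange Online
# PowerShell: in Security & Compliance PowerShell, Get-AdminAuditLogConfig
# always reports UnifiedAuditLogIngestionEnabled as False.
# Get-TenantAuditFinding is a hypothetical helper name.
function Get-TenantAuditFinding {
    [CmdletBinding()]
    param(
        # Owner actions each user mailbox is expected to log (named in the post above)
        [string[]]$RequiredOwnerActions = @('MailItemsAccessed', 'SearchQueryInitiated')
    )

    # 1. Is the tenant ingesting events into the unified audit log at all?
    $ual = [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    [pscustomobject]@{
        Scope = 'Tenant'; Check = 'UnifiedAuditLogIngestionEnabled'
        Value = $ual; Passed = $ual
    }

    # 2. Has mailbox auditing been switched off for the whole organization?
    $auditDisabled = [bool](Get-OrganizationConfig).AuditDisabled
    [pscustomobject]@{
        Scope = 'Organization'; Check = 'AuditDisabled'
        Value = $auditDisabled; Passed = -not $auditDisabled
    }

    # 3. Which user mailboxes lack the required owner actions?
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        ForEach-Object {
            $owner   = @($_.AuditOwner)
            $missing = @($RequiredOwnerActions | Where-Object { $_ -notin $owner })
            if ($missing.Count -gt 0) {
                [pscustomobject]@{
                    Scope = $_.UserPrincipalName; Check = 'AuditOwner'
                    Value = "missing: $($missing -join ', ')"; Passed = $false
                }
            }
        }
}

# Print only the failed checks; an empty result means all three passed.
Get-TenantAuditFinding | Where-Object { -not $_.Passed } | Format-Table -AutoSize

# If check 1 fails, ingestion is turned on with:
#   Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```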

Awesome, thanks for replies. I'm in that MSP life as a security person so I don't control tenant setup unfortunately so I wanted to make sure it gets put into the checklist for new setup.
