Grubbslinger Posted November 14, 2022
Hello! I've run into this with a couple of clients now and I was wondering if anyone else had similar issues. Basically, I was under the impression (based on what I read) that MS was now automatically enabling the Unified Audit Log for Microsoft 365. But there have been a few times where I've had to go to the log, only to find them missing or missing key information (such as Exchange events). I've had one instance where I went to the Audit dashboard and was hit with a message that said something to the effect of 'Start logging stuff' and I was forced to click to turn on the Audit Log. When I look at the info pages though, I get conflicting information about whether the logs are set up automatically when a new tenant is brought online or if you need to go in and turn on configurations. Anyone dealt with this and have a definitive answer? I love MS Learn but man it can be a labyrinth when looking for a simple answer sometimes.
Chauke Posted November 14, 2022
If MS is handling it like they handle the shutdown of SMTP, POP and IMAP, then it is probably scheduled and will take place over a longer period of time.
Szeth Posted November 14, 2022
It's supposed to be enabled by default for organisations that have the right licensing. That said, I've seen it NOT on for a couple of places; my guess is either they didn't have the right licensing when the tenant was stood up, or they were set up before MS made it default for new tenants. It's normally on the list of things I check within a tenant to make sure it's on.
Nathan McNulty Posted November 15, 2022
Unified Audit Log is enabled on new-ish tenants, but really old tenants may not have it enabled because Microsoft did not change the configuration of existing customers. Once an E5 license is assigned, there are some changes made to which events are logged to support the advanced unified audit log capabilities (also increases bandwidth of the Office Activity API), so to be sure everything is covered, but it doesn't necessarily cover all workloads. It's recommended to create an Audit Policy, select all application events, and target all users (E3-90 days, E5-1 year, or 10 years if paying for the additional SKU). Also, you will need to add MailItemsAccessed and SearchQueryInitiated to all E5 licensed users:

    # $E5Users must already hold the identities of the E5-licensed mailboxes.
    # Each -Audit* parameter adds actions for one logon type (admin, delegate, owner).
    $E5Users | ForEach-Object {
        Set-Mailbox -Identity $_ -AuditEnabled $true -AuditLogAgeLimit 365 `
            -AuditAdmin @{add="Create","FolderBind","SendAs","SendOnBehalf","SoftDelete","HardDelete","Update","Move","MoveToDeletedItems","UpdateFolderPermissions","ApplyRecord","RecordDelete","Send","UpdateCalendarDelegation","UpdateComplianceTag","UpdateInboxRules","MailItemsAccessed"} `
            -AuditDelegate @{add="Create","FolderBind","SendAs","SendOnBehalf","SoftDelete","HardDelete","Update","Move","MoveToDeletedItems","UpdateFolderPermissions","ApplyRecord","MailItemsAccessed","RecordDelete","UpdateComplianceTag","UpdateInboxRules"} `
            -AuditOwner @{add="Create","SoftDelete","HardDelete","Update","Move","MoveToDeletedItems","UpdateFolderPermissions","ApplyRecord","RecordDelete","Send","UpdateCalendarDelegation","UpdateComplianceTag","UpdateInboxRules","MailItemsAccessed","MailboxLogin","SearchQueryInitiated"}
    }
Grubbslinger Posted November 16, 2022
Awesome, thanks for the replies. I'm in that MSP life as a security person so I don't control tenant setup unfortunately, so I wanted to make sure it gets put into the checklist for new setup.
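
For the tenant checklist discussed in this thread, here is an added example (not code from any poster) that reports which mailboxes lack the audit settings mentioned above. The function name `Get-MailboxAuditGap`, the required-action subset, the 365-day threshold and the two sample mailboxes are assumptions constructed for illustration; the property names are those returned by `Get-Mailbox`.

```powershell
# Added example, not from the thread. Actions required per logon type: a subset
# of the Set-Mailbox command above (the two E5 events plus inbox-rule changes).
$RequiredActions = [ordered]@{
    AuditOwner    = 'MailItemsAccessed', 'SearchQueryInitiated', 'UpdateInboxRules'
    AuditDelegate = 'MailItemsAccessed', 'UpdateInboxRules'
    AuditAdmin    = 'MailItemsAccessed', 'UpdateInboxRules'
}

function Get-MailboxAuditGap {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [int] $MinRetentionDays = 365   # assumption: the E5 figure from the post
    )
    process {
        $gaps = @()
        if (-not $Mailbox.AuditEnabled) { $gaps += 'AuditEnabled is False' }
        foreach ($type in $RequiredActions.Keys) {
            $have    = @($Mailbox.$type)
            $missing = @($RequiredActions[$type] | Where-Object { $_ -notin $have })
            if ($missing.Count) { $gaps += "$type missing $($missing -join ',')" }
        }
        # AuditLogAgeLimit arrives as a TimeSpan or a 'd.hh:mm:ss' string
        $days = ([timespan]"$($Mailbox.AuditLogAgeLimit)").TotalDays
        if ($days -lt $MinRetentionDays) { $gaps += "retention is $days days" }
        [pscustomobject]@{
            Mailbox   = $Mailbox.UserPrincipalName
            Compliant = ($gaps.Count -eq 0)
            Gaps      = $gaps -join '; '
        }
    }
}

# Constructed sample input so the check runs offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; AuditEnabled = $true
        AuditLogAgeLimit = '365.00:00:00'
        AuditOwner    = 'MailItemsAccessed', 'SearchQueryInitiated', 'UpdateInboxRules'
        AuditDelegate = 'MailItemsAccessed', 'UpdateInboxRules'
        AuditAdmin    = 'MailItemsAccessed', 'UpdateInboxRules' }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test'; AuditEnabled = $true
        AuditLogAgeLimit = '90.00:00:00'
        AuditOwner    = 'MailboxLogin', 'UpdateInboxRules'
        AuditDelegate = 'SendAs'; AuditAdmin = 'SendAs' }
)
$sample | Get-MailboxAuditGap | Format-List

# Live use, in an Exchange Online PowerShell session (Connect-ExchangeOnline):
#   (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled   # tenant switch, expect True
#   Get-Mailbox -ResultSize Unlimited | Get-MailboxAuditGap | Where-Object { -not $_.Compliant }
```

Run the `Get-AdminAuditLogConfig` check from Exchange Online PowerShell rather than Security & Compliance PowerShell, where `UnifiedAuditLogIngestionEnabled` always reads False.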