Issues with Mailbox audit for users (Security Score)
Without being able to see the output of the cmdlets it's hard to guess. First of all, "users" doesn't necessarily translate to mailboxes. The Identity parameter is unreliable when used against large lists of objects, as you can have multiple entries. Try something like the UPN or PrimarySMTPAddress instead.
Next, you might have some mailboxes with errors; you should get Warning messages when you try to run cmdlets against those. Some mailbox types do not show in the Get-Mailbox output unless you specifically include the recipient type; however, this shouldn't be an issue if you are comparing via the same syntax.
I tried checking the different mailbox types and thought that was hopeful. I then realized I'd already taken care of all the shared mailboxes and they show as true on the auditenabled.
I ran this:
(get-mailbox -filter {auditenabled -eq $true}|select userprincipalname, auditenabled).count
and came up with a count of 212. We did delete a mailbox today so that could account for the difference between 212 and 213.
There is no date on the score for this field, so I'm leaning towards this being a timing issue. Some things seem to update daily on the o365 security score, but not all. I'm going to see what happens and if it comes back with the reduced number of users before I continue to chase my tail on this.
If anyone else has seen something similar, please speak up.
- VasilMichev, Apr 24, 2017, MVP
Yeah, don't expect secure score to immediately reflect on the changes you make.
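
One way to run the comparison discussed in this thread, as an added example that is not code from any of the posters: it breaks audit coverage down by mailbox type and lists the mailboxes still missing auditing, keyed by UPN as suggested above. The function name Get-MailboxAuditCoverage and the sample mailboxes are constructed for illustration.

```powershell
# Added example, not from the thread. Summarises mailbox audit coverage per
# mailbox type and lists mailboxes that still have auditing disabled.
function Get-MailboxAuditCoverage {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Mailbox
    )
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Mailbox) }
    end {
        # Per-type totals: a gap confined to one type (e.g. SharedMailbox) shows up here.
        $summary = @($all | Group-Object RecipientTypeDetails | ForEach-Object {
            $enabled = @($_.Group | Where-Object { $_.AuditEnabled }).Count
            [pscustomobject]@{
                Type     = $_.Name
                Total    = $_.Count
                Enabled  = $enabled
                Disabled = $_.Count - $enabled
            }
        })
        # Report by UPN / primary SMTP address rather than a display name,
        # so each row can be passed back to Set-Mailbox -Identity unambiguously.
        $missing = @($all | Where-Object { -not $_.AuditEnabled } |
            Select-Object UserPrincipalName, PrimarySmtpAddress, RecipientTypeDetails)
        [pscustomobject]@{ Total = $all.Count; Summary = $summary; Missing = $missing }
    }
}

# Constructed sample data standing in for Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example';   PrimarySmtpAddress = 'alice@contoso.example';   RecipientTypeDetails = 'UserMailbox';   AuditEnabled = $true  }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';     PrimarySmtpAddress = 'bob@contoso.example';     RecipientTypeDetails = 'UserMailbox';   AuditEnabled = $false }
    [pscustomobject]@{ UserPrincipalName = 'support@contoso.example'; PrimarySmtpAddress = 'support@contoso.example'; RecipientTypeDetails = 'SharedMailbox'; AuditEnabled = $true  }
    [pscustomobject]@{ UserPrincipalName = 'room1@contoso.example';   PrimarySmtpAddress = 'room1@contoso.example';   RecipientTypeDetails = 'RoomMailbox';   AuditEnabled = $false }
)

$report = $sample | Get-MailboxAuditCoverage
$report.Summary | Format-Table -AutoSize
$report.Missing | Format-Table -AutoSize

# Against a live tenant (requires a connected Exchange Online session):
#   $report = Get-Mailbox -ResultSize Unlimited | Get-MailboxAuditCoverage
#   $report.Missing | ForEach-Object { Set-Mailbox -Identity $_.UserPrincipalName -AuditEnabled $true }
```

Comparing `$report.Total` and the per-type `Enabled` counts against the number the score reports shows whether a gap comes from a mailbox type, a recently deleted mailbox, or just the score's refresh delay.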