Enabling Mailbox Audit by Default

Jessie Hernandez · ‎Mar 06 2017

Is there a way of turning on mailbox auditing by default in Exchange Online for newly created mailboxes? It appears that this would be feasable via the "Set-mailboxplan" cmdlet but the actual parameter appears to be reserved for internal use according to the technet article: https://technet.microsoft.com/en-us/library/mt586788(v=exchg.160).aspx.

Any ideas other than turning on Auditing manually everytime a mailbox is enabled?

Cary Siemers · ‎Mar 06 2017

I have to run the Set-Mailbox -AuditEnabled $True every time we add a new mailbox so that Auditing is turned on.

Nuno Silva · ‎Mar 06 2017

You can create a script to run each time you create a mailbox to do that.

Nuno Silva · ‎Mar 06 2017

Any body know if we enable Mailbox Auditing how much % of storage will be used by Audit logs?

for e.g. If the Mailbox size is 100GB then once we enable Auditing how much size will be consumed by Audit logs?

Jessie Hernandez · ‎Mar 06 2017

Thanks, that's what we are currently doing. I was looking for a way to possibly skip that and let the mailboxplan actually default the parameter to True for any new mailbox.

Vasil Michev · ‎Mar 06 2017

The storage doesnt count against the mailbox quota, it uses the RecoverableItems quota instead.

Vasil Michev · ‎Mar 07 2017

@Vasil Michev thanks

Could you please elaborate more on the same? Recoverable data is also counted against total size of mailbox right?

Vasil Michev · ‎Mar 07 2017

No, you have a separate quota for it:

[21:33:25][O365]# Get-Mailbox vasil | fl *quota*

ProhibitSendQuota            : 99 GB (106,300,440,576 bytes)
ProhibitSendReceiveQuota     : 100 GB (107,374,182,400 bytes)
RecoverableItemsQuota        : 30 GB (32,212,254,720 bytes)
RecoverableItemsWarningQuota : 20 GB (21,474,836,480 bytes)

Read more here: https://technet.microsoft.com/en-us/library/ee364755(v=exchg.160).aspx#RIQuotas

Kamal Ibrahim · ‎Mar 08 2017

I think you need to create script to run everytime you create a mailbox.

Vasil Michev · ‎Mar 08 2017

Thank @Vasil.

My doubts are now cleared. It is time for me to enable auditing for all of our shared mailboxes.

I had not enabled auditing assuming they all are counted against mailbox size etc.

AndrewX · ‎Feb 07 2018

Hi,

Apart from the methods of manually/scheduled/script enabling auditing on new mailboxes, has the "Set-MailboxPlan" or any other Default/Automated methods become available yet?

Vasil Michev · ‎Feb 07 2018

Nope.

brian grant · ‎Feb 06 2019

it is applied by Default now.

AndrewX · ‎Feb 06 2019

Yep finally, great new feature :)

Joshua Bines · ‎Aug 10 2020

Yes you would think that all mailboxes would be enabled with that setting but guess what? turns out they are not! Important to note: some types of mailboxes are missing which could be used as an attack vector.

https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwid...

And... log shipping to the O365 unified log is also missing without that setting.

https://office365itpros.com/2020/03/12/exchange-online-mailbox-auditing-default-problem/

It's crazy stuff... when I first looked at this i thought just enable that and move on until I had a security assessment which still recommended enabling the setting on all mailbox in the tenant.

Enabling Mailbox Audit by Default

Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Re: Enabling Mailbox Audit by Default

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Enabling Mailbox Audit by Default