Enabling Mailbox Audit by Default

%3CLINGO-SUB%20id%3D%22lingo-sub-50493%22%20slang%3D%22en-US%22%3EEnabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50493%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20a%20way%20of%20turning%20on%20mailbox%20auditing%20by%20default%20in%20Exchange%20Online%20for%20newly%20created%20mailboxes%3F%20%26nbsp%3BIt%20appears%20that%20this%20would%20be%20feasable%20via%20the%20%22Set-mailboxplan%22%20cmdlet%20but%20the%20actual%20parameter%26nbsp%3Bappears%20to%20be%20reserved%20for%20internal%20use%20according%20to%20the%20technet%20article%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fmt586788(v%3Dexchg.160).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fmt586788(v%3Dexchg.160).aspx%3C%2FA%3E.%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%20other%20than%20turning%20on%20Auditing%20manually%20everytime%20a%20mailbox%20is%20enabled%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-50493%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-331891%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-331891%22%20slang%3D%22en-US%22%3EYep%20finally%2C%20great%20new%20feature%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-331500%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-331500%22%20slang%3D%22en-US%22%3E%3CP%3Eit%20is%20applied%20by%20Default%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153515%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153515%22%20slang%3D%22en-US%22%3E%3CP%3ENope.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153500%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153500%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EApart%20from%20the%20methods%20of%20manually%2Fscheduled%2Fscript%20enabling%20auditing%20on%20new%20mailboxes%2C%20has%20the%20%22Set-MailboxPlan%22%20or%20any%20other%20Default%2FAutomated%20methods%20become%20available%20yet%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-51721%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-51721%22%20slang%3D%22en-US%22%3EThank%20%40Vasil.%3CBR%20%2F%3E%3CBR%20%2F%3EMy%20doubts%20are%20now%20cleared.%20It%20is%20time%20for%20me%20to%20enable%20auditing%20for%20all%20of%20our%20shared%20mailboxes.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20had%20not%20enabled%20auditing%20assuming%20they%20all%20are%20counted%20against%20mailbox%20size%20etc.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-51513%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-51513%22%20slang%3D%22en-US%22%3E%3CP%3EI%20think%20you%20need%20to%20create%20script%20to%20run%20everytime%20you%20create%20a%20mailbox.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-51240%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-51240%22%20slang%3D%22en-US%22%3E%3CP%3ENo%2C%20you%20have%20a%20separate%20quota%20for%20it%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%5B21%3A33%3A25%5D%5BO365%5D%23%20Get-Mailbox%20vasil%20%7C%20fl%20*quota*%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EProhibitSendQuota%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%2099%20GB%20(106%2C300%2C440%2C576%20bytes)%3CBR%20%2F%3EProhibitSendReceiveQuota%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20100%20GB%20(107%2C374%2C182%2C400%20bytes)%3CBR%20%2F%3ERecoverableItemsQuota%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%2030%20GB%20(32%2C212%2C254%2C720%20bytes)%3CBR%20%2F%3ERecoverableItemsWarningQuota%20%3A%2020%20GB%20(21%2C474%2C836%2C480%20bytes)%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3ERead%20more%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fee364755(v%3Dexchg.160).aspx%23RIQuotas%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fee364755(v%3Dexchg.160).aspx%23RIQuotas%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50761%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50761%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bthanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20you%20please%20elaborate%20more%20on%20the%20same%3F%20Recoverable%20data%20is%20also%20counted%20against%20total%20size%20of%20mailbox%20right%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50631%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50631%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20storage%20doesnt%20count%20against%20the%20mailbox%20quota%2C%20it%20uses%20the%20RecoverableItems%20quota%20instead.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50552%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50552%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20that's%20what%20we%20are%20currently%20doing.%20%26nbsp%3BI%20was%20looking%20for%20a%20way%20to%20possibly%20skip%20that%20and%20let%20the%20mailboxplan%20actually%20default%26nbsp%3Bthe%20parameter%20to%20True%20for%20any%20new%20mailbox.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50537%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50537%22%20slang%3D%22en-US%22%3EAny%20body%20know%20if%20we%20enable%20Mailbox%20Auditing%20how%20much%20%25%20of%20storage%20will%20be%20used%20by%20Audit%20logs%3F%3CBR%20%2F%3E%3CBR%20%2F%3Efor%20e.g.%20If%20the%20Mailbox%20size%20is%20100GB%20then%20once%20we%20enable%20Auditing%20how%20much%20size%20will%20be%20consumed%20by%20Audit%20logs%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50536%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50536%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20create%20a%20script%20to%20run%20each%20time%20you%20create%20a%20mailbox%20to%20do%20that.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50514%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50514%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20to%20run%20the%20Set-Mailbox%20-AuditEnabled%20%24True%20every%20time%20we%20add%20a%20new%20mailbox%20so%20that%20Auditing%20is%20turned%20on.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1577877%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Mailbox%20Audit%20by%20Default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1577877%22%20slang%3D%22en-US%22%3E%3CP%3EYes%20you%20would%20think%20that%20%3CSTRONG%3Eall%3C%2FSTRONG%3E%20mailboxes%20would%20be%20enabled%20with%20that%20setting%20but%20guess%20what%3F%20turns%20out%20they%20are%20not!%20Important%20to%20note%3A%20some%20types%20of%20mailboxes%20are%20missing%20which%20could%20be%20used%20as%20an%20attack%20vector.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fenable-mailbox-auditing%3Fview%3Do365-worldwide%23supported-mailbox-types%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fenable-mailbox-auditing%3Fview%3Do365-worldwide%23supported-mailbox-types%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd...%20log%20shipping%20to%20the%20O365%20unified%20log%20is%20also%20missing%20without%20that%20setting.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Foffice365itpros.com%2F2020%2F03%2F12%2Fexchange-online-mailbox-auditing-default-problem%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Foffice365itpros.com%2F2020%2F03%2F12%2Fexchange-online-mailbox-auditing-default-problem%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20crazy%20stuff...%20when%20I%20first%20looked%20at%20this%20i%20thought%20just%20enable%20that%20and%20move%20on%20until%20I%20had%20a%20security%20assessment%20which%20still%20recommended%20enabling%20the%20setting%20on%20all%20mailbox%20in%20the%20tenant.%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Is there a way of turning on mailbox auditing by default in Exchange Online for newly created mailboxes?  It appears that this would be feasable via the "Set-mailboxplan" cmdlet but the actual parameter appears to be reserved for internal use according to the technet article: https://technet.microsoft.com/en-us/library/mt586788(v=exchg.160).aspx.  

 

Any ideas other than turning on Auditing manually everytime a mailbox is enabled?

14 Replies
Highlighted

I have to run the Set-Mailbox -AuditEnabled $True every time we add a new mailbox so that Auditing is turned on.

Highlighted

You can create a script to run each time you create a mailbox to do that.

Highlighted
Any body know if we enable Mailbox Auditing how much % of storage will be used by Audit logs?

for e.g. If the Mailbox size is 100GB then once we enable Auditing how much size will be consumed by Audit logs?
Highlighted

Thanks, that's what we are currently doing.  I was looking for a way to possibly skip that and let the mailboxplan actually default the parameter to True for any new mailbox.

Highlighted

The storage doesnt count against the mailbox quota, it uses the RecoverableItems quota instead.

Highlighted

@Vasil Michev thanks

 

Could you please elaborate more on the same? Recoverable data is also counted against total size of mailbox right?

Highlighted

No, you have a separate quota for it:

 

[21:33:25][O365]# Get-Mailbox vasil | fl *quota*


ProhibitSendQuota            : 99 GB (106,300,440,576 bytes)
ProhibitSendReceiveQuota     : 100 GB (107,374,182,400 bytes)
RecoverableItemsQuota        : 30 GB (32,212,254,720 bytes)
RecoverableItemsWarningQuota : 20 GB (21,474,836,480 bytes)

Read more here: https://technet.microsoft.com/en-us/library/ee364755(v=exchg.160).aspx#RIQuotas

Highlighted

I think you need to create script to run everytime you create a mailbox.

Highlighted
Thank @Vasil.

My doubts are now cleared. It is time for me to enable auditing for all of our shared mailboxes.

I had not enabled auditing assuming they all are counted against mailbox size etc.
Highlighted

Hi,

 

Apart from the methods of manually/scheduled/script enabling auditing on new mailboxes, has the "Set-MailboxPlan" or any other Default/Automated methods become available yet?

Highlighted

Nope.

Highlighted

it is applied by Default now.

Highlighted
Yep finally, great new feature :)
Highlighted

Yes you would think that all mailboxes would be enabled with that setting but guess what? turns out they are not! Important to note: some types of mailboxes are missing which could be used as an attack vector. 

 

https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwid...

 

And... log shipping to the O365 unified log is also missing without that setting. 

 

https://office365itpros.com/2020/03/12/exchange-online-mailbox-auditing-default-problem/

 

It's crazy stuff... when I first looked at this i thought just enable that and move on until I had a security assessment which still recommended enabling the setting on all mailbox in the tenant.