Closed BrentNewland closed 5 months ago
Relevant from https://github.com/o365soa/Scripts/blob/master/Configure-MailboxAuditLogging.ps1
"User mailboxes that do not have M365 Advanced Auditing service plan assigned and have not been explicitly enabled for audit logging
Important note: Only a server-side filter can be used to determine #2. The
AuditEnabled property will always have a value of True, so it requires Exchange to determine
mailboxes that are implicitly True because of global audit logging or explicitly True via
the Set-Mailbox cmdlet"
I've heard different stories from Microsoft, but it's easy to disable and reenable, so I've updated the script.
Closed
From the Microsoft article here https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide#more-information
"If mailbox auditing already appears to be enabled on the mailbox, but your searches return no results, change the value of the AuditEnabled parameter to $false and then back to $true."
From this article https://office365itpros.com/2020/03/12/mailbox-audit-events-problem/
"With mailbox auditing enabled by default, brand-new E3 mailboxes report AuditEnabled to be $True...
Because mailbox auditing is enabled by default, when Get-Mailbox queries its audit properties, Exchange reports that AuditEnabled is True and the default audit set is present. If you run Set-Mailbox to disable auditing, PowerShell reports that “no settings have been modified.” That’s strange because we just updated AuditEnabled from True to False."
It sounds like it would be safest to first disable audit logging on each mailbox before enabling it.