Windows/Office 365: Enable Exchange Online mailbox auditing

Created: 9-10-21

Updated: 9-10-21

Below are a few PowerShell commands that Adam Gordon made during an ITPro.tv training video and this was written by him and credit is due accordingly. However this was from a video series that is about to be replaced and I’d like to archive this information for future use. Perhaps this helps someone out!

######################################
# Log into O365 Security & Compliance
######################################
Set-ExecutionPolicy RemoteSigned
$UserCreds = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

Remove-PSSession $Session
#####################################

# Enable Auditing for a single mailbox
Set-Mailbox “name of mailbox goes here” -AuditEnabled $True

# Enable Audting for all mailboxes
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | Set-Mailbox -AuditEnabled $True

#Monitor Unified Audit Logs – Is it Enabled?

Get-AdminAuditLogConfig | FL *unified*

#Want to turn on/off logging?

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False

#How about using PowerShell to search the logs?
Search-UnifiedAuditLog -StartDate 8/28/2021 -EndDate 9/23/2021 -UserIds user@domain.suffix -Formatted