Audit logging tracks who clicked what, and when. It enables organizations to answer questions such as "Who deleted that shared mailbox?" and "Why doesn't user X have permissions for resource Y anymore?" As you can imagine, this puts significant strain on the cloud servers and is not enabled by default. The lean state of the Office 365 tenant servers is called "dehydrated", and the enhanced mode is "hydrated". Microsoft does not charge any extra if you do enable it, so here's how to do it!
- Connect to Exchange Online via PowerShell
- Enable "OrganizationCustomization"
- Use the Office 365 admin UI to enable audit logging
PowerShell
If your Office 365 admin account has MFA enabled, you will need to connect using Exchange Online PowerShell - see https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell
For non-MFA accounts, launch PowerShell as a local administrator, and run the following commands:
set-executionpolicy unrestricted
(When prompted, choose "A" for All)
$UserCredential = Get-Credential
(Enter the credentials for an administrator of the Office 365 tenant where you want to enable the audit logging)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
(Wait while the commands are imported)
Enable-OrganizationCustomization
Exit
Security & Compliance
(You may need to allow an hour for the PowerShell
Log on to https://protection.office.com as an administrator
Navigate to Search > Audit
Click the button "Turn on auditing"
Navigate to Permissions
Specify the eDiscovery Manager (usually yourself!)
The Office 365 tenant is now enabled for extensive audit logging. Note: logging begins from the time it is enabled.
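To confirm the result from PowerShell rather than the admin UI, the following added example (not part of the original post) checks the tenant's hydration state and the unified audit log setting. It assumes it is run inside the Exchange Online session imported in the steps above, before `Exit`, and that `$Session` still holds that session.

```powershell
# Added example: verify the tenant state described in this post.
# Assumption: the Exchange Online cmdlets were imported with Import-PSSession
# as shown above, and $Session is the session created there.

$ErrorActionPreference = 'Stop'

# 1. A "dehydrated" tenant reports IsDehydrated = True.
#    Only call Enable-OrganizationCustomization when it is actually needed.
$org = Get-OrganizationConfig
if ($org.IsDehydrated) {
    Write-Host "Tenant is dehydrated; enabling organization customization..."
    Enable-OrganizationCustomization
} else {
    Write-Host "Tenant is already hydrated; no change made."
}

# 2. Check whether unified audit log ingestion is switched on.
#    This reflects the "Turn on auditing" button under Search > Audit.
$audit = Get-AdminAuditLogConfig
if ($audit.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit logging is ON."
} else {
    Write-Warning "Unified audit logging is OFF."
    Write-Warning "Turn it on in the portal (Search > Audit), or run:"
    Write-Warning "  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

# 3. Close the remote session explicitly so it does not linger on the server.
if ($Session) {
    Remove-PSSession $Session
}
```

If the tenant was hydrated only moments ago, the audit setting may still show as off; re-run the check later.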