Enable Audit Logging

Modified on Wed, 27 Apr, 2022 at 12:34 PM

Audit logging track who clicked what, and when. It enables organizations to answer questions such as "Who deleted that shared mailbox?", and "Why doesn't user X have permissions for resource Y anymore?" As you can imagine, this puts significant strain on the cloud servers and is not enabled by default.; the lean state of the Office 365 tenant servers is called "dehydrated", and the enhanced mode is "hydrated". Microsoft do not charge any extra if you do enable it, so here's how to do it!


  • Connect to Exchange Online via PowerShell
  • Enable "OrganizationCustomization"
  • Use the Office 365 admin UI to enable audit logging


PowerShell with Exchange Online Management

If your Office 365 admin account has MFA enabled, you will need to connect using Exchange Online Management - get it at https://www.powershellgallery.com/packages/ExchangeOnlineManagement- see full docs here: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell


For MFA-enabled admin accounts:

Connect-ExchangeOnline -UserPrincipalName admin@companyname.onmicrosoft.com
Enable-OrganizationCustomization
Exit


For non-MFA accounts, launch PowerShell as a local administrator, and run the following commands:

set-executionpolicy unrestricted
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session
Enable-OrganizationCustomization
Exit


Security & Compliance

(You may need to allow an hour for the PowerShell

Log on to https://security.microsoft.com/ as an administrator


Navigate to Permissions

Under the Roles for both Azure AD and Email, add at least 1 admin user (usually yourself!)


The Microsoft 365 tenant is now enabled for extensive audit logging. Note: logging begins from the time it is enabled.


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article