Enable Audit Logging

Audit logging track who clicked what, and when. It enables organizations to answer questions such as "Who deleted that shared mailbox?", and "Why doesn't user X have permissions for resource Y anymore?" As you can imagine, this puts significant strain on the cloud servers and is not enabled by default.; the lean state of the Office 365 tenant servers is called "dehydrated", and the enhanced mode is "hydrated". Microsoft do not charge any extra if you do enable it, so here's how to do it!

• Connect to Exchange Online via PowerShell
• Enable "OrganizationCustomization"
• Use the Office 365 admin UI to enable audit logging

PowerShell with Exchange Online Management

If your Office 365 admin account has MFA enabled, you will need to connect using Exchange Online Management - get it at https://www.powershellgallery.com/packages/ExchangeOnlineManagement- see full docs here: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell

For MFA-enabled admin accounts:

Connect-ExchangeOnline -UserPrincipalName admin@companyname.onmicrosoft.com
Enable-OrganizationCustomization
Exit

For non-MFA accounts, launch PowerShell as a local administrator, and run the following commands:

set-executionpolicy unrestricted
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session
Enable-OrganizationCustomization
Exit

Security & Compliance

(You may need to allow an hour for the PowerShell

Log on to https://security.microsoft.com/ as an administrator

Navigate to Permissions

Under the Roles for both Azure AD and Email, add at least 1 admin user (usually yourself!)

The Microsoft 365 tenant is now enabled for extensive audit logging. Note: logging begins from the time it is enabled.