You may not be aware that by default Office 365 mailbox auditing isn’t turned on. Don’t believe me? Well check out this article, especially the first paragraph:
In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn’t turned on. That means mailbox auditing events won't appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a user mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.
If you want to check your own tenant then connect to Exchange Online with PowerShell and run this command:
get-mailbox | select userprincipalname,auditenabled
You’ll probably see that all the mailboxes don’t have auditing enabled.
To enable auditing, simply run this command:
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true
and then run the first command again to verify it is now enabled for all mailboxes.
You also need to appreciate that out of the box, not all items are audited and you may need to adjust these options, also using PowerShell. The options you can audit for are:
I’ll cover how to set these in an upcoming article.