When you set up bulk alerting for mailboxes, you may end up enabling alerts for system mailboxes like DiscoverySearchMailbox, as shown above. You will then receive regular alerts about changes the system makes to that mailbox: Exchange Online is performing an expected administrative process on the mailbox, and that triggers the configured alert.
To reduce the noise caused by these alerts, you can disable auditing for that mailbox as follows:
Firstly connect to Exchange Online using PowerShell. My script for that is here:
https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1
Next, run this command to find any DiscoverySearchMailbox:
get-mailbox -ResultSize unlimited | Where-Object {$_.name -MATCH "Discovery"} | Select-Object alias, displayname, auditenabled
which should give you a result like the one shown above.
$dsm = get-mailbox -ResultSize unlimited | Where-Object {$_.name -MATCH "Discovery"}
Run the above command to save the mailbox details to a variable. Then run:
set-mailbox -identity $dsm.alias -AuditEnabled $false
to disable auditing for that mailbox.
If you now re-run
get-mailbox -ResultSize unlimited | Where-Object {$_.name -MATCH "Discovery"} | Select-Object alias, displayname, auditenabled
you should find that the auditing is now disabled for that mailbox as shown above.
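The steps above as a single function, added here as an example and not taken from the author's script. It selects mailboxes by recipient type instead of by name, so a user or shared mailbox that merely has "Discovery" in its name keeps its auditing, and it copes with more than one match. The function name is hypothetical and an existing Exchange Online PowerShell session is assumed.

```powershell
# Added example, not the author's code. Assumes you are already connected
# to Exchange Online. The function name is hypothetical.
function Disable-DiscoveryMailboxAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Match on recipient type rather than on a name pattern, so only system
    # discovery mailboxes are touched.
    $targets = @(Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited)

    if ($targets.Count -eq 0) {
        Write-Warning 'No discovery mailboxes found; nothing changed.'
        return
    }

    foreach ($mbx in $targets) {
        if (-not $mbx.AuditEnabled) {
            Write-Verbose "$($mbx.Alias): auditing already disabled"
            continue
        }
        # -WhatIf / -Confirm on the function are honoured here.
        if ($PSCmdlet.ShouldProcess($mbx.Alias, 'Set AuditEnabled to $false')) {
            Set-Mailbox -Identity $mbx.Alias -AuditEnabled $false
        }
    }

    # Re-read each mailbox from the service so the output shows the stored
    # state, not the objects fetched before the change.
    $targets |
        ForEach-Object { Get-Mailbox -Identity $_.Alias } |
        Select-Object Alias, DisplayName, RecipientTypeDetails, AuditEnabled
}

# Preview which mailboxes would be changed, without changing anything:
Disable-DiscoveryMailboxAudit -WhatIf

# Apply the change and list the resulting state:
# Disable-DiscoveryMailboxAudit -Verbose
```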
Hi there,
As per https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwide#ID0EABAAA=Mailbox_auditing_actions
If Auditing is enabled by default on the tenant the best way to stop these alerts is to modify your script a bit by making it something like this 🙂
$dsm = get-mailbox -ResultSize unlimited | Where-Object {$_.name -MATCH "Discovery"}
Set-MailboxAuditBypassAssociation -Identity "$dsm" -AuditByPassEnabled $true
Get-MailboxAuditBypassAssociation -Identity "$dsm" | Format-List AuditByPassEnabled
Hi Nathan, love your alternate approach. Going to try this now