
An important part of good security in Microsoft 365 is to ensure you are capturing all the logs available. Exchange Online has a number of actions that can be audited and some may not be enabled in your environment. The list available and what is enabled by default can be found here:
Here is a quick script you can run to display all the audit settings for each mailbox:
# Organization-wide switch: AuditDisabled should be False
Get-OrganizationConfig | Format-List AuditDisabled
# Retrieve every mailbox in the tenant
$mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($mailbox in $mailboxes) {
    Write-Host "`nMailbox =", $mailbox.UserPrincipalName
    # Actions audited for each logon type: admin, delegate and owner
    Write-Host ("--- Admin ---")
    $mailbox | Select-Object -ExpandProperty AuditAdmin | Sort-Object
    Write-Host ("--- Delegate ---")
    $mailbox | Select-Object -ExpandProperty AuditDelegate | Sort-Object
    Write-Host ("--- Owner ---")
    $mailbox | Select-Object -ExpandProperty AuditOwner | Sort-Object
}
Just compare the list in the link to what you have configured to ensure everything that is available to you is enabled.
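The comparison can also be scripted. The following is an added example, not part of the original script: the helper name Get-MailboxAuditGap is hypothetical, and the baseline is an illustrative subset of audit actions that you should replace with the documented list for your licence level. The sample mailbox is constructed so the logic runs without a tenant connection.

```powershell
# Illustrative baseline (assumption): replace each list with the actions
# Microsoft documents as available for that logon type in your tenant.
$baseline = @{
    AuditAdmin    = 'Update','MoveToDeletedItems','SoftDelete','HardDelete',
                    'SendAs','SendOnBehalf','Create','UpdateFolderPermissions'
    AuditDelegate = 'Update','MoveToDeletedItems','SoftDelete','HardDelete',
                    'SendAs','SendOnBehalf','Create','UpdateFolderPermissions'
    AuditOwner    = 'Update','MoveToDeletedItems','SoftDelete','HardDelete',
                    'UpdateFolderPermissions','MailboxLogin'
}

# Hypothetical helper: emits one row per mailbox and logon type that is
# missing at least one baseline action.
function Get-MailboxAuditGap {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    process {
        foreach ($logonType in $Baseline.Keys | Sort-Object) {
            # Normalise configured values to trimmed strings
            $configured = @($Mailbox.$logonType | ForEach-Object { "$_".Trim() })
            # -notin is case-insensitive, so 'softdelete' matches 'SoftDelete'
            $missing = @($Baseline[$logonType] | Where-Object { $_ -notin $configured })
            if ($missing.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox   = $Mailbox.UserPrincipalName
                    LogonType = $logonType
                    Missing   = $missing -join ', '
                }
            }
        }
    }
}

# Constructed sample standing in for one Get-Mailbox result
$sample = [pscustomobject]@{
    UserPrincipalName = 'user@example.com'
    AuditAdmin        = 'Update','SoftDelete','HardDelete'
    AuditDelegate     = $baseline.AuditDelegate
    AuditOwner        = 'Update','MailboxLogin'
}
$sample | Get-MailboxAuditGap -Baseline $baseline | Format-Table -AutoSize

# Against the tenant, once connected to Exchange Online:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxAuditGap -Baseline $baseline
```

An empty result means every mailbox already audits at least the baseline actions for all three logon types.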
To connect to Exchange Online before running the above code, you can use my script:
https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1