You may not be aware that by default Office 365 mailbox auditing isn’t turned on. Don’t believe me? Well check out this article, especially the first paragraph:

Enable mailbox auditing in Office 365

which says:

In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn’t turned on. That means mailbox auditing events won’t appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a user mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

If you want to check your own tenant then connect to Exchange Online with PowerShell and run this command:

get-mailbox | select userprincipalname,auditenabled

You’ll probably see that all the mailboxes don’t have auditing enabled.

To enable auditing, simply run this command:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true

and then run the first command again to verify it is now enabled for all mailboxes.

You also need to appreciate that out of the box, not all items are audited and you may need to adjust these options, also using PowerShell. The options you can audit for are:

Mailbox auditing actions

I’ll cover how to set these in an upcoming article.

I recently wrote an article that shows you how to configure the spam policy in Office 365 using the web interface. If you missed that you can find it here:

Configuring an Office 365 SPAM filtering policy

Doing this multiple times via the web interface is a lot of work. A better approach is to use PowerShell. So once, how have connected to Exchange Online PowerShell, run these two commands:

$policyparams = @{
“name” = “Configured Policy”;
‘Bulkspamaction’ =  ‘movetojmf’;
‘bulkthreshold’ =  ‘7’;
‘highconfidencespamaction’ =  ‘movetojmf’;
‘inlinesafetytipsenabled’ = $true;
‘markasspambulkmail’ = ‘on’;
‘increasescorewithimagelinks’ = ‘off’
‘increasescorewithnumericips’ = ‘on’
‘increasescorewithredirecttootherport’ = ‘on’
‘increasescorewithbizorinfourls’ = ‘on’;
‘markasspamemptymessages’ =’on’;
‘markasspamjavascriptinhtml’ = ‘on’;
‘markasspamframesinhtml’ = ‘on’;
‘markasspamobjecttagsinhtml’ = ‘on’;
‘markasspamembedtagsinhtml’ =’on’;
‘markasspamformtagsinhtml’ = ‘on’;
‘markasspamwebbugsinhtml’ = ‘on’;
‘markasspamsensitivewordlist’ = ‘on’;
‘markasspamspfrecordhardfail’ = ‘on’;
‘markasspamfromaddressauthfail’ = ‘on’;
‘markasspamndrbackscatter’ = ‘on’;
‘phishspamaction’ = ‘movetojmf’;
‘spamaction’ = ‘movetojmf’;
‘zapenabled’ = $true
}

new-hostedcontentfilterpolicy @policyparams

The first basically sets up an array of all the parameters you are going to see into the spam policy. It makes it easier to adjust if you need to.

The second command creates a new policy based off this array that will be called ‘Configured Policy’.

However, after running these two commands you aren’t quite done yet because you have created the policy BUT you actually need to create a rule that uses this policy to do that use the following:

$ruleparams = @{
‘name’ = ‘Configured Recipients’;
‘hostedcontentfilterpolicy’ = ‘Configured Policy’;
## this needs to match the above policy name
‘recipientdomainis’ = ‘domain.com’;
## this needs to match the domains you wish to protect in your tenant
‘Enabled’ = $true
}

New-hostedcontentfilterrule @ruleparams

You’ll need to ensure the policy names match as noted and you include the domains you wish to protect.

Once this has been completed, if you go and look in your Exchange Admin area, under protection and spam filter, you should see a new policy called ‘Configured Recipients’ that was created by the above script commands.