Office 365 has the ability to log and audit a lot of actions in your tenant, however much of this logging is not enabled by default but should be by an administrator in my opinion.

Another point to consider is that you have to use Exchange Online PowerShell to enable mailbox audit logging. You can’t use the Office 365 Security & Compliance Center or the Exchange admin center (i.e. the web interface).

After you have connected to Exchange Online using PowerShell, run the following command to view what audit settings are currently enabled for your mailboxes:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | FL Name,Audit*

That should produce a result as shown above. As you can see the AuditEnabled option is current set to False for all mailboxes per:

By default, mailbox auditing in Office 365 isn’t turned on. That means mailbox auditing events won’t appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

which is detailed here:

https://support.office.com/en-us/article/enable-mailbox-auditing-in-office-365-aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Step-by-step_instructions

So to turn auditing on for all mailboxes execute the following PowerShell commands.

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true

If you wish to modify what events are actually audited you can use the following. Note, there is a separate one for administrators, delegates and owners of the mailboxes:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -Auditadmin @{Add=”Copy”,”Create”,”FolderBind”,”HardDelete”,”MessageBind”,”Move”,”MoveToDeletedItems”,”SendAs”,”SendOnBehalf”,”SoftDelete”,”Update”,”UpdateFolderPermissions”}

Get-Mailbox -ResultSize Unlimited | Set-Mailbox –Auditdelegate @{Add=”Copy”,”Create”,”FolderBind”,”HardDelete”,”MessageBind”,”Move”,”MoveToDeletedItems”,”SendAs”,”SendOnBehalf”,”SoftDelete”,”Update”,”UpdateFolderPermissions”}

Get-Mailbox -ResultSize Unlimited | Set-Mailbox –Auditowner @{Add=”Copy”,”Create”,”FolderBind”,”HardDelete”,”MessageBind”,”Move”,”MoveToDeletedItems”,”SendAs”,”SendOnBehalf”,”SoftDelete”,”Update”,”UpdateFolderPermissions”}

You’ll find all the details about these commands here:

Set-mailbox = https://technet.microsoft.com/en-us/library/bb123981(v=exchg.160).aspx

In true PowerShell tradition, when you execute these commands correctly, you’ll just be returned to the command line as shown above.

If we re-examine our mailboxes we now see that auditing is enabled and that more actions are audited as expected.

By default, entries in the mailbox audit log are kept for 90 days. When an entry is older than 90 days, it’s deleted. You can use the Set-Mailbox cmdlet to change this setting so items are kept for a longer (or shorter) period of time like so:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditLogAgeLimit 180

which extends the entry limit retention to 180 days.

So, another way to improve the security of your Office 365 tenant is to enable mailbox auditing and extending the properties that are audited. You can only do this with PowerShell but once you have the the script you can re-run it as many times as you like. The power of PowerShell!

Many people are unaware of the fact that ALL (yes, I said ALL) Exchange Online plans are configured by default, to ONLY retain deleted items for 14 days. Yes, I said ALL Exchange Online plans, and I quote:

“How long deleted items are kept in the Deletions folder depends on the deleted item retention period that is set for the mailbox. An Exchange Online mailbox keeps deleted items for 14 days, by default. Use the Exchange Management Shell, as shown above, to change this setting, to increase the period up to a maximum of 30 days.”

this is from:

https://technet.microsoft.com/en-us/library/dn163584(v=exchg.160).aspx

You will also note that you can extend this to a maximum of 30 days using PowerShell, which is exactly what you should do IMMEDIATLY you add a user account I would suggest.

To do this you firstly need to connect to Exchange Online using PowerShell. Then to view the current retention periods run the following:

that should then display something like:

As you can see from the above, all the mailboxes listed are currently only set to a MAXIMUM of 14 days for retention (which is the default).

To extend this to the maximum of 30 days for ALL plans, execute the following command:

Now when you re-examine all the deletion period for all mailboxes you should see:

they have all been extended to the maximum of 30 days, which should make everyone much happier and provide you the ability to recovered deleted email data out to the maximum period of 30 days for ALL plans. After 30 days however, the deleted data will still be purged and unrecoverable.

If you wish to retain deleted email data beyond the maximum 30 days that can be provisioned generally you’ll need to add the legal hold service to the mailbox and ENABLE it! The legal hold service is available on Exchange Online Plan 2 mailboxes, E3 and E5 suites typically.

To my way of thinking, extending the deleted item retention period of all mailboxes in a tenant is something that should be done immediately and using the above PowerShell commands it is really easy to do. So there should be NO excuse!