How To Turn auditing on or off:

 

From  Learn.microsoft.com

 

https://learn.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide

Verify the auditing status for your organization

To verify that auditing is turned on for your organization, you can run the following command in Exchange Online PowerShell:

PowerShellCopy

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

A value of True for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned on. A value of False indicates that auditing is not turned on.

 Note

Be sure to run the previous command in Exchange Online PowerShell. You can’t use Security & Compliance PowerShell to run this command.

Turn on auditing

If auditing is not turned on for your organization, you can turn it on in the compliance portal or by using Exchange Online PowerShell. It may take several hours after you turn on auditing before you can return results when you search the audit log.

Use the compliance center to turn on auditing

  1. Go to https://compliance.microsoft.com and sign in.
  2. In the left navigation pane of the compliance portal, click Audit.

If auditing is not turned on for your organization, a banner is displayed prompting you start recording user and admin activity.

Banner on Audit page.

  1. Click the Start recording user and admin activity banner.

It may take up to 60 minutes for the change to take effect.

Use PowerShell to turn on auditing

  1. Connect to Exchange Online PowerShell.
  2. Run the following PowerShell command to turn on auditing.

PowerShellCopy

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

A message is displayed saying that it may take up to 60 minutes for the change to take effect.

Turn off auditing

You have to use Exchange Online PowerShell to turn off auditing.

  1. Connect to Exchange Online PowerShell.
  2. Run the following PowerShell command to turn off auditing.

PowerShellCopy

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

  1. After a while, verify that auditing is turned off (disabled). There are two ways to do this:
    • In Exchange Online PowerShell, run the following command:

PowerShellCopy

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

The value of False for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned off.

    • Go to the Audit page in the compliance portal.

If auditing is not turned on for your organization, a banner is displayed prompting you start recording user and admin activity.

Audit records when auditing status is changed

Changes to the auditing status in your organization are themselves audited. This means that audit records are logged when auditing is turned on or turned off. You can search the Exchange admin audit log for these audit records.

To search the Exchange admin audit log for audit records that are generated when turning auditing on or off, run the following command in Exchange Online PowerShell:

PowerShellCopy

Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -Parameters UnifiedAuditLogIngestionEnabled

Audit records for these events contain information about when the auditing status was changed, the admin who changed it, and the IP address of the computer that was used to make the change. The following screenshots show audit records that correspond to changing the auditing status in your organization.

Audit record for turning on auditing

Audit record for turning on auditing

The value of Confirm in the CmdletParameters property indicates that unified audit logging was turned on in the compliance center or by running the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true cmdlet.

Audit record for turning off auditing

Audit record for turning off auditing

The value of Confirm is not included in the CmdletParameters property. This indicates that unified audit logging was turned off by running the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false command.

For more information about searching the Exchange admin audit log, see Search-AdminAuditLog.


Recommended content

Search the audit log in the Microsoft Purview compliance portal – Microsoft Purview (compliance)

 

Use the Microsoft Purview compliance portal to search the unified audit log to view user and administrator activity in your organization.

Set up Audit (Standard) in Microsoft 365 – Microsoft Purview (compliance)

 

This article describes how to set up Audit (Standard) so you can start searching for auditing activities performed by users and admins in your organization.

Detailed properties in the audit log – Microsoft Purview (compliance)

 

This article provides descriptions of additional properties included when you export results for an Office 365 audit log record.

Give users access to the Security & Compliance Center – Office 365

 

Users need to be assigned permissions in the Microsoft 365 Security & Compliance Center before they can manage any of its security or compliance features.

Show more

Feedback

Submit and view feedback for

This product This page

 View all page feedback

In this article

Show more

English (United States)

Theme

Regards,

 

Kon Belieu

 

Tags:

Comments are closed

Latest Comments

No comments to show.