From Learn.microsoft.com
Verify the auditing status for your organization
To verify that auditing is turned on for your organization, you can run the following command in Exchange Online PowerShell:
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
A value of True for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned on. A value of False indicates that auditing is not turned on.
Note
Be sure to run the previous command in Exchange Online PowerShell. You can’t use Security & Compliance PowerShell to run this command.
Turn on auditing
If auditing is not turned on for your organization, you can turn it on in the compliance portal or by using Exchange Online PowerShell. It may take several hours after you turn on auditing before you can return results when you search the audit log.
Use the compliance center to turn on auditing
- Go to https://compliance.microsoft.com and sign in.
- In the left navigation pane of the compliance portal, click Audit.
  If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
- Click the Start recording user and admin activity banner.
  It may take up to 60 minutes for the change to take effect.
Use PowerShell to turn on auditing
- Connect to Exchange Online PowerShell.
- Run the following PowerShell command to turn on auditing.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
A message is displayed saying that it may take up to 60 minutes for the change to take effect.
Turn off auditing
You have to use Exchange Online PowerShell to turn off auditing.
- Connect to Exchange Online PowerShell.
- Run the following PowerShell command to turn off auditing.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
- After a while, verify that auditing is turned off (disabled). There are two ways to do this:
  - In Exchange Online PowerShell, run the following command:
    Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
    The value of False for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned off.
  - Go to the Audit page in the compliance portal.
    If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
Audit records when auditing status is changed
Changes to the auditing status in your organization are themselves audited. This means that audit records are logged when auditing is turned on or turned off. You can search the Exchange admin audit log for these audit records.
To search the Exchange admin audit log for audit records that are generated when turning auditing on or off, run the following command in Exchange Online PowerShell:
Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -Parameters UnifiedAuditLogIngestionEnabled
Audit records for these events contain information about when the auditing status was changed, the admin who changed it, and the IP address of the computer that was used to make the change. The following screenshots show audit records that correspond to changing the auditing status in your organization.
Audit record for turning on auditing
The value of Confirm in the CmdletParameters property indicates that unified audit logging was turned on in the compliance center or by running the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true cmdlet.
Audit record for turning off auditing
The value of Confirm is not included in the CmdletParameters property. This indicates that unified audit logging was turned off by running the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false command.
For more information about searching the Exchange admin audit log, see Search-AdminAuditLog.
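The following is an added example, not code from the original article or from Microsoft. It turns the records returned by the search above into one row per status change, so that a change to "off" stands out for review. It reads the logged UnifiedAuditLogIngestionEnabled value and also reports whether Confirm was present. The helper name Get-AuditStatusChange, the record property names (RunDate, Caller, ClientIP, CmdletParameters with Name and Value) and the sample data are assumptions.

```powershell
# Added example, not Microsoft's code. Assumes Search-AdminAuditLog records expose
# RunDate, Caller, ClientIP and CmdletParameters (objects with Name and Value).
function Get-AuditStatusChange {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Record
    )
    process {
        $params  = @($Record.CmdletParameters)
        $setting = $params | Where-Object Name -eq 'UnifiedAuditLogIngestionEnabled' | Select-Object -First 1
        if (-not $setting) { return }   # not an auditing status change
        $action = if ("$($setting.Value)" -eq 'True') { 'TurnedOn' } else { 'TurnedOff' }
        [pscustomobject]@{
            RunDate    = $Record.RunDate
            Caller     = $Record.Caller
            ClientIP   = $Record.ClientIP
            Action     = $action
            # The article notes Confirm is present in "on" records and absent in "off" records.
            HasConfirm = [bool]($params | Where-Object Name -eq 'Confirm')
        }
    }
}

# Constructed sample records (not real tenant data).
$sample = @(
    [pscustomobject]@{
        RunDate = [datetime]'2024-01-10 09:15'; Caller = 'admin1@contoso.example'; ClientIP = '203.0.113.10'
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'UnifiedAuditLogIngestionEnabled'; Value = 'True' }
            [pscustomobject]@{ Name = 'Confirm'; Value = 'True' }
        )
    }
    [pscustomobject]@{
        RunDate = [datetime]'2024-01-12 22:40'; Caller = 'admin2@contoso.example'; ClientIP = '198.51.100.7'
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'UnifiedAuditLogIngestionEnabled'; Value = 'False' }
        )
    }
)

$changes = $sample | Get-AuditStatusChange | Sort-Object RunDate
$changes | Format-Table -AutoSize
# Only the records where auditing was turned off:
$changes | Where-Object Action -eq 'TurnedOff' | Format-Table -AutoSize
# Live use (Exchange Online PowerShell):
# Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -Parameters UnifiedAuditLogIngestionEnabled | Get-AuditStatusChange
```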
Regards,
Kon Belieu