Mailbox Auditing Check and Fix [CHK-1003]
This operational and customer check verifies whether all relevant audit logging settings are enabled for each mailbox in the tenant.
Rationale
Audit logging allows monitoring of login attempts on mailboxes and actions within those mailboxes. This enables immediate detection of hacking attempts and insight into malicious behavior in the event of an incident.
Fix
An automated fix is available through Attic. If you prefer to fix it yourself:
- Identify the mailboxes where audit logging is not correctly configured.
- Enable the missing audit log settings in the identified mailboxes.
- This can only be done via PowerShell. The required PowerShell script can be found here.
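The two manual steps above can be sketched as follows. This is an added example, not the Attic script referenced on this page. It assumes the ExchangeOnlineManagement module with an active `Connect-ExchangeOnline` session, and the action lists in `$required` are an assumed baseline that should be adjusted to the benchmark version you follow.

```powershell
# Added example, not the Attic script. Assumes an active Connect-ExchangeOnline session.
param([switch]$Apply)   # without -Apply the script only reports findings

# Assumed baseline of audit actions per logon type; adjust to your benchmark.
$common = 'Update','MoveToDeletedItems','SoftDelete','HardDelete',
          'UpdateFolderPermissions','UpdateInboxRules'
$required = @{
    AuditOwner    = $common + 'MailboxLogin'
    AuditDelegate = $common + 'SendAs','SendOnBehalf','Create'
    AuditAdmin    = $common + 'SendAs','SendOnBehalf','Create','Copy'
}

# Step 1: identify mailboxes with auditing disabled or with missing actions.
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -PropertySets Audit) {
    $missing = @{}
    foreach ($type in $required.Keys) {
        $gap = @($required[$type] | Where-Object { $mbx.$type -notcontains $_ })
        if ($gap.Count) { $missing[$type] = $gap }
    }
    if (-not $mbx.AuditEnabled -or $missing.Count) {
        [pscustomobject]@{
            Mailbox      = $mbx.UserPrincipalName
            AuditEnabled = $mbx.AuditEnabled
            Missing      = $missing
        }
    }
}

# Report: one row per non-compliant mailbox.
$findings | ForEach-Object {
    $gaps = ($_.Missing.GetEnumerator() |
        ForEach-Object { "$($_.Key): $($_.Value -join ',')" }) -join '; '
    '{0}  AuditEnabled={1}  Missing=[{2}]' -f $_.Mailbox, $_.AuditEnabled, $gaps
}

# Step 2: enable auditing and add only the missing actions.
if ($Apply) {
    foreach ($f in $findings) {
        $params = @{ Identity = $f.Mailbox; AuditEnabled = $true }
        foreach ($type in $f.Missing.Keys) {
            $params[$type] = @{ Add = $f.Missing[$type] }
        }
        Set-Mailbox @params
    }
}
```

Run it once without `-Apply` to review the list of affected mailboxes, then again with `-Apply` to change them; using `@{Add=...}` leaves actions that are already configured in place.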
Impact
Once the fix is applied, all audit settings in all mailboxes will be correctly configured. This ensures that all user activities are logged for each mailbox in the tenant, providing a better understanding in case of possible hacking attempts.
More Information
This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:
- CIS M365 5.2 - (L1) Ensure mailbox auditing for all users is Enabled