Enabling O365 Audit logging can be very useful for security and compliance.   The audit logs will record user and admin activities in Office 365, and you can search the Office 365 audit log.  Once enabled, you can also use the Microsoft Office 365 Management APIs to ingest the data into your security information and event management (SIEM) tool.

Enable Auditing for O365 (Exchange Online)

  1. Open Windows Powershell (as administrator) on your local machine.
  2. Connect to O365 with the following commands.  Enter your O365 user account with access to manage exchange.
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
  3. To enable the admin audit log, run the following command:
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
  4. To audit everything from every mailbox, run the following command:
    (Get-Mailbox).Identity | % { Set-Mailbox -Identity $_ -AuditDelegate SendAs,SendOnBehalf,Create,Update,SoftDelete,HardDelete -AuditEnabled $true }
    Note: May need to use the property (get-mailbox -resultsize unlimited) depending on size limits.
  5. Update your onboarding process or schedule this process to run as new users mailboxes will need this enabled.

Related: Enable Auditing for SharePoint Online, OneDrive, and Azure AD