I am taking care of a few Microsoft 365 tenants and I set up audit logging for all of them.
One of these tenants only provides administrative audit logs but no user audit logs (for example, no logs about deleted items from an Exchange mailbox or downloaded files from OneDrive, etc.).
All the tenants use the same licensing (a mix of Microsoft 365 Standard, Essentials, Premium, Exchange Online).
These are the steps I have done so far for the tenant that shows no user audit logs:
Verified permissions (global admin: check).
Tried querying logs via PowerShell, web UI, HTTP API (all same result: missing user audit logs).
Checked audit log configuration:
Get-AdminAuditLogConfig | select AdminAuditLogEnabled, UnifiedAuditLogIngestionEnabled
(both give a "true")
Checked organization config:
Get-OrganizationConfig | select AuditDisabled
(Result: False)
Checked auditing enabled on mailbox level:
Get-Mailbox -ResultSize Unlimited | select Name,AuditEnabled
(all give AuditEnabled = true besides DiscoverySearchMailbox but that's false on all my tenants)
Checked if any mailbox has an audit bypass association:
Get-MailboxAuditBypassAssociation | ft Name, AuditByPassEnabled
(all false)
Checked auditing options on mailbox level:
Get-Mailbox -ResultSize Unlimited | select Name, AuditAdmin, AuditDelegate, AuditOwner
(each mailbox shows all of the data that the other tenants have assigned, too: Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, Create, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation, ApplyRecord)
Additionally I tried:
Disabling auditing on org level and audit log configuration (the ones I verified earlier), waited for one hour, turned both on again, waited another hour.
No difference. Still no user audit logs.
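
Added example, not part of the original post: a PowerShell helper that counts unified audit log records per RecordType and flags user-activity record types that return nothing, so the admin-only symptom described above becomes visible per workload. The function name Get-AuditCoverage, the selection of expected record types and the sample records are assumptions constructed for illustration.

```powershell
# Added example: summarise audit records per RecordType and flag
# user-activity record types that are absent from the result set.
function Get-AuditCoverage {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Records,
        # RecordType names that carry user activity (this selection is an assumption).
        [string[]] $Expected = @('ExchangeItem', 'ExchangeItemGroup', 'SharePointFileOperation')
    )
    # Count records per RecordType.
    $counts = @{}
    foreach ($r in $Records) {
        $key = [string]$r.RecordType
        $counts[$key] = 1 + [int]$counts[$key]
    }
    # One row per type seen, plus a zero row for each expected type that is absent.
    $types = @($counts.Keys) + @($Expected) | Sort-Object -Unique
    foreach ($t in $types) {
        [pscustomobject]@{
            RecordType = $t
            Count      = [int]$counts[$t]
            UserType   = $t -in $Expected
            Missing    = ($t -in $Expected) -and (-not $counts.ContainsKey($t))
        }
    }
}

# Constructed sample shaped like Search-UnifiedAuditLog output (admin records only).
$sample = @(
    [pscustomobject]@{ RecordType = 'ExchangeAdmin'; Operations = 'Set-Mailbox' }
    [pscustomobject]@{ RecordType = 'ExchangeAdmin'; Operations = 'Set-AdminAuditLogConfig' }
    [pscustomobject]@{ RecordType = 'AzureActiveDirectory'; Operations = 'Update user.' }
)
Get-AuditCoverage -Records $sample | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline), feed real records instead:
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5000
# Get-AuditCoverage -Records $live | Format-Table -AutoSize
```

Running the same function against a tenant that logs correctly gives a baseline to compare the Missing column with.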