Enable auditing for SharePoint, OneDrive, and Microsoft Entra ID
You can enable auditing using Purview or Defender.
Turn on auditing in Defender
- Open Microsoft 365 Defender and log in with your Microsoft 365 admin account.
- Scroll down and click Audit in the sidebar.
- Click Start recording user and admin activities.
- If Defender displays a pop-up asking if you want to update your organisation settings, click Yes.
- Click Turn On.
Note: If you do not see the Start recording user and admin activities button, auditing for SharePoint, OneDrive, and Microsoft Entra ID is already enabled on the account.
Alternatively, get to Microsoft 365 Defender through the Microsoft 365 portal:
- Go to the Microsoft 365 portal and log in with your Microsoft 365 admin account.
- Click the Admin app.
- Scroll down to Admin centers in the sidebar and click Security.
You might need to click Show all to expand the sidebar and display all administration options.
Turn on auditing in Purview
To turn on auditing using Microsoft 365 Purview:
- Open Microsoft 365 Purview and log in with your Microsoft 365 admin account.
- Scroll down and click Audit in the side navbar.
- Click Start recording user and admin activities.
Note: If you do not see the Start recording user and admin activities button, auditing for SharePoint, OneDrive, and Microsoft Entra ID is already enabled on the account.
Enable auditing for on-premises Exchange servers
Exchange auditing is typically enabled by default. However, on-premises Exchange servers that were set up before January 2019 might not have this enabled.
Following these instructions will enable logging of:
- Administrator actions.
- Send, create, update, and delete actions in all mailboxes.
To enable auditing on your Exchange server:
- Open Windows PowerShell on your local system.
PowerShell commands
- Create a credential object for your Microsoft 365 admin account:
$UserCredential = Get-Credential
Enter your Microsoft 365 username and password and click OK.
- Open the credentials prompt for Office 365:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
- Enable the admin audit log:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
- Get all mailboxes:
$Mailboxes = (Get-Mailbox)
- Group mailboxes by what is enabled:
$Group = $Mailboxes | Group-Object AuditEnabled,AuditDelegate | Select-Object "Name","Count",@{Name="Account"; Expression={ $_.Group.Identity }}
$Group | Format-Table -AutoSize
- Audit everything from every mailbox:
(Get-Mailbox).Identity | % { Set-Mailbox -Identity $_ -AuditDelegate SendAs,SendOnBehalf,Create,Update,SoftDelete,HardDelete -AuditEnabled $true }
Note: If you have a large number of mailboxes, consider splitting the target mailboxes into smaller batches.
If new accounts are added in the future, you will need to run this command again to ensure that new mailboxes are audited.
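The batching suggested in the note above, as an added PowerShell example (not part of the original instructions): it enables auditing only on mailboxes that do not have it yet, so it can also be re-run after new accounts are added. It assumes the remote session from the earlier steps is still imported; `$BatchSize` and its value of 100 are illustrative assumptions.

```powershell
# Added example: enable auditing only where it is still off, in batches.
# Assumes the Exchange cmdlets were imported with Import-PSSession as above.
$BatchSize     = 100   # assumed value; tune for your environment
$AuditDelegate = 'SendAs','SendOnBehalf','Create','Update','SoftDelete','HardDelete'

# -ResultSize Unlimited avoids the default result limit of Get-Mailbox.
# @() keeps the result an array even when zero or one mailbox matches.
$Pending = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled })
Write-Host "$($Pending.Count) mailboxes do not have auditing enabled"

$Failed = @()
for ($i = 0; $i -lt $Pending.Count; $i += $BatchSize) {
    $last = [Math]::Min($i + $BatchSize, $Pending.Count) - 1

    foreach ($mbx in $Pending[$i..$last]) {
        try {
            # Same settings as the one-line command in the steps above.
            Set-Mailbox -Identity $mbx.Identity `
                -AuditEnabled $true `
                -AuditDelegate $AuditDelegate `
                -ErrorAction Stop
        }
        catch {
            # Record the failure and continue with the rest of the batch.
            $Failed += $mbx.Identity
            Write-Warning "Failed on $($mbx.Identity): $($_.Exception.Message)"
        }
    }
    Write-Host "Processed $($last + 1) of $($Pending.Count)"
}

# Verification: anything listed here is still unaudited.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object Identity, AuditEnabled |
    Format-Table -AutoSize

if ($Failed.Count -gt 0) {
    Write-Warning "$($Failed.Count) mailboxes failed; re-run after checking the warnings."
}
```

Because the script skips mailboxes that already have `AuditEnabled` set, scheduling it to run periodically covers newly created mailboxes without touching the rest.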
Disconnect PowerShell
When you are finished, disconnect the remote PowerShell session:
Remove-PSSession $Session
Failure to disconnect could use up all your available remote PowerShell sessions, forcing you to wait for the sessions to expire.