
Secure and Manage Office 365 with PowerShell - The CIS Approach Part 2

Part 2: Audit

This is the second blog in a multi-part series helping admins, service providers, consultants and security admins to check and achieve a level of security control in Office 365. Part 1 of this series covered the basic PowerShell commands for Authentication through CIS; here we will talk about 'Audit'.

Need for Office 365 Automation

Many of the people listed above are technical and need some amount of automation here because they:

  1. May be frustrated with the myriad UIs from Microsoft,
  2. Have multiple tenants to secure,
  3. Consider this a repeating task (which it should be).

To this end we will show you how to complete these tasks in PowerShell, which will allow you to script these checks and remediations. Alternatively, you can skip laborious manual Office 365 PowerShell configuration by using an automation solution like Octiga to achieve the same results in a few clicks.

First steps

Connect to Remote PowerShell

The following connections are required to run the scripts in this blog:

Connect-ExchangeOnline
Connect-IPPSSession
Connect-MSOLService

Enable Org Customisations

If you have never run PowerShell against a tenant before, you will have to enable organisation customisations via PowerShell first:

Enable-OrganizationCustomization

Unified Audit Log (UAL)

Reason: Microsoft funnels many different log sources into one unified log for easy triage and investigation. If it is not switched on, there is nothing to search when an incident happens.
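A check-and-remediate snippet for the UAL, added here as an example (it is not the post's own script). It assumes an existing Connect-ExchangeOnline session and uses the UnifiedAuditLogIngestionEnabled setting exposed by Get-AdminAuditLogConfig:

```powershell
# Added example: confirm Unified Audit Log ingestion is on, enable it if not.
# Requires: Connect-ExchangeOnline (and Enable-OrganizationCustomization once per tenant).
$ual = Get-AdminAuditLogConfig

if ($ual.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified Audit Log: enabled (compliant)"
} else {
    Write-Warning "Unified Audit Log: disabled - enabling now"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # Re-read the setting so the script's output reflects the new state.
    # Note: events start flowing some time after enabling, not instantly.
    $ual = Get-AdminAuditLogConfig
    Write-Host ("Unified Audit Log now enabled: {0}" -f $ual.UnifiedAuditLogIngestionEnabled)
}
```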

Mailbox Audit – Basic and Advanced

Reason:

Since this is configurable, you should ensure that all types of activities are being audited for each mailbox. Even if no misconfiguration has occurred, auditing may not be on by default anyway, because Microsoft applies this audit capability differently to different licence types. More info here

Check

The above will show the audit enabled status for all mailboxes under the field AuditEnabled.

The final three fields in the output (AuditAdmin, AuditDelegate, AuditOwner) show the event types that are currently being audited for each logon type. (See Remediate Advanced)

Remediate Basic

Remediate Advanced

Notice in the above check that we show the audit event types that are being audited by default. This Microsoft article shows us that this set can be altered and updated.

The below code can be updated to include any mailbox action which you wish to audit. The full list can be found in the above link. Note: if you do not have an E5 licence, or an E5 Compliance Add-On licence, then the following actions may not be possible and should be removed:

[Send, SearchQueryInitiated, MailItemsAccessed]
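The Check, Remediate Basic and Remediate Advanced steps above in one script, added here as an example (not the post's own code). It assumes a Connect-ExchangeOnline session; the action lists are a reasonable baseline that you should edit to your needs, and the three E5-only actions are deliberately left out so it runs on any licence:

```powershell
# Added example. Requires: Connect-ExchangeOnline.

# Check: audit status and the per-logon-type action sets for every mailbox.
Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner |
    Format-Table -AutoSize

# Remediate Basic: switch auditing on for any mailbox where it is off.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object {
        Write-Host "Enabling mailbox audit for $($_.UserPrincipalName)"
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true
    }

# Remediate Advanced: define the actions to audit per logon type.
# E5-only actions (Send, SearchQueryInitiated, MailItemsAccessed) are omitted here.
$ownerActions    = @('Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems',
                     'SoftDelete','Update','UpdateFolderPermissions','UpdateInboxRules',
                     'UpdateCalendarDelegation')
$delegateActions = @('Create','FolderBind','HardDelete','Move','MoveToDeletedItems',
                     'SendAs','SendOnBehalf','SoftDelete','Update',
                     'UpdateFolderPermissions','UpdateInboxRules')
$adminActions    = $delegateActions + @('Copy','MessageBind')   # admin-only extras

# Passing a plain array REPLACES the existing set (use @{Add=...} to append instead).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true `
            -AuditOwner $ownerActions `
            -AuditDelegate $delegateActions `
            -AuditAdmin $adminActions
    }
```

Run the Check block again afterwards; the AuditOwner/AuditDelegate/AuditAdmin columns should now match the lists you set.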

Advanced Auditing (E5 and Advanced Add-On)

Advanced Audit allows for increased audit retention, logs additional event types and delivers events faster, among other things.

Advanced Audit is available with E5 licences or through an add-on (see here).

We need to ensure it is set up correctly so that when the time comes that you need it, you aren't left kicking yourself.

Assigning Advanced Audit Licences

If you have purchased the required licence, you must ensure it is allocated to the required users. One mistake we often see is companies purchasing licences and then failing to allocate them, let alone configure them.

The following script will identify any unallocated M365_ADVANCED_AUDITING service plan.

Advanced Audit Events

Advanced Audit logs additional mailbox events (Send, MailItemsAccessed, SearchQueryInitiatedExchange/SharePoint) which can be crucial when investigating mail breaches.

Check and Remediate

The following script will set up advanced audit event logging for all users who have been assigned the Advanced Audit licence.
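An example script covering both the licence allocation check and the per-user remediation described above; it is added here and is not the post's own script. It assumes Connect-MSOLService and Connect-ExchangeOnline sessions, takes the service plan name M365_ADVANCED_AUDITING from the post, and enables only the three E5-only actions (the baseline set is assumed to be configured already):

```powershell
# Added example. Requires: Connect-MSOLService and Connect-ExchangeOnline.
$planName = 'M365_ADVANCED_AUDITING'

# 1. Licence SKUs that contain the plan, and how many purchased units sit unassigned.
Get-MsolAccountSku |
    Where-Object { $_.ServiceStatus.ServicePlan.ServiceName -contains $planName } |
    ForEach-Object {
        [pscustomobject]@{
            Sku         = $_.AccountSkuId
            Active      = $_.ActiveUnits
            Consumed    = $_.ConsumedUnits
            Unallocated = $_.ActiveUnits - $_.ConsumedUnits   # > 0 means paid-for but unused
        }
    } | Format-Table -AutoSize

# 2. Users whose assigned licence includes the plan, with its provisioning state.
$licensed = foreach ($u in Get-MsolUser -All) {
    foreach ($lic in $u.Licenses) {
        $plan = $lic.ServiceStatus | Where-Object { $_.ServicePlan.ServiceName -eq $planName }
        if ($plan) {
            [pscustomobject]@{
                UPN    = $u.UserPrincipalName
                Sku    = $lic.AccountSkuId
                Status = $plan.ProvisioningStatus   # 'Success' once provisioned; 'Disabled' if turned off in the SKU
            }
        }
    }
}
$licensed | Format-Table -AutoSize

# 3. Add the E5-only mailbox actions for users whose plan is actually provisioned.
$e5Owner = @('Send','SearchQueryInitiated','MailItemsAccessed')
$e5Other = @('MailItemsAccessed')   # Send and SearchQueryInitiated exist for the owner logon type only
foreach ($u in ($licensed | Where-Object { $_.Status -eq 'Success' })) {
    Write-Host "Enabling Advanced Audit actions for $($u.UPN)"
    Set-Mailbox -Identity $u.UPN -AuditEnabled $true `
        -AuditOwner    @{Add = $e5Owner} `
        -AuditDelegate @{Add = $e5Other} `
        -AuditAdmin    @{Add = $e5Other}
}
```

The MSOnline module is used because the post connects with Connect-MSOLService; Microsoft has since deprecated it in favour of Microsoft Graph PowerShell, so expect to port the licence lookup when you migrate.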

Advanced Retention Periods

Once Unified Audit Logging is turned on it will use a default audit storage retention policy. Without an Advanced Audit licence this will be 90 days. Once the Advanced Audit licence is activated it will default to 1 year; however, it can optionally be set for up to 10 years.

Note: setting a longer retention policy than you already have will not retrospectively reveal older logs that were not stored. So if you want logs for more than 1 year in the future, you will need to start now.

The default audit retention policy applies to all workloads (SharePoint, Teams, Exchange etc.), however any custom policy will override it for the chosen workload.  See here for a list of workloads on which it is possible to extend the storage.

In this example we will override the default retention storage for some important workloads.
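A retention override for Exchange mailbox, Exchange admin and Entra sign-in records, added here as an example and not the post's own script. It assumes a Connect-IPPSSession session; the policy name, the chosen record types and the 10-year duration are assumptions to adjust for your tenant:

```powershell
# Added example. Requires: Connect-IPPSSession (Security & Compliance PowerShell).
$policyName  = 'Extended-Audit-Retention'                                 # assumed name
$recordTypes = @('ExchangeItem', 'ExchangeAdmin', 'AzureActiveDirectoryStsLogon')
$duration    = 'TenYears'   # other values: ThreeMonths, SixMonths, NineMonths, TwelveMonths

# Check: list existing overrides. The tenant default (90 days / 1 year) is not
# shown here; only custom policies appear, and they win over the default.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority |
    Format-Table -AutoSize

# Remediate: create the override if missing, or correct its duration if it drifted.
$existing = Get-UnifiedAuditLogRetentionPolicy | Where-Object Name -eq $policyName
if (-not $existing) {
    # Priority is required; a lower number wins when policies overlap on a record type.
    New-UnifiedAuditLogRetentionPolicy -Name $policyName `
        -RecordTypes $recordTypes -RetentionDuration $duration -Priority 1
    Write-Host "Created $policyName ($duration) for: $($recordTypes -join ', ')"
} elseif ($existing.RetentionDuration -ne $duration) {
    Set-UnifiedAuditLogRetentionPolicy -Identity $policyName -RetentionDuration $duration
    Write-Host "Updated $policyName to $duration"
} else {
    Write-Host "$policyName already compliant"
}
# Only events logged from now on get the longer retention; expired events do not return.
```

TenYears needs the separate 10-year audit log retention add-on licence in addition to Advanced Audit; without it, use TwelveMonths.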

High-Speed Access to Audit Logs

When you subscribe to Advanced Audit in Office 365 you will automatically receive log events faster than you otherwise would through the Management API. Octiga's event monitoring automatically picks up these additional event types at the higher rate, so you will be informed even more rapidly of suspicious activity.

Octiga Ensures BOTH Best Practice Security Configurations AND Monitors all Risky Events

Octiga not only easily sets all of the above policies across all the tenants that you manage, but also subscribes to all the resultant risky events. It alerts you when any one of the policies does not comply with this best practice, and also alerts you to all ongoing risks. It then remediates these risks with the touch of a button. Book a quick 15 minute chat with us to understand how Octiga can help your unique business needs through Office 365 security automation.
