TL;DR

Enable your account(s) for administrative audit logging now because it will already be too late when you actually need it.

Foolishly thinking that all of the Office 365 email settings are backed up? Think again. I know from cruel, difficult experience that Email Aliases are NOT backed up. I found out the hard way – while using the new Admin Center Preview, I attempted to add an alias to an existing account and was surprised when the alias actually replaced ALL of my existing aliases instead of appending, which is the normal behavior.

This is most definitely due to a bug in the new interface (and Microsoft assures me they are working to uncover and resolve it). The most surprising thing I learned in this ordeal – the email aliases are NOT backed up. I would expect a cloud service provider to back up all my configuration data but this is not true.

So, if you admin an Office 365 site, protect yourself and enable admin logs. Again, I was surprised to find out this is not enabled by default.

If you are already a PowerShell user, execute the following command:

Hopefully you will see output similar to the following:

If AdminAuditLogEnabled is set to false then stop everything and enable it. THIS is the most important thing you can do right at this moment. It will give you some insight into what happened and when, and maybe some information on how to recover.

At this point, you may want to configure the retention history for longer than 90 days.

When something goes wrong you will be able to search the log to see what has been done and use that to restore the state of the world. For example, the following command shows me everything done at an administrative level to my mailbox in the past day.

Search-AdminAuditLog -UserIds "Rick Wargo" -StartDate (Get-Date).AddDays(-1)

Follow this advice because it will already be too late when you need it.

To enable auditing via PowerShell:

Step 1: Connect to Exchange Online using remote PowerShell from your local computer

  • a. Open Windows PowerShell and run the following command
    • In the credential request dialog box, type your username and password for your Office 365 admin account and click OK.
  • b. Run the following command
  • c. Run the next command
  • d. To verify a successful connection, run the following command to get a list of all mailboxes in your org.

Step 2: Enable Mailbox auditing via PowerShell on a single mailbox or on all mailboxes

To enable auditing for a single mailbox, enter the following PowerShell command, replacing “Fname Lname” with the first and last name of the mailbox user.

To enable mailbox auditing for all user mailboxes in your organization, enter the following PowerShell command.
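
The two steps above, together with the AdminAuditLogEnabled check from earlier in the post, as one PowerShell script. This is an added example, not the author's original commands: it assumes the ExchangeOnlineManagement module's Connect-ExchangeOnline for the connection, and the admin UPN, the helper name Enable-UserMailboxAudit and the 180-day age limit are placeholders.

```powershell
# Added example, not the post's original commands.
# Assumes Install-Module ExchangeOnlineManagement has already been run and that
# the placeholder UPN below is replaced with your Office 365 admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# Organization-level check: the AdminAuditLogEnabled value the post refers to.
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, AdminAuditLogAgeLimit

function Enable-UserMailboxAudit {        # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Identity,                # e.g. "Fname Lname"; omit for all user mailboxes
        [int]$AgeLimitDays = 180          # assumed value; mailbox audit entries default to 90 days
    )

    $mailboxes = if ($Identity) {
        Get-Mailbox -Identity $Identity
    } else {
        Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"
    }

    # Only touch mailboxes that are not already audited, so reruns are cheap.
    $pending = @($mailboxes | Where-Object { -not $_.AuditEnabled })
    foreach ($mbx in $pending) {
        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Enable mailbox auditing')) {
            Set-Mailbox -Identity $mbx.UserPrincipalName `
                        -AuditEnabled $true `
                        -AuditLogAgeLimit $AgeLimitDays
        }
    }
}

Enable-UserMailboxAudit -WhatIf           # dry run: lists what would change
Enable-UserMailboxAudit                   # apply to every user mailbox

# Verification: this should return nothing once auditing is on everywhere.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit

Disconnect-ExchangeOnline -Confirm:$false
```

New mailboxes created after the run are not covered, so schedule the script or rerun it after provisioning users.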