Unified Audit Log is one of the essential features for tracking down every action done across the tenant.
The logs are kept for 90 days by default, but you can extend them using special addons.
If you want to check whether the logging is enabled on your tenant, connect to Exchange Online with PowerShell. Once connected, you can check the status.
Install-Module ExchangeOnlineManagement Import-Module ExchangeOnlineManagement Connect-ExchangeOnline -UserPrincipalName email@example.com Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
If you get “True” as a result, the logging is enabled. If you get “False”, follow the steps below to enable it:
Using the PS tab, you opened before to check the Audit Log status, send the following command:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
You might be asked to run “Enable-OrganizationCustomization” before relaunching the command. You must wait 30 to 60 minutes after sending “Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true” to see it enabled in the portal.
Go to https://compliance.microsoft.com/, then click on “Audit” on the left pane. When you get to the page, click on “Start recording user and admin activity“, then check the status after 30-60 minutes. If it fails, try with PowerShell.