My notes for Mailbox Auditing say that Microsoft Defender for Office 365 P1 is required. After some light searching, I cannot confirm this is true. Microsoft changes policies so please confirm before using this recipe.
Mailbox auditing for Microsoft 365 Organizations should be on by default for the following mailbox types:
To confirm mailbox auditing is enabled, we check that the -AuditDisabled is set to False.
This is a bit odd at first but think of it as a double negative; “Not Disabled” = “Enabled”.
First connect to Exchange Online:
Connect-ExchangeOnline
Then check the value of the AuditDisabled switch.
Get-OrganizationConfig | Select-Object -Property AuditDisabled
If auditing is enabled, you will see that AuditDisabled is set to False:
Get-OrganizationConfig | Select-Object -Property AuditDisabled
AuditDisabled
-------------
False
If auditing is required for any of the following mailbox types, you must manually enable it:
To enable auditing for these mailbox types use a routine like this:
Get-ExoMailbox -RecipientTypeDetails DiscoveryMailbox | Set-Mailbox -AuditEnabled $True
To verify this worked, use the -PropertySet Audit with the Get-ExoMailbox command.
Get-ExoMailbox -PropertySet Audit -RecipientTypeDetails DiscoveryMailbox | Select-Object -Property AuditEnabled
AuditEnabled
------------
True
Microsoft Mailbox Auditing Learn article.