This was a question from a recent customer engagement: Why is the Microsoft Defender portal asking me to turn on the Unified Audit Log when I already have that enabled?
In the Defender portal https://security.microsoft.com this banner message was present: "To use this feature, turn on auditing so we can start recording user and admin activity in your organisation"
You can see that in the example screenshot below.
But why were they getting this when the Unified Audit Log (UAL) was already enabled?
First up, let's check the status of the UAL using Exchange PowerShell.
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
You can see that the UAL is not enabled.
Negative Ghost Rider, the pattern is full. Oh.
Their next thought was that this is actually a separate audit log, and is nothing to do with the UAL.
OK, let's enable your "new" audit log in the Microsoft Defender portal and then check the status of the UAL using PowerShell again.
Now that we enabled the audit log, what do we see in Exchange PowerShell?
That the UAL is now enabled, as it is the same audit log.
This really is a repeat of the classic Monty Python African Vs. European swallow.
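The same check and change can be scripted. This is an added example, not code from the original post; the function name Test-UnifiedAuditLog and its -EnableIfOff switch are made up for illustration, and it assumes the ExchangeOnlineManagement module (v3 or later) and an account permitted to change the audit configuration.

```powershell
# Added example (not from the original post).
# Test-UnifiedAuditLog and -EnableIfOff are hypothetical names.
function Test-UnifiedAuditLog {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$EnableIfOff)

    # Read the property from an Exchange Online session. In a
    # Security & Compliance PowerShell session the cmdlet exists too,
    # but UnifiedAuditLogIngestionEnabled always reports False there.
    $exo = Get-ConnectionInformation |
        Where-Object { $_.State -eq 'Connected' -and -not $_.IsEopSession }
    if (-not $exo) {
        Connect-ExchangeOnline -ShowBanner:$false
    }

    $enabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

    if (-not $enabled -and $EnableIfOff -and
        $PSCmdlet.ShouldProcess('tenant', 'Enable Unified Audit Log ingestion')) {
        # Sets the same property that reads True after the audit log is
        # turned on from the Defender portal banner.
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

        # Microsoft's documentation notes the change can take up to
        # 60 minutes to apply, so this re-read may still show False.
        $enabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    }

    [pscustomobject]@{
        CheckedAtUtc                    = (Get-Date).ToUniversalTime()
        UnifiedAuditLogIngestionEnabled = $enabled
    }
}

Test-UnifiedAuditLog                          # report only
# Test-UnifiedAuditLog -EnableIfOff -WhatIf   # preview the change first
```

If the banner is still shown while the portal and PowerShell disagree, check which session type the cmdlet ran in before concluding that there are two different audit logs.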
Bootnote
You may also have seen the prompt to enable UAL when looking at audit searches in the compliance portal as shown below.
- Go to https://compliance.microsoft.com and sign in.
- In the left navigation pane of the Microsoft 365 compliance center, click Audit. If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
Cheers,
Rhoderick