Unified Audit logs are a requirement for Office Protect, this is how we monitor activity for our clients. If they are turned off, you lose all visibility on the activities of your tenant. It is an organization-wide setting that is enabled/disabled for all users. 

 

If audit logs are turned off by mistake, or by a rogue administrator, through the Microsoft 365 portal or by PowerShell, we will automatically turn it back on. It will also produce an event in our reports, and we will alert you if you enabled alerts for Settings Changed Outside of Office Protect.

 

This setting can only be enabled through Exchange Online Powershell.

 

Operation to look for in the Unified Audit Logs: Set-AdminAuditLogConfig


Microsoft’s documentation for Audit Logs in Security Center: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide