Mailbox audit logs are a requirement for Office Protect as this is how we monitor activity for our clients. If they are turned off, you lose all visibility of the Exchange activities of your tenant. This is a user-based setting, which means Mailbox Auditing must be turned on for all users individually.
Mailboxes have their own logs. If they are turned off by mistake, or by a rogue administrator, through the Microsoft 365 portal, or by PowerShell, we will automatically turn them back on. It will also produce an event in our reports if you enabled alerts for Settings Changed Outside of Office Protect.
Note that creating a new user can cause the Settings Changed Outside of Office Protect for Mailbox Audit logs to be triggered and alert you. This is expected behavior.
This setting can only be enabled through Exchange Online Powershell.
The operation to look for in the Unified Audit Logs: Set-Mailbox
Microsoft’s documentation about Mailbox Audit Logs: https://docs.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/enable-or-disable?view=exchserver-2019