The Set-AuditConfig cmdlet is used to configure organization-wide settings for the unified audit log, such as the audit level or ingestion status. It does not enable or disable auditing for individual mailboxes. The problem states that audit log searches for a specific mailbox (User1) are blank, indicating that auditing for that particular mailbox is likely disabled. The correct procedure to ensure future sign-ins and other actions are logged for a specific mailbox is to enable auditing directly on that mailbox object using the Set-Mailbox -Identity User1 -AuditEnabled $true command. Therefore, the proposed solution is incorrect.

A: This is incorrect because the Set-AuditConfig command does not target or enable auditing for a specific user's mailbox. It manages the global configuration of the unified audit log service.

1. Microsoft Purview Documentation

"Enable or disable mailbox auditing": This document explicitly states that the Set-Mailbox -AuditEnabled parameter is used to turn on or off mailbox auditing for specific user mailboxes. It confirms this is the correct method to resolve the issue described.

URL: https://learn.microsoft.com/en-us/purview/audit-mailboxes#enable-or-disable-mailbox-auditing

2. Microsoft PowerShell Documentation

"Set-Mailbox": The official documentation for the Set-Mailbox cmdlet details the -AuditEnabled parameter

which "specifies whether to enable or disable mailbox auditing for the mailbox."

URL: https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailbox?view=exchange-ps#parameters (See -AuditEnabled parameter description).

3. Microsoft PowerShell Documentation

"Set-AuditConfig": The documentation for Set-AuditConfig shows its purpose is to "configure the unified audit log." Its parameters

such as -UnifiedAuditLogIngestionEnabled

affect the entire service

not individual mailboxes.

URL: https://learn.microsoft.com/en-us/powershell/module/exchange/set-auditconfig?view=exchange-ps