private/review/exchangeonline/audit/Invoke-ReviewExoMailboxAuditEnabled.ps1

function Invoke-ReviewExoMailboxAuditEnabled
{
    <#
    .SYNOPSIS
        Check mailbox auditing for users is enabled.
    .DESCRIPTION
        Returns review object.
    .NOTES
        Requires the following modules:
        - ExchangeOnlineManagement
    .EXAMPLE
        Invoke-ReviewExoMailboxAuditEnabled;
    #>


    [cmdletbinding()]
    param
    (
    )

    BEGIN
    {
        # Write to log.
        Write-Log -Category 'Exchange Online' -Subcategory 'Audit' -Message 'Getting all mailboxes' -Level Debug;

        # Get all mailboxes.
        $mailboxes = Get-Mailbox -ResultSize Unlimited;

        # Object array with mailboxes where auditing is disabled.
        $mailboxesAuditDisabled = New-Object System.Collections.ArrayList;
    }
    PROCESS
    {
        # Foreach mailbox.
        foreach ($mailbox in $mailboxes)
        {
            # If mailbox auditing is disabled.
            if ($mailbox.AuditEnabled -eq $false)
            {
                # Add to the list.
                $mailboxesAuditDisabled += $mailbox;
            }
        }

        # Write to log.
        Write-Log -Category 'Exchange Online' -Subcategory 'Audit' -Message ("Found {0} with audit disabled" -f $mailboxesAuditDisabled.Count) -Level Debug;
    }
    END
    {
        # Bool for review flag.
        [bool]$reviewFlag = $false;

        # If review flag should be set.
        if ($mailboxesAuditDisabled.Count -gt 0)
        {
            # Should be reviewed.
            $reviewFlag = $true;
        }

        # Create new review object to return.
        [Review]$review = [Review]::new();

        # Add to object.
        $review.Id = '2b849f34-8991-4a13-a6f1-9f7d0ea4bcef';
        $review.Category = 'Microsoft Exchange Admin Center';
        $review.Subcategory = 'Audit';
        $review.Title = 'Ensure mailbox auditing for users is Enabled';
        $review.Data = $mailboxesAuditDisabled | Select-Object -Property Name, Alias, UserPrincipalName, PrimarySmtpAddress, AuditEnabled;
        $review.Review = $reviewFlag;

        # Print result.
        $review.PrintResult();

        # Return object.
        return $review;
    }
}