Hi @Mohammed Hashim ,
Can we get the disabled mailbox user audit logs?
I tried a lot of tests in my Exchange 2016 but could not found any workarounds to get the audit logs of the disabled mailbox user.
As I know, Mailbox audit log records are stored in a subfolder (named Audits) in the Recoverable Items folder in each user's mailbox. However, as this document says, we can't directly access an audit log record in the Recoverable Items folder; instead, Search-MailboxAuditLog cmdlet or search the audit log is needed. So, based on all the tests results, in order to get the disabled mailbox user audit logs, we need to connect to them firstly.
By the way, what also need to be mentioned is that mailbox audit log entries are retained in the mailbox for 90 days and then deleted by default. And the disconnected mailbox is permanently deleted (purged) based on the MailboxRetention property value for the mailbox database (the default value is 30 days). Please remember to take necessary operations in time.
Hope these could help.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.