Identifies when Exchange audit logging has been disabled, which may be an adversary attempt to evade detection or avoid other defenses.
MITRE ATT&CK Tactics
Service accounts related changes
1. If the change is not correlated with an approved internal event, subject to corporate change management policy, reverse the change in Windows.
2. Review activity logs in Office365 via the Azure Sentinel console and identify any abnormal activities within the time when the change was made.
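
The detection and the review in step 2 can be rehearsed offline on exported records. This is an added example, not the rule's own query. It assumes OfficeActivity-style field names, treats `Set-AdminAuditLogConfig` with `AdminAuditLogEnabled` set to `False` as the disabling event, and uses a one-hour window limited to the same user, both chosen only for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records with OfficeActivity-style field names (not real log data).
SAMPLE = [
    {"TimeGenerated": "2024-01-10T09:40:00", "UserId": "admin@example.test",
     "Operation": "New-InboxRule", "Parameters": "[]"},
    {"TimeGenerated": "2024-01-10T10:00:00", "UserId": "admin@example.test",
     "Operation": "Set-AdminAuditLogConfig",
     "Parameters": json.dumps([{"Name": "AdminAuditLogEnabled", "Value": "False"}])},
    {"TimeGenerated": "2024-01-10T10:20:00", "UserId": "admin@example.test",
     "Operation": "Add-MailboxPermission", "Parameters": "[]"},
    {"TimeGenerated": "2024-01-10T10:25:00", "UserId": "user@example.test",
     "Operation": "Set-Mailbox", "Parameters": "[]"},
    {"TimeGenerated": "2024-01-11T08:00:00", "UserId": "ops@example.test",
     "Operation": "Set-AdminAuditLogConfig",
     "Parameters": json.dumps([{"Name": "AdminAuditLogEnabled", "Value": "True"}])},
]

def _params(record):
    """Parse the Parameters JSON string into {name_lower: value}; malformed input yields {}."""
    try:
        items = json.loads(record.get("Parameters") or "[]")
        return {str(p["Name"]).lower(): str(p["Value"]) for p in items}
    except (ValueError, TypeError, KeyError):
        return {}

def is_audit_disable(record):
    """True when the record sets AdminAuditLogEnabled to False via Set-AdminAuditLogConfig."""
    return (record.get("Operation", "").lower() == "set-adminauditlogconfig"
            and _params(record).get("adminauditlogenabled", "").lower() == "false")

def triage(records, window=timedelta(hours=1)):
    """For each disable event, list the same user's other operations within +/- window."""
    findings = []
    for ev in filter(is_audit_disable, records):
        t0 = datetime.fromisoformat(ev["TimeGenerated"])
        nearby = [r["Operation"] for r in records
                  if r is not ev and r["UserId"] == ev["UserId"]
                  and abs(datetime.fromisoformat(r["TimeGenerated"]) - t0) <= window]
        findings.append({"user": ev["UserId"], "time": ev["TimeGenerated"], "nearby": nearby})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Operations listed under `nearby` are the candidates to check against change management records before reversing the change.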