Microsoft Exchange Online: Search-MailboxAuditLog and New-MailboxAuditLogSearch will retire
Important Update The licensing for the migration tool related to the deprecation of the Search-MailboxAuditLog cmdlet is specifically designed for customers with extended audit log retention set in Exchange. Customers can choose to migrate their historical data to Audit Premium with Extended Retention plan in Purview, which is an E5 add-on. Audit Premium with Extended Retention plan is an advanced auditing solution that provides extended data retention capabilities. This plan is essential for organizations that need to meet stringent regulatory requirements and ensure comprehensive audit logging. The migration tool applies to customers with >1 year retention set on their existing audit logs in Exchange. Documentation will be made available prior to June 2025. Overview As part of our ongoing efforts to improve the logging capabilities of Exchange Online, we are sharing our timeline for decommissioning the Search-MailboxAuditLog and New-MailboxAuditLogSearch cmdlets. This change is a significant step towards enhancing our audit logging infrastructure and ensuring compliance with data retention standards. For our earlier communication on the subject please see this blog post. Background We are working on streamlining the audit log search experience and we are deprecating older cmdlets in favor of a single, more powerful cmdlet: Search-UnifiedAuditLog. This cmdlet, which has been around for a while, offers several advantages, including: Support for a greater variety of record types, making it more versatile. More filtering options, allowing for more precise results. Range of output formats to suit your needs. After March 1, 2025, existing data generated by mailbox audit logging will be accessible only as a historical record (with data only up to March 1). After March 1, 2025, existing data generated for customers with auditing enabled can be accessed only via the Search-UnifiedAuditLog cmdlet. To make things simpler and more efficient, we recommend you use Search-UnifiedAuditLog from now on. You can learn more about this cmdlet and its usage here. Timeline March 1, 2025: New audit log data will no longer be written to the mailbox. Existing data will be available as a historic record allowing for administrative review, modification and download of the logs. June 2025: Customers are provided documentation as well as migration tool described below to migrate their data to Search-UnifiedAuditLog for long-term auditing retention. June 2025: Audit log data in mailboxes will become a static, read-only record that used for historical searches. End of 2025: Former cmdlets Search-MailboxAuditLog and New-MailboxAuditLogSearch will no longer be available in Exchange Online. Migration Tool If you suspect that some legacy Exchange mailbox audit logs are not present in the Unified Audit Log you can use this upcoming migration tool to move that data into the UAL. This optional self-service migration tool can be run by tenant administrators. To assist, we will provide documentation that includes a guide for use. Our documentation will include common issues and their resolutions. By following these steps, you will be able to achieve a smooth and efficient migration while maintaining compliance and data integrity. Migration Overview To ensure seamless migration we suggest the following steps: Begin by reviewing your current usage to identify any scripts, tools, or applications that depend on the specified cmdlets. Engage with your legal and compliance teams to ensure all regulatory requirements are met. Make sure auditing is enabled for your tenant to maintain data integrity. Once the migration tool is available, utilize it to prevent data loss and transition to the Search-UnifiedAuditLog. Below is a comparison grid showcasing the differences between the Exchange cmdlets and the Purview cmdlet: Feature/Capability Search-MailboxAuditLog & New-MailboxAuditLogSearch Search-UnifiedAuditLog (Purview) Record Types Supported Exchange Only Extensive Filtering Options Standard Modern Data Retention Varies 180 days Compliance Limited Full Compliance User Experience Fragmented Unified Audit logging is turned on by default for Microsoft 365 organizations. Please verify the auditing status for your organization. Feedback If you have any feedback about this change, you can reach out to our exchangeonlinesearch-mailboxauditlogmigration@service.microsoft.com group. We are always happy to hear from you and assist in any way we can.Microsoft Purview Best Practices
Microsoft Purview is a solution that helps organizations manage data and compliance. It also uses AI to classify data, monitor compliance, and identify risks. Key features include data discovery, classification, governence, retention, compliance management, encryption, and access controls. Purview ensures data security, prevents insider threats, and helps implement data loss prevention policies to meet compliance requirements. Hello everyone - This is just a short introduction, I am Dogan Colak. I have been working as an M365 Consultant for about 5 years, holding certifications such as MCT, SC-100, SC-200, SC-300, and MS-102, with a focus on Security & Compliance. This year, I am excited to share what I have learned with the Microsoft Technology Community. In the coming days, I will be publishing videos and articles based on the training agenda I have created. I will also share these articles on LinkedIn, so feel free to follow me there. I am always open to feedback and suggestions. See you soon!Search-UnifiedAuditlogs For Mailbox - Problems
Introduction Like many, I have been faced with an audit search problem on mailboxes. I finally found a solution by searching deeply into the web. In this post I will provide you with Microsoft's documentation, I have tested everything, and it finally works. I also have comments to Microsoft, directly to the product group (with a case Microsoft) but also by the technet article feedback feature. Technical Content We assume that you have all necessary permissions and role to run audit logs search. For Regular mailboxes: if you have no results via GUI, It is possible that in the time interval there is no result. It may happen that the audit is blocked on the mailbox despite the fact that the feature is active. You may use the command Search-UnifiedAuditLog with the following parameters: UsersIds : email address Operations : event to be search (Exchange Mailbox Activites) Search-UnifiedAuditLog -UserIds <MailboxIdentity> -Operations MoveToDeletedItems, SoftDelete, HardDelete -StartDate "01/01/2025" -EndDate "15/01/2025" Unfortunately, no results appear with powershell. Here, you can find the documentation that describe the symptom and how to resolve it. Even when [mailbox auditing on by default](https://learn.microsoft.com/en-us/purview/audit-mailboxes) is turned on for your organization, you might notice that mailbox audit events for some users aren't found in audit log searches by using the Microsoft Purview portal or the compliance portal, the **Search-UnifiedAuditLog** cmdlet, or the Office 365 Management Activity API. The reason for this is that mailbox audit events is returned only for users with E5 licenses when you use one of the previous methods to search the unified audit log. You must run the following command within Exchange Online : Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $false And then : Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true Now you can search within the GUI or with powershell and you will have some results. For Shared Mailboxes: To search audit logs for a SharedMailbox, you must use the following command, with the parameter *FreeText.* Search-UnifiedAuditLog -StartDate "08/01/2025" -EndDate "11/01/2025" -FreeText (Get-Mailbox -identity <MailboxIdentity>).ExchangeGuid -Operations MoveToDeletedItems` Here you can find the article that describes the FreeText parameters, and also decscribes that GUI is not working for SharedMailboxes. Also, using the **User** dropdown list in the audit log search tool or the **Search-UnifiedAuditLog -UserIds** won't return results for activities performed in a shared mailbox. If there are no results and you are sure that there should be, then the same manipulation as described above will have to be done. Disable and then reactivate the audit on the mailbox: Set-Mailbox -Identity <SharedMailboxIdentity> -AuditEnabled:$false Set-Mailbox -Identity <SharedMailboxIdentity> -AuditEnabled:$true Run again the Search-UnifiedAuditLog command. Now you will find results. Conclusion I assume that the "Users" text box in the interface corresponds to the parameter "UserIds" in the cmdlet. And there is no match for the "FreeText" parameter. You can find other articles in my GitHub about Purview https://github.com/trisdev75/MicrosoftPurviewIntroducing the Microsoft Purview Audit Search Graph API
The new Microsoft Purview Audit Search Graph API will enable the programmatic search and retrieval of relevant audit logs with improvements in search completeness, reliability, and performance. This API serves as an improved alternative to the existing PowerShell cmdlet, Search-UnifiedAuditLog.
How to use Log Analytics log data exported to Storage Accounts
In this blog post I explore some options for accessing logs that were archived in Azure storage account containers, either through export from Log Analytics and Sentinel or through a custom Logic App. This is to address exceptional cases where you need those archived data, for example for historical context during an investigation.
Increased security visibility through new Standard Logs in Microsoft Purview Audit
In response to increasing frequency and evolution of cyberthreats, Microsoft is providing access to wider cloud security logs to its worldwide customers at no additional cost. Audit (Standard) customers can now access these additional logs, which have been identified as a result of close coordination with commercial and government customers, and with the Cybersecurity and Infrastructure Security Agency (CISA).
