audit
8 Topics

Microsoft Exchange Online: Search-MailboxAuditLog and New-MailboxAuditLogSearch will retire
Important Update

The licensing for the migration tool related to the deprecation of the Search-MailboxAuditLog cmdlet is specifically designed for customers with extended audit log retention set in Exchange. Customers can choose to migrate their historical data to Audit Premium with Extended Retention plan in Purview, which is an E5 add-on. Audit Premium with Extended Retention plan is an advanced auditing solution that provides extended data retention capabilities. This plan is essential for organizations that need to meet stringent regulatory requirements and ensure comprehensive audit logging. The migration tool applies to customers with >1 year retention set on their existing audit logs in Exchange. Documentation will be made available prior to June 2025.

Overview

As part of our ongoing efforts to improve the logging capabilities of Exchange Online, we are sharing our timeline for decommissioning the Search-MailboxAuditLog and New-MailboxAuditLogSearch cmdlets. This change is a significant step towards enhancing our audit logging infrastructure and ensuring compliance with data retention standards. For our earlier communication on the subject please see this blog post.

Background

We are working on streamlining the audit log search experience and we are deprecating older cmdlets in favor of a single, more powerful cmdlet: Search-UnifiedAuditLog. This cmdlet, which has been around for a while, offers several advantages, including:

- Support for a greater variety of record types, making it more versatile.
- More filtering options, allowing for more precise results.
- Range of output formats to suit your needs.

After March 1, 2025, existing data generated by mailbox audit logging will be accessible only as a historical record (with data only up to March 1). After March 1, 2025, existing data generated for customers with auditing enabled can be accessed only via the Search-UnifiedAuditLog cmdlet.
To make things simpler and more efficient, we recommend you use Search-UnifiedAuditLog from now on. You can learn more about this cmdlet and its usage here.

Timeline

- March 1, 2025: New audit log data will no longer be written to the mailbox. Existing data will be available as a historic record allowing for administrative review, modification and download of the logs.
- June 2025: Customers are provided documentation as well as the migration tool described below to migrate their data to Search-UnifiedAuditLog for long-term auditing retention.
- June 2025: Audit log data in mailboxes will become a static, read-only record that is used for historical searches.
- End of 2025: Former cmdlets Search-MailboxAuditLog and New-MailboxAuditLogSearch will no longer be available in Exchange Online.

Migration Tool

If you suspect that some legacy Exchange mailbox audit logs are not present in the Unified Audit Log, you can use this upcoming migration tool to move that data into the UAL. This optional self-service migration tool can be run by tenant administrators. To assist, we will provide documentation that includes a guide for use. Our documentation will include common issues and their resolutions. By following these steps, you will be able to achieve a smooth and efficient migration while maintaining compliance and data integrity.

Migration Overview

To ensure seamless migration we suggest the following steps:

- Begin by reviewing your current usage to identify any scripts, tools, or applications that depend on the specified cmdlets.
- Engage with your legal and compliance teams to ensure all regulatory requirements are met.
- Make sure auditing is enabled for your tenant to maintain data integrity.
- Once the migration tool is available, utilize it to prevent data loss and transition to the Search-UnifiedAuditLog.
Below is a comparison grid showcasing the differences between the Exchange cmdlets and the Purview cmdlet:

| Feature/Capability | Search-MailboxAuditLog & New-MailboxAuditLogSearch | Search-UnifiedAuditLog (Purview) |
| Record Types Supported | Exchange Only | Extensive |
| Filtering Options | Standard | Modern |
| Data Retention | Varies | 180 days |
| Compliance | Limited | Full Compliance |
| User Experience | Fragmented | Unified |

Audit logging is turned on by default for Microsoft 365 organizations. Please verify the auditing status for your organization.

Feedback

If you have any feedback about this change, you can reach out to our exchangeonlinesearch-mailboxauditlogmigration@service.microsoft.com group. We are always happy to hear from you and assist in any way we can.

3.6K Views, 0 likes, 8 Comments

Introducing the Microsoft Purview Audit Search Graph API
The new Microsoft Purview Audit Search Graph API will enable the programmatic search and retrieval of relevant audit logs with improvements in search completeness, reliability, and performance. This API serves as an improved alternative to the existing PowerShell cmdlet, Search-UnifiedAuditLog.

15K Views, 0 likes, 6 Comments

How to use Log Analytics log data exported to Storage Accounts
In this blog post I explore some options for accessing logs that were archived in Azure storage account containers, either through export from Log Analytics and Sentinel or through a custom Logic App. This is to address exceptional cases where you need those archived data, for example for historical context during an investigation.

4.2K Views, 3 likes, 6 Comments

Increased security visibility through new Standard Logs in Microsoft Purview Audit
In response to the increasing frequency and evolution of cyberthreats, Microsoft is providing access to wider cloud security logs to its worldwide customers at no additional cost. Audit (Standard) customers can now access these additional logs, which have been identified as a result of close coordination with commercial and government customers, and with the Cybersecurity and Infrastructure Security Agency (CISA).

18K Views, 5 likes, 6 Comments

New search experience and security controls for Microsoft Purview Audit
Today we are excited to announce new capabilities for Microsoft Purview Audit that provide a major update to the search experience and new security controls to restrict access to sensitive Audit log data.

5.8K Views, 2 likes, 0 Comments