audit
11 Topics

Microsoft Exchange Online: Search-MailboxAuditLog and New-MailboxAuditLogSearch will retire
Important Update

The licensing for the migration tool related to the deprecation of the Search-MailboxAuditLog cmdlet is specifically designed for customers with extended audit log retention set in Exchange. Customers can choose to migrate their historical data to Audit Premium with Extended Retention plan in Purview, which is an E5 add-on. Audit Premium with Extended Retention plan is an advanced auditing solution that provides extended data retention capabilities. This plan is essential for organizations that need to meet stringent regulatory requirements and ensure comprehensive audit logging. The migration tool applies to customers with >1 year retention set on their existing audit logs in Exchange. Documentation will be made available prior to June 2025.

Overview

As part of our ongoing efforts to improve the logging capabilities of Exchange Online, we are sharing our timeline for decommissioning the Search-MailboxAuditLog and New-MailboxAuditLogSearch cmdlets. This change is a significant step towards enhancing our audit logging infrastructure and ensuring compliance with data retention standards. For our earlier communication on the subject please see this blog post.

Background

We are working on streamlining the audit log search experience and we are deprecating older cmdlets in favor of a single, more powerful cmdlet: Search-UnifiedAuditLog. This cmdlet, which has been around for a while, offers several advantages, including:

- Support for a greater variety of record types, making it more versatile.
- More filtering options, allowing for more precise results.
- Range of output formats to suit your needs.

After March 1, 2025, existing data generated by mailbox audit logging will be accessible only as a historical record (with data only up to March 1). After March 1, 2025, existing data generated for customers with auditing enabled can be accessed only via the Search-UnifiedAuditLog cmdlet.
To make things simpler and more efficient, we recommend you use Search-UnifiedAuditLog from now on. You can learn more about this cmdlet and its usage here.

Timeline

- March 1, 2025: New audit log data will no longer be written to the mailbox. Existing data will be available as a historic record allowing for administrative review, modification and download of the logs.
- June 2025: Customers are provided documentation as well as the migration tool described below to migrate their data to Search-UnifiedAuditLog for long-term auditing retention.
- June 2025: Audit log data in mailboxes will become a static, read-only record that is used for historical searches.
- End of 2025: Former cmdlets Search-MailboxAuditLog and New-MailboxAuditLogSearch will no longer be available in Exchange Online.

Migration Tool

If you suspect that some legacy Exchange mailbox audit logs are not present in the Unified Audit Log, you can use this upcoming migration tool to move that data into the UAL. This optional self-service migration tool can be run by tenant administrators. To assist, we will provide documentation that includes a guide for use. Our documentation will include common issues and their resolutions. By following these steps, you will be able to achieve a smooth and efficient migration while maintaining compliance and data integrity.

Migration Overview

To ensure seamless migration we suggest the following steps:

- Begin by reviewing your current usage to identify any scripts, tools, or applications that depend on the specified cmdlets.
- Engage with your legal and compliance teams to ensure all regulatory requirements are met.
- Make sure auditing is enabled for your tenant to maintain data integrity.
- Once the migration tool is available, utilize it to prevent data loss and transition to the Search-UnifiedAuditLog.
Below is a comparison grid showcasing the differences between the Exchange cmdlets and the Purview cmdlet:

| Feature/Capability | Search-MailboxAuditLog & New-MailboxAuditLogSearch | Search-UnifiedAuditLog (Purview) |
| Record Types Supported | Exchange Only | Extensive |
| Filtering Options | Standard | Modern |
| Data Retention | Varies | 180 days |
| Compliance | Limited | Full Compliance |
| User Experience | Fragmented | Unified |

Audit logging is turned on by default for Microsoft 365 organizations. Please verify the auditing status for your organization.

Feedback

If you have any feedback about this change, you can reach out to our exchangeonlinesearch-mailboxauditlogmigration@service.microsoft.com group. We are always happy to hear from you and assist in any way we can.

3.6K Views, 0 likes, 8 Comments

Microsoft Purview Best Practices
Microsoft Purview is a solution that helps organizations manage data and compliance. It also uses AI to classify data, monitor compliance, and identify risks. Key features include data discovery, classification, governance, retention, compliance management, encryption, and access controls. Purview ensures data security, prevents insider threats, and helps implement data loss prevention policies to meet compliance requirements.

Hello everyone - This is just a short introduction, I am Dogan Colak. I have been working as an M365 Consultant for about 5 years, holding certifications such as MCT, SC-100, SC-200, SC-300, and MS-102, with a focus on Security & Compliance. This year, I am excited to share what I have learned with the Microsoft Technology Community. In the coming days, I will be publishing videos and articles based on the training agenda I have created. I will also share these articles on LinkedIn, so feel free to follow me there. I am always open to feedback and suggestions. See you soon!

366 Views, 2 likes, 1 Comment

Introducing the Microsoft Purview Audit Search Graph API
The new Microsoft Purview Audit Search Graph API will enable the programmatic search and retrieval of relevant audit logs with improvements in search completeness, reliability, and performance. This API serves as an improved alternative to the existing PowerShell cmdlet, Search-UnifiedAuditLog.

15K Views, 0 likes, 6 Comments

How to use Log Analytics log data exported to Storage Accounts
In this blog post I explore some options for accessing logs that were archived in Azure storage account containers, either through export from Log Analytics and Sentinel or through a custom Logic App. This is to address exceptional cases where you need those archived data, for example for historical context during an investigation.

4.2K Views, 3 likes, 6 Comments

Increased security visibility through new Standard Logs in Microsoft Purview Audit
In response to increasing frequency and evolution of cyberthreats, Microsoft is providing access to wider cloud security logs to its worldwide customers at no additional cost. Audit (Standard) customers can now access these additional logs, which have been identified as a result of close coordination with commercial and government customers, and with the Cybersecurity and Infrastructure Security Agency (CISA).

18K Views, 5 likes, 6 Comments

Size of the Microsoft Purview Audit Log for sizing SIEM / Splunk Storage
Hi there, we plan to export our M365 Audit Logs into a Splunk solution. The license cost is based on the storage needed.

My questions:

- Is there a way to assess the storage used by our Audit logs in Microsoft Purview?
- Is there a way to calculate the storage needed for a number of users in a given time, e.g. per day/week for heavy, medium, low M365 usage? I only need rough numbers.
- Does anybody have experience or numbers of their export to a SIEM system?

Any support highly appreciated.

Thanks, Franck

643 Views, 1 like, 0 Comments

New search experience and security controls for Microsoft Purview Audit
Today we are excited to announce new capabilities for Microsoft Purview Audit that provide a major update to the search experience and new security controls to restrict access to sensitive Audit log data.

5.8K Views, 2 likes, 0 Comments