This article is contributed. See the original author and article here.
We wanted to provide you with an important update to the deprecation schedule for the two Admin Audit Log cmdlets, as part of our ongoing commitment to improve security and compliance capabilities within our services. The two Admin Audit Log cmdlets are:
- Search-AdminAuditLog
- New-AdminAuditLog
As communicated in a previous blog post, the deprecation of Admin Audit Log (AAL) and Mailbox Audit Log (MAL) cmdlets was initially planned to occur simultaneously on April 30th, 2024. However, to ensure a smooth transition and to accommodate the feedback from our community, we have revised the deprecation timeline.
We would like to inform you that the Admin Audit Log cmdlets will now be deprecated separately from the Mailbox Audit Log cmdlets, with the final date set for September 15, 2024.
This change allows for a more phased approach, giving you additional time to adapt your processes to the new Unified Audit Log (UAL) cmdlets, which offer enhanced functionality and a more unified experience.
What This Means for You
- The Admin Audit Log cmdlets will be deprecated on September 15, 2024.
- The Mailbox Audit Log cmdlets will have a separate deprecation date, which will be announced early next year.
- We encourage customers to begin transitioning to the Unified Audit Log (UAL) cmdlet i.e. Search-UnifiedAuditLog as soon as possible. Alternatively, you can explore using the Audit Search Graph API, which is currently in Public Preview and is expected to become Generally Available by early July 2024.
Next Steps
If you are currently using any one or both of the above-mentioned Admin Audit Log cmdlets, you will need to take the following actions before September 15, 2024:
- For Search-AdminAuditLog, you will need to replace it with Search-UnifiedAuditLog in your scripts or commands. To get the same results as Search-AdminAuditLog, you will need to set the RecordType parameter to ExchangeAdmin. For example, if you want to search for all Exchange admin actions in the last 30 days, you can use the following command:
Search-UnifiedAuditLog -RecordType ExchangeAdmin -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
- For New-AdminAuditLogSearch, you will need to use the Microsoft Purview Compliance Portal to download your audit log report. The portal allows you to specify the criteria for your audit log search, such as date range, record type, user, and action. You can also choose to receive the report by email or download it directly from the portal. You can access the portal here: Home Microsoft Purview. More details on using the Compliance portal for audit log searching can be found here.
Differences between UAL and AAL cmdlets
As you move from AAL to UAL cmdlets, you may notice some minor changes between them. In this section, we will show you some important differences in the Input and Output of the UAL cmdlet from the AAL cmdlets.
Input Parameter Differences
Admin Audit Log (AAL) cmdlets include certain parameters that are not directly available in the Unified Audit Log (UAL) cmdlets. However, we have identified suitable alternatives for most of them within the UAL that will allow you to achieve similar functionality.
Below are the 4 parameters that are supported in the AAL and their alternatives in UAL (if present).
AAL Parameter | Current AAL use example | New UAL equivalent example | Note |
Cmdlets | Search-AdminAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -Cmdlets Set-Mailbox | Search-UnifiedAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -Operations Set-Mailbox
| The “Cmdlets” parameter in AAL can be substituted with the “Operations” parameter in UAL. This will allow you to filter audit records based on the operations performed.
|
ExternalAccess | Search-AdminAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -ExternalAccess $false | Search-UnifiedAuditLog -RecordType ExchangeAdmin -StartDate 05/20/2024 -EndDate 05/28/2024 –FreeText “ExternalAccess-false” | While UAL does not have a direct “ExternalAccess” parameter, you can use the “FreeText” parameter to filter for external access by including relevant keywords and terms associated with external user activities |
IsSuccess | Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters MaxSendSize,MaxReceiveSize -StartDate 01/24/2024 -EndDate 02/12/2024 -IsSuccess $true | Not Supported | This property was always True in AAL because only the logs that succeeded were returned. Hence using or not using this parameter made no difference in the returned result set. Therefore, this property is not supported anymore in the Search-UnifiedAuditLog cmdlet. |
StartIndex | Search-AdminAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -Resultsize 100 -StartIndex 99 | Not Supported | In AAL, you can use the “StartIndex” parameter to pick the starting index for the results. UAL doesn’t support this parameter. Instead, you can use the pagination feature of Search-UnifiedAuditLog cmdlet to get a specific number of objects with the SessionId, SessionCommand and ResultSize parameter. |
Please Note: The SessionId that is returned in the output of Search-AdminAuditLog is a system set value and the SessionId that is passed as an input along with the Search-UnifiedAuditLog cmdlet is User set value. This parameter may have the same name but perform different functions for each cmdlet.
Output Differences
There are differences how the Audit Log output is displayed in AAL vs UAL cmdlets. UAL has an enhanced set of results with enhanced properties in JSON format. In this section we point out a few major differences that should ease your migration journey.
Property in AAL | Equivalent Property in UAL |
CmdletName | Operations |
ObjectModified | Object Id |
Caller | UserId |
Parameters | AuditData > Parameters NOTE: All the parameters and the values passed will be present as a JSON |
ModifiedProperties | AuditData > ModifiedProperties NOTE: Modified values will be only present in case the verbose mode is enabled using Set-AdminAuditLogConfig cmdlet. |
ExternalAccess | AuditData > ExternalAccess |
RunDate | CreationDate |
We are here to help
We are committed to providing you with the best tools and services to manage your Exchange Online environment and welcome your questions or feedback about this change. Please feel free to contact us through a comment on this blog post or reaching out by email at AdminAuditLogDeprecation[at]service.microsoft.com. We are always happy to hear from you and assist in any way we can.
The Exchange Online Team
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
Recent Comments