This article is contributed. See the original author and article here.

We wanted to provide you with an important update to the deprecation schedule for the two Admin Audit Log cmdlets, as part of our ongoing commitment to improve security and compliance capabilities within our services. The two Admin Audit Log cmdlets are:



  1. Search-AdminAuditLog

  2. New-AdminAuditLog


As communicated in a previous blog post, the deprecation of Admin Audit Log (AAL) and Mailbox Audit Log (MAL) cmdlets was initially planned to occur simultaneously on April 30th, 2024. However, to ensure a smooth transition and to accommodate the feedback from our community, we have revised the deprecation timeline.


We would like to inform you that the Admin Audit Log cmdlets will now be deprecated separately from the Mailbox Audit Log cmdlets, with the final date set for September 15, 2024.



This change allows for a more phased approach, giving you additional time to adapt your processes to the new Unified Audit Log (UAL) cmdlets, which offer enhanced functionality and a more unified experience.


What This Means for You



  • The Admin Audit Log cmdlets will be deprecated on September 15, 2024.

  • The Mailbox Audit Log cmdlets will have a separate deprecation date, which will be announced early next year.

  • We encourage customers to begin transitioning to the Unified Audit Log (UAL) cmdlet i.e. Search-UnifiedAuditLog as soon as possible.  Alternatively, you can explore using the Audit Search Graph API, which is currently in Public Preview and is expected to become Generally Available by early July 2024.



Next Steps


If you are currently using any one or both of the above-mentioned Admin Audit Log cmdlets, you will need to take the following actions before September 15, 2024


 



  • For Search-AdminAuditLog, you will need to replace it with Search-UnifiedAuditLog in your scripts or commands. To get the same results as Search-AdminAuditLog, you will need to set the RecordType parameter to ExchangeAdmin. For example, if you want to search for all Exchange admin actions in the last 30 days, you can use the following command:


Search-UnifiedAuditLog -RecordType ExchangeAdmin -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)


 



  • For New-AdminAuditLogSearch, you will need to use the Microsoft Purview Compliance Portal to download your audit log report. The portal allows you to specify the criteria for your audit log search, such as date range, record type, user, and action. You can also choose to receive the report by email or download it directly from the portal. You can access the portal here: Home Microsoft Purview. More details on using the Compliance portal for audit log searching can be found here.


 


 


Differences between UAL and AAL cmdlets


As you move from AAL to UAL cmdlets, you may notice some minor changes between them. In this section, we will show you some important differences in the Input and Output of the UAL cmdlet from the AAL cmdlets.


Input Parameter Differences


Admin Audit Log (AAL) cmdlets include certain parameters that are not directly available in the Unified Audit Log (UAL) cmdlets. However, we have identified suitable alternatives for most of them within the UAL that will allow you to achieve similar functionality.  


Below are the 4 parameters that are supported in the AAL and their alternatives in UAL (if present).


 




































AAL Parameter



Current AAL use example



New UAL equivalent example



Note



Cmdlets



Search-AdminAuditLog  -StartDate 05/20/2024 -EndDate 05/28/2024 -Cmdlets Set-Mailbox  



Search-UnifiedAuditLog  -StartDate 05/20/2024 -EndDate 05/28/2024 


-Operations Set-Mailbox


 



The “Cmdlets” parameter in AAL can be substituted with the “Operations” parameter in UAL. This will allow you to filter audit records based on the operations performed.


 



ExternalAccess



Search-AdminAuditLog -StartDate 05/20/2024 -EndDate  05/28/2024 -ExternalAccess $false



Search-UnifiedAuditLog  -RecordType ExchangeAdmin -StartDate 05/20/2024 -EndDate 05/28/2024


FreeText “ExternalAccess-false”



While UAL does not have a direct “ExternalAccess” parameter, you can use the “FreeText” parameter to filter for external access by including relevant keywords and terms associated with external user activities



IsSuccess



Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters MaxSendSize,MaxReceiveSize


-StartDate 01/24/2024 -EndDate 02/12/2024 -IsSuccess $true



Not Supported



This property was always True in AAL because only the logs that succeeded were returned. Hence using or not using this parameter made no difference in the returned result set. Therefore, this property is not supported anymore in the Search-UnifiedAuditLog cmdlet.



StartIndex



Search-AdminAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -Resultsize 100 -StartIndex 99



Not Supported



In AAL, you can use the “StartIndex” parameter to pick the starting index for the results. UAL doesn’t support this parameter. Instead, you can use the pagination feature of Search-UnifiedAuditLog cmdlet to get a specific number of objects with the SessionId, SessionCommand and  ResultSize parameter.



 


Please Note: The SessionId that is returned in the output of Search-AdminAuditLog is a system set value and the SessionId that is passed as an input along with the Search-UnifiedAuditLog cmdlet is User set value. This parameter may have the same name but perform different functions for each cmdlet.


 


Output Differences


There are differences how the Audit Log output is displayed in AAL vs UAL cmdlets. UAL has an enhanced set of results with enhanced properties in JSON format. In this section we point out a few major differences that should ease your migration journey.






































Property in AAL



Equivalent Property in UAL



CmdletName



Operations



ObjectModified



Object Id



Caller



UserId



Parameters



AuditData > Parameters


NOTE: All the parameters and the values passed will be present as a JSON



ModifiedProperties



AuditData > ModifiedProperties


NOTE: Modified values will be only present in case the verbose mode is enabled using Set-AdminAuditLogConfig cmdlet.



ExternalAccess



AuditData > ExternalAccess



RunDate



CreationDate



 


We are here to help
We are committed to providing you with the best tools and services to manage your Exchange Online environment and welcome your questions or feedback about this change. Please feel free to contact us through a comment on this blog post or reaching out by email at AdminAuditLogDeprecation[at]service.microsoft.com. We are always happy to hear from you and assist in any way we can.



The Exchange Online Team

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.