MicrosoftMicrosoftHello,
I feel compelled to provide you feedback. This, now postponed, change is completely unwelcomed. I am sure that you that there is some over-all plan driven by those interested IT from the security only perspective that the Search-UnifiedAuditLog is attempting to address. However, when trying to verify what is happening it is simply not a replacement. Its performance is way below par.
Running the following Search command:
(Search-UnifiedAuditLog -RecordType ExchangeItem -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -HighCompleteness -UserIds email address removed for privacy reasons).AuditData | ConvertFrom-Json
Took over 20 minutes to complete in my Office 365 Tenant and returned a grand total of two records.
The simple inclusion of the HighCompleteness switch speaks volumes. Under what circumstances would I not want a complete picture of the audit actions in a mailbox.
By Contrast:
(Search-MailboxAuditLog email address removed for privacy reasons -ShowDetails -StartDate ([DateTime]::UtcNow).AddDays(-1) -EndDate ([DateTime]::UtcNow)
Returned 587 records in about 10 seconds.
The Search-UnifiedAuditLog command did not help me in any way resolve the issue I was investigating. On the other hand, the Search-MailboxAuditLog command returned a complete picture of what was occurring in the mailbox which rapidly led to the solution.
While change is inevitable, I think is beyond important that such change does not further obfuscate information that our engineering and support teams need to do their jobs effectively.
