Microsoft Security Blog

Update on the Deprecation of Admin Audit Log Cmdlets

acondeMSFT
Jun 20, 2024

We wanted to provide you with an important update to the deprecation schedule for the two Admin Audit Log cmdlets, as part of our ongoing commitment to improve security and compliance capabilities within our services. The two Admin Audit Log cmdlets are:

  1. Search-AdminAuditLog
  2. New-AdminAuditLogSearch

As communicated in a previous blog post, the deprecation of Admin Audit Log (AAL) and Mailbox Audit Log (MAL) cmdlets was initially planned to occur simultaneously on April 30th, 2024. However, to ensure a smooth transition and to accommodate the feedback from our community, we have revised the deprecation timeline.

We would like to inform you that the Admin Audit Log cmdlets will now be deprecated separately from the Mailbox Audit Log cmdlets, with the final date set for September 15, 2024.


This change allows for a more phased approach, giving you additional time to adapt your processes to the new Unified Audit Log (UAL) cmdlets, which offer enhanced functionality and a more unified experience.

What This Means for You

  • The Admin Audit Log cmdlets will be deprecated on September 15, 2024.
  • The Mailbox Audit Log cmdlets will have a separate deprecation date, which will be announced early next year.
  • We encourage customers to begin transitioning to the Unified Audit Log (UAL) cmdlet, Search-UnifiedAuditLog, as soon as possible. Alternatively, you can explore using the Audit Search Graph API, which is currently in Public Preview and is expected to become Generally Available by early July 2024.


Next Steps

If you are currently using either or both of the Admin Audit Log cmdlets mentioned above, you will need to take the following actions before September 15, 2024:

 

  • For Search-AdminAuditLog, you will need to replace it with Search-UnifiedAuditLog in your scripts or commands. To get the same results as Search-AdminAuditLog, you will need to set the RecordType parameter to ExchangeAdmin. For example, if you want to search for all Exchange admin actions in the last 30 days, you can use the following command:

Search-UnifiedAuditLog -RecordType ExchangeAdmin -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)

 

  • For New-AdminAuditLogSearch, you will need to use the Microsoft Purview Compliance Portal to download your audit log report. The portal allows you to specify the criteria for your audit log search, such as date range, record type, user, and action. You can also choose to receive the report by email or download it directly from the portal. You can access the portal here: Home Microsoft Purview. More details on using the Compliance portal for audit log searching can be found here.

 

 

Differences between UAL and AAL cmdlets

As you move from AAL to UAL cmdlets, you may notice some minor changes between them. In this section, we will show you some important differences in the Input and Output of the UAL cmdlet from the AAL cmdlets.

Input Parameter Differences

Admin Audit Log (AAL) cmdlets include certain parameters that are not directly available in the Unified Audit Log (UAL) cmdlets. However, we have identified suitable alternatives for most of them within the UAL that will allow you to achieve similar functionality.  

Below are the 4 parameters that are supported in the AAL and their alternatives in UAL (if present).

 

| AAL Parameter | Current AAL use example | New UAL equivalent example | Note |
|---|---|---|---|
| Cmdlets | Search-AdminAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -Cmdlets Set-Mailbox | Search-UnifiedAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -Operations Set-Mailbox | The “Cmdlets” parameter in AAL can be substituted with the “Operations” parameter in UAL. This will allow you to filter audit records based on the operations performed. |
| ExternalAccess | Search-AdminAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -ExternalAccess $false | Search-UnifiedAuditLog -RecordType ExchangeAdmin -StartDate 05/20/2024 -EndDate 05/28/2024 -FreeText "ExternalAccess-false" | While UAL does not have a direct “ExternalAccess” parameter, you can use the “FreeText” parameter to filter for external access by including relevant keywords and terms associated with external user activities. |
| IsSuccess | Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters MaxSendSize,MaxReceiveSize -StartDate 01/24/2024 -EndDate 02/12/2024 -IsSuccess $true | Not Supported | This property was always True in AAL because only the logs that succeeded were returned. Hence using or not using this parameter made no difference in the returned result set. Therefore, this property is no longer supported in the Search-UnifiedAuditLog cmdlet. |
| StartIndex | Search-AdminAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -Resultsize 100 -StartIndex 99 | Not Supported | In AAL, you can use the "StartIndex" parameter to pick the starting index for the results. UAL doesn't support this parameter. Instead, you can use the pagination feature of the Search-UnifiedAuditLog cmdlet to get a specific number of objects with the SessionId, SessionCommand and ResultSize parameters. |

 

Please note: The SessionId returned in the output of Search-AdminAuditLog is a system-set value, whereas the SessionId passed as input to the Search-UnifiedAuditLog cmdlet is a user-set value. The parameter may have the same name, but it performs a different function in each cmdlet.
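The paging that stands in for StartIndex, shown as an added example rather than code from the original post. Get-ExchangeAdminAuditRecord is a hypothetical helper name, and the block assumes an Exchange Online PowerShell session is already connected.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has already
# been run. Get-ExchangeAdminAuditRecord is a hypothetical helper name.
function Get-ExchangeAdminAuditRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $Operations,
        [ValidateRange(1, 5000)] [int] $PageSize = 1000
    )

    # SessionId is chosen by the caller. Repeating the same value tells the service
    # to continue the same search instead of starting a new one.
    $query = @{
        RecordType     = 'ExchangeAdmin'
        StartDate      = $StartDate
        EndDate        = $EndDate
        SessionId      = 'aal-migration-{0}' -f [guid]::NewGuid()
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = $PageSize
    }
    if ($Operations) { $query['Operations'] = $Operations }

    while ($true) {
        $page = @(Search-UnifiedAuditLog @query)
        if ($page.Count -eq 0) { break }   # an empty page means the session is exhausted
        $page                              # emit this page to the pipeline
    }
}

# Old: Search-AdminAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -ResultSize 100 -StartIndex 99
# ReturnLargeSet pages are unsorted, so impose an order before skipping.
$records = Get-ExchangeAdminAuditRecord -StartDate '05/20/2024' -EndDate '05/28/2024' |
    Sort-Object CreationDate -Descending |
    Select-Object -Skip 99 -First 100
```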

 

Output Differences

There are differences in how the audit log output is displayed in the AAL and UAL cmdlets. UAL returns an enhanced set of results, with enhanced properties in JSON format. In this section we point out a few major differences that should ease your migration journey.

| Property in AAL | Equivalent Property in UAL |
|---|---|
| CmdletName | Operations |
| ObjectModified | Object Id |
| Caller | UserId |
| Parameters | AuditData > Parameters (NOTE: All the parameters and the values passed will be present as JSON.) |
| ModifiedProperties | AuditData > ModifiedProperties (NOTE: Modified values will be present only when verbose mode is enabled using the Set-AdminAuditLogConfig cmdlet.) |
| ExternalAccess | AuditData > ExternalAccess |
| RunDate | CreationDate |
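The property mapping above applied to a record, as an added example that is not part of the original post: it parses the AuditData JSON and rebuilds an AAL-shaped object so existing report logic can keep its column names. ConvertTo-AalShape is a hypothetical helper name, and the sample records are constructed; their property names (UserIds, ObjectId and the Name/Value layout of Parameters) are assumptions to compare against a real record from your tenant.

```powershell
# Added example, not from the original post. ConvertTo-AalShape is a hypothetical helper.
function ConvertTo-AalShape {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # AuditData arrives as a JSON string; nested values can only be read after parsing.
        $data = $Record.AuditData | ConvertFrom-Json

        # Flatten the Name/Value pairs into a hashtable; Parameters may be absent.
        $parameters = @{}
        foreach ($p in @($data.Parameters)) {
            if ($p) { $parameters[$p.Name] = $p.Value }
        }

        [pscustomobject]@{
            CmdletName         = $Record.Operations
            ObjectModified     = $data.ObjectId
            Caller             = $Record.UserIds
            Parameters         = $parameters
            ModifiedProperties = $data.ModifiedProperties   # $null unless verbose logging is on
            ExternalAccess     = [bool]$data.ExternalAccess
            RunDate            = $Record.CreationDate
        }
    }
}

# Constructed sample records (not real audit data), shaped like Search-UnifiedAuditLog output.
$sampleRecords = @(
    [pscustomobject]@{
        CreationDate = [datetime]'2024-05-21T09:14:00Z'
        UserIds      = 'admin@contoso.example'
        Operations   = 'Set-Mailbox'
        AuditData    = '{"ObjectId":"user1","ExternalAccess":false,"Parameters":[{"Name":"Identity","Value":"user1"},{"Name":"MaxSendSize","Value":"20 MB"}]}'
    }
    [pscustomobject]@{
        CreationDate = [datetime]'2024-05-22T02:03:00Z'
        UserIds      = 'SYSTEM-PLACEHOLDER'
        Operations   = 'Set-TransportConfig'
        AuditData    = '{"ObjectId":"Transport Settings","ExternalAccess":true}'
    }
)

# Client-side equivalent of the old -ExternalAccess $false filter.
$tenantAdminActions = $sampleRecords | ConvertTo-AalShape | Where-Object { -not $_.ExternalAccess }
$tenantAdminActions | Format-List CmdletName, ObjectModified, Caller, RunDate
```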

 

We are here to help
We are committed to providing you with the best tools and services to manage your Exchange Online environment, and we welcome your questions or feedback about this change. Please feel free to contact us through a comment on this blog post or by email at AdminAuditLogDeprecation[at]service.microsoft.com. We are always happy to hear from you and assist in any way we can.


The Exchange Online Team

Updated Jun 20, 2024
Version 1.0
  • SreeS1630  Good day and thank you for your message.

    For the New-Mailbox cmdlet -Scheduling is not a valid parameter.

    Source: New-Mailbox (ExchangePowerShell) | Microsoft Learn

     

    When you use Search-UnifiedAuditLog you must specify a record type and, in your case, "ExchangeAdmin" is the one you want as it returns only audit records from the Exchange admin audit log.  All audit log record types can be found here: Office 365 Management Activity API schema | Microsoft Learn.

     

    After a user created a Booking calendar in my tenant, I successfully ran the following to retrieve the audit entry:

    Search-UnifiedAuditLog -RecordType ExchangeAdmin -StartDate 09/23/2024 -EndDate 09/25/2024 -Operations New-SchedulingMailbox

     

    I hope this helps.

    --A.C.

     

  • SreeS1630

    Hello acondeMSFT 

     

    I am trying to get output for (New-Mailbox -Scheduling) but I am unable to get any data.

     

    I tried the below but still no luck: the command gets executed but no data.

     

    Search-UnifiedAuditLog -StartDate "10/18/2024 8:00 AM" -EndDate "10/23/2024 6:00 PM" -Operations New-Mailbox

     

    Hi VasilMichev I am trying to follow your response in one article https://techcommunity.microsoft.com/t5/exchange/what-is-a-scheduling-mailbox-and-how-is-it-created/m-p/376605 would appreciate if you can give some leads on this.

     

    Thanks & Regards,

    Sree

     

  • JeremyTBradshaw yes you are right. This blog is only about the deprecation of AdminAuditLog cmdlets and the dates for MailboxAuditLog cmdlets are not yet announced.

  • So, just to clarify - this post is only regarding Search-AdminAuditLog going away, and Search-MailboxAuditLog is still unannounced for an updated deprecation date?  Otherwise thanks and good info.

  • Thank you for the update.

     

    WRT the “ExternalAccess-false” workaround, are there any other properties that can be searched in similar way? In my experience, filtering against any property contained within the AuditData blob can usually only be done client-side, which makes the process quite cumbersome. It would be awesome if we could leverage -FreeText for similar searches/filters against other properties, say "LogonType-2" or "UserType-2". Which in turn should address some of the shortcomings of replacing Search-MailboxAuditLog with Search-UnifiedAuditLog, just saying 🙂