Microsoft Security Community Blog

Microsoft Exchange Online: Search-MailboxAuditLog and New-MailboxAuditLogSearch will retire

ColbyBoone
Microsoft
Jan 14, 2025

As part of our ongoing efforts to improve the logging capabilities of Exchange Online, we are sharing our timeline for decommissioning the Search-MailboxAuditLog and New-MailboxAuditLogSearch cmdlets.

Important Update

  • The licensing for the migration tool related to the deprecation of the Search-MailboxAuditLog cmdlet is specifically designed for customers with extended audit log retention set in Exchange. Customers can choose to migrate their historical data to Audit Premium with Extended Retention plan in Purview, which is an E5 add-on.
  • Audit Premium with Extended Retention plan is an advanced auditing solution that provides extended data retention capabilities. This plan is essential for organizations that need to meet stringent regulatory requirements and ensure comprehensive audit logging.
  • The migration tool applies to customers with >1 year retention set on their existing audit logs in Exchange.
  • Documentation will be made available prior to June 2025.

 

Overview

As part of our ongoing efforts to improve the logging capabilities of Exchange Online, we are sharing our timeline for decommissioning the Search-MailboxAuditLog and New-MailboxAuditLogSearch cmdlets. This change is a significant step towards enhancing our audit logging infrastructure and ensuring compliance with data retention standards. For our earlier communication on the subject, please see this blog post.

Background

We are working on streamlining the audit log search experience and we are deprecating older cmdlets in favor of a single, more powerful cmdlet: Search-UnifiedAuditLog. This cmdlet, which has been around for a while, offers several advantages, including:

  • Support for a greater variety of record types, making it more versatile. 
  • More filtering options, allowing for more precise results. 
  • A range of output formats to suit your needs.

After March 1, 2025, existing data generated by mailbox audit logging will be accessible only as a historical record (with data only up to March 1). After March 1, 2025, existing data generated for customers with auditing enabled can be accessed only via the Search-UnifiedAuditLog cmdlet. To make things simpler and more efficient, we recommend you use Search-UnifiedAuditLog from now on. You can learn more about this cmdlet and its usage here.
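As an added example (not code from this post or from Microsoft), the function below runs a mailbox-scoped delete investigation through Search-UnifiedAuditLog, paging with a session and flattening the JSON in AuditData. It assumes an active Connect-ExchangeOnline session; the function name, the use of -FreeText with the mailbox GUID to scope the search, and the AuditData property names are assumptions to verify against records in your own tenant.

```powershell
# Added example; Get-MailboxDeleteAudit and its variables are hypothetical names.
# Requires the ExchangeOnlineManagement module and Connect-ExchangeOnline.
function Get-MailboxDeleteAudit {
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,    # user or shared mailbox
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate
    )

    # Assumption: scoping by mailbox GUID returns actions taken in the
    # mailbox by anyone (owner, delegate, admin), not only by one user.
    $guid      = (Get-Mailbox -Identity $Mailbox).ExchangeGuid.ToString()
    $sessionId = "mbx-delete-$([guid]::NewGuid())"
    $records   = [System.Collections.Generic.List[object]]::new()

    # A single call returns at most 5000 records. Repeat with the same
    # SessionId until a call comes back empty.
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -Operations HardDelete, SoftDelete, MoveToDeletedItems `
            -FreeText $guid -SessionId $sessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000)
        $records.AddRange($page)
    } while ($page.Count -gt 0)

    # ReturnLargeSet output is unsorted; de-duplicate on Identity defensively
    # before parsing the JSON payload of each record.
    $records | Sort-Object -Property Identity -Unique | ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            TimeUtc   = $data.CreationTime
            Actor     = $data.UserId
            Operation = $data.Operation
            Mailbox   = $data.MailboxOwnerUPN
            LogonType = $data.LogonType          # 0 = owner, 1 = admin, 2 = delegate
            ClientIP  = $data.ClientIPAddress
            Subjects  = @($data.AffectedItems.Subject) -join '; '
        }
    } | Sort-Object TimeUtc
}
```

An empty result is not proof that nothing was deleted: confirm that the time window is correct and that auditing was enabled for the mailbox during it before drawing conclusions.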

Timeline

  • March 1, 2025: New audit log data will no longer be written to the mailbox. Existing data will be available as a historic record allowing for administrative review, modification and download of the logs. 
  • June 2025: Customers are provided documentation as well as the migration tool described below to migrate their data to Search-UnifiedAuditLog for long-term auditing retention.
  • June 2025: Audit log data in mailboxes will become a static, read-only record that is used for historical searches.
  • End of 2025: Former cmdlets Search-MailboxAuditLog and New-MailboxAuditLogSearch will no longer be available in Exchange Online. 

 

Migration Tool

If you suspect that some legacy Exchange mailbox audit logs are not present in the Unified Audit Log you can use this upcoming migration tool to move that data into the UAL. This optional self-service migration tool can be run by tenant administrators. To assist, we will provide documentation that includes a guide for use. Our documentation will include common issues and their resolutions.

By following these steps, you will be able to achieve a smooth and efficient migration while maintaining compliance and data integrity. 

Migration Overview

To ensure seamless migration we suggest the following steps:  

  1. Begin by reviewing your current usage to identify any scripts, tools, or applications that depend on the specified cmdlets.
  2. Engage with your legal and compliance teams to ensure all regulatory requirements are met.
  3. Make sure auditing is enabled for your tenant to maintain data integrity. Once the migration tool is available, use it to prevent data loss and transition to Search-UnifiedAuditLog.
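One way to carry out steps 1 and 3, as an added example that is not part of the original post and is not the migration tool: the first function parses PowerShell files and reports real invocations of the two retiring cmdlets, and the second checks unified audit log ingestion. The function names and the path in the usage line are hypothetical.

```powershell
# Added example; function names and the path in the usage line are hypothetical.
function Find-RetiringAuditCmdletUsage {
    param([Parameter(Mandatory)] [string] $Path)

    $retiring = 'Search-MailboxAuditLog', 'New-MailboxAuditLogSearch'

    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1 | ForEach-Object {
        $file = $_.FullName
        $tokens = $null; $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            $file, [ref]$tokens, [ref]$errors)

        # Walk real command invocations only, so mentions in comments or
        # strings are not reported as dependencies.
        $ast.FindAll({ param($node)
                $node -is [System.Management.Automation.Language.CommandAst] }, $true) |
            Where-Object { $_.GetCommandName() -in $retiring } |
            ForEach-Object {
                $params = $_.CommandElements |
                    Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
                    ForEach-Object { '-' + $_.ParameterName }
                [pscustomobject]@{
                    File       = $file
                    Line       = $_.Extent.StartLineNumber
                    Cmdlet     = $_.GetCommandName()
                    Parameters = $params -join ' '
                }
            }
    }
}

# Step 3: confirm the tenant is ingesting into the unified audit log.
# Run in an Exchange Online PowerShell session (Connect-ExchangeOnline);
# the same property read from Security & Compliance PowerShell shows False.
function Test-UnifiedAuditIngestion {
    [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

# Find-RetiringAuditCmdletUsage -Path 'C:\Automation' | Format-Table -AutoSize
```

The scan only sees direct calls in .ps1 and .psm1 files. Cmdlet names built at run time, and calls embedded in scheduled-task definitions, runbooks or third-party tools, need a separate review.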

Below is a comparison grid showcasing the differences between the Exchange cmdlets and the Purview cmdlet: 

| Feature/Capability | Search-MailboxAuditLog & New-MailboxAuditLogSearch | Search-UnifiedAuditLog (Purview) |
|---|---|---|
| Record Types Supported | Exchange Only | Extensive |
| Filtering Options | Standard | Modern |
| Data Retention | Varies | 180 days |
| Compliance | Limited | Full Compliance |
| User Experience | Fragmented | Unified |

 

Audit logging is turned on by default for Microsoft 365 organizations. Please verify the auditing status for your organization.

Feedback

If you have any feedback about this change, you can reach out to our exchangeonlinesearch-mailboxauditlogmigration@service.microsoft.com group. We are always happy to hear from you and assist in any way we can. 

Updated Mar 06, 2025
Version 3.0

11 Comments

  • "As part of our ongoing efforts to improve the logging capabilities of Exchange Online" 

    You have not improved logging capabilities, instead you have introduced a regression. The audit records returned by Search-UnifiedAuditLog are entirely incomplete. The inconsistency and incompleteness of the returned records is actually appalling.

    "This change is a significant step towards enhancing our audit logging infrastructure and ensuring compliance with data retention standards."

    You have not enhanced an Exchange administrator's ability to answer auditing questions, instead you have eliminated the ability for an Exchange administrator to do so.

    All of the most important events in an Exchange mailbox do not appear in Search-UnifiedAuditLog even with the -HighCompleteness flag.

    Which brings me to an important question: When would I not want "High Completeness"? If I am performing an audit to diagnose a reported issue I want ALL the data, every time.

    I’m sorry but Unified Logging might be making someone happy, I just don’t know who that might be?

  • How will this impact advanced auditing on shared mailboxes?  I regularly have to search shared mailboxes for "who deleted this email" and that is not available in the unified log. 

    • RaksChauhan
      Brass Contributor

      melaniekremer212 - I asked this question last year when they first proposed the changes, as we use this extensively too. MS advised this is the new method, which I find makes things super complicated. Link here for Shared Mailboxes:

      https://learn.microsoft.com/en-us/purview/audit-troubleshooting-scenarios#search-for-mailbox-activities-performed-in-a-specific-mailbox-including-shared-mailboxes

      • ColbyBoone
        Microsoft

        Hi RaksChauhan, 

        Thank you for your comment. We can confirm that the documentation you provided is correct. We understand that the changes might seem challenging. 

        Could you please share any specific feedback on how we can improve the documentation? Your insights would be very helpful. 

  • There's a lot to not be OK about with this change.  The Search-UnifiedAuditLog gives less than complete results by design.  It has the "-HighCompleteness" parameter whose name just gives this away, to start.  Next, there's a -ResultSize parameter that is limited to 5000, unlike most / maybe all other Exchange cmdlets that take numbers or "Unlimited".  But then we have this new parameter / value that we need to know and supply "-SessionCommand ReturnLargeSet".

    It's fine that these oddities are there since this command is meant not only for Exchange auditing, but auditing for other M365 services, but it's a huge downgrade from Search-MailboxAuditLog which is infinitely more logical, intuitive, and fitting for searching Exchange mailbox audit logs!

    Add in the fact that you're giving customers some kind of "migration tool" to handle trying to make the new thing closer to as good as the old thing, while the old thing is sadly on its way out the door, is just terrible.

    ColbyBoone wrote:

    Migration Tool
    If you suspect that some legacy Exchange mailbox audit logs are not present in the Unified Audit Log you can use this upcoming migration tool to move that data into the UAL. This optional self-service migration tool can be run by tenant administrators. To assist, we will provide documentation that includes a guide for use prior to the March 1ST deadline. Our documentation will include common issues and their resolutions.

    By following these steps, you will be able to achieve a smooth and efficient migration while maintaining compliance and data integrity. 

    So, even today (Trump's day), there are mailbox audit logs that can only be found via Search-MailboxAuditLog, and it's somehow on me to migrate the logs to the new tool?  Completely unacceptable.  Deadline you say?  What deadline.  Are you just going to leave it so customers have to fend for themselves to get this done?  You should have been migrating this stuff all along since Search-UnifiedAuditLog has been there all along and is supposed to have been working all along.  Meanwhile, it never has worked even close to as good as Search-MailboxAuditLog and the fact that we have to fix this ourselves to keep up with your unwelcomed change is ludicrous.

    This is a poorly executed and unnecessary, forced change that nobody is asking for.

    • ColbyBoone
      Microsoft

      Hi Jeremy,

      Thank you for your question! We want to clarify that migration of logs applies for those who have set long retention (older than a year) on audit needs in Exchange, and would like to backfill that historical data to Purview. This ensures that all relevant data is captured and stored appropriately. Please let us know if you have any further questions or need additional information.

      • stefanwey-umb
        Brass Contributor

        Unacceptable if you are paying for the E5 add-on in Purview

  • This was all fine back when the initial post was made, but since then you've also announced the upcoming change to force Search-UnifiedAuditLog to always use -HighCompleteness. This effectively leaves us without any option to query the audit log synchronously and in turn will break a huge percentage of existing automations. What is the proposed solution for such scenarios?

    • ajanes-arc
      Iron Contributor

      I think this comment is critically underappreciated. I would also like to hear from Microsoft as to what the plan is here for allowing real-time application integrations to this data. We have third-party security platforms that are relying on this data to be synchronous.