bala official
Copper Contributor
Aug 31, 2018

Incomplete data from Search-UnifiedAuditLog cmdlet for AzureAD record type

Hi,

From the below cmdlet I got AuditData parameter as an incomplete JSON string.

Search-UnifiedAuditLog -Operations 'Update User.' -RecordType azureactivedirectory -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)

I attached the output which I got.

Please help me with this case!!!

  • Dahai Fang
    Brass Contributor

    7 months passed. The problem still exists.

    Now, I think, maybe, this is not a bug, but a feature.  :-)

    • CSP77
      Copper Contributor

      Hi guys

      2021 and this is still an issue for the AuditData field!

      Not acceptable. I have had one of my techs inadvertently remove a fairly large list of SharePoint site exclusions from retention policy. Hoping I could use Search-UnifiedAuditLog to get the sites to add back, but no, truncated!

  • Please find attached a sample of the audit log (value of "AuditData"). I have replaced some values with a placeholder ("foobar").

    {"CreationTime":"2018-11-10T20:00:14","Id":"foobar","Operation":"CrmDefaultActivity","OrganizationId":"foobar","RecordType":21,"ResultStatus":"Success","UserKey":"Unknown","UserType":2,"Version":1,"Workload":"CRM","ClientIP":"127.0.0.1","ObjectId":"Create email","UserId":"drt@alfapeople.com","CrmOrganizationUniqueName":"foobar","Fields":[{"Name":"subject","Value":"foobar"},{"Name":"description","Value":"foobar"},{"Name":"ownerid","Value":"foobar"},{"Name":"from","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"to","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"cc","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"regardingobjectid","Value":"foobar"},{"Name":"isworkflowcreated","Value":"False"},{"Name":"notifications","Value":"0"},{"Name":"followemailuserpreference","Value":"False"},{"Name":"readreceiptrequested","Value":"False"},{"Name":"foobar","Value":"False"},{"Name":"emailreminderstatus","Value":"0"},{"Name":"isemailfollowed","Value":"False"},{"Name":"emailremindertype","Value":"0"},{"Name":"isregularactivity","Value":"False"},{"Name":"deliveryreceiptrequested","Value":"False"},{"Name":"deliveryprioritycode","Value":"1"},{"Name":"isemailreminderset","Value":"False"},{"Name":"compressed","Value":"False"},{"Name":"prioritycode","Value":"1"},{"Name":"directioncode","Value":"True"},{"Name":"correlationmethod","Value":"0"},{"Name":"activityid","Value":"foobar"}],"InstanceUrl":"https:\/\/foobar.crm4.dynamics.com\/","ItemType":"Dynamics365","ItemUrl":"https:\/\/foobar.crm4.dynamics.com\/main.aspx?etn=email&pagetype=entityrecord&id=foobar","UserAgent":"","CorrelationId":"00000000-0000-0000-0000-000000000000","EntityId":"foobar","EntityName":"email","Message":"Create","PrimaryFieldValue":"","Query":"","QueryResults":"","ServiceContextId":"00000000-0000-0000-0000-000000000000","ServiceContextIdType":"","ServiceName":"Dynamics365","SystemUserId":"foobar","UserUp

     

  • The same problem is reproducible for workload "CRM". Hopefully Microsoft is able to address this issue soon.

    • TonyRedmond
      MVP

      Hi,

      I don't run the CRM workload... could you post an example here of a truncated record so that I can make sure that this workload is fixed in the work that's ongoing?

      TR

      • Daniel René Thul
        Copper Contributor

        Please find the sample below. I have replaced some values with a placeholder ("foobar").

        {"CreationTime":"2018-11-10T20:00:14","Id":"foobar","Operation":"CrmDefaultActivity","OrganizationId":"foobar","RecordType":21,"ResultStatus":"Success","UserKey":"Unknown","UserType":2,"Version":1,"Workload":"CRM","ClientIP":"127.0.0.1","ObjectId":"Create email","UserId":"drt@alfapeople.com","CrmOrganizationUniqueName":"foobar","Fields":[{"Name":"subject","Value":"foobar"},{"Name":"description","Value":"foobar"},{"Name":"ownerid","Value":"foobar"},{"Name":"from","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"to","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"cc","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"regardingobjectid","Value":"foobar"},{"Name":"isworkflowcreated","Value":"False"},{"Name":"notifications","Value":"0"},{"Name":"followemailuserpreference","Value":"False"},{"Name":"readreceiptrequested","Value":"False"},{"Name":"foobar","Value":"False"},{"Name":"emailreminderstatus","Value":"0"},{"Name":"isemailfollowed","Value":"False"},{"Name":"emailremindertype","Value":"0"},{"Name":"isregularactivity","Value":"False"},{"Name":"deliveryreceiptrequested","Value":"False"},{"Name":"deliveryprioritycode","Value":"1"},{"Name":"isemailreminderset","Value":"False"},{"Name":"compressed","Value":"False"},{"Name":"prioritycode","Value":"1"},{"Name":"directioncode","Value":"True"},{"Name":"correlationmethod","Value":"0"},{"Name":"activityid","Value":"foobar"}],"InstanceUrl":"https:\/\/foobar.crm4.dynamics.com\/","ItemType":"Dynamics365","ItemUrl":"https:\/\/foobar.crm4.dynamics.com\/main.aspx?etn=email&pagetype=entityrecord&id=foobar","UserAgent":"","CorrelationId":"00000000-0000-0000-0000-000000000000","EntityId":"foobar","EntityName":"email","Message":"Create","PrimaryFieldValue":"","Query":"","QueryResults":"","ServiceContextId":"00000000-0000-0000-0000-000000000000","ServiceContextIdType":"","ServiceName":"Dynamics365","SystemUserId":"foobar","UserUp

    • The problem is not the documented character limit. It is an ingestion problem for specific events that causes the JSON payload to be truncated as the record is written. Engineering is working on the issue.
      • Ryan Jacobson
        Copper Contributor

        Great - at the end of the day I am hoping for a valid JSON output.  If individual fields have to be thrown away/truncated, so be it.

    • Mozzz
      Copper Contributor

      Hi Ryan

      I am executing the Search-UnifiedAuditLog PowerShell command and getting the error below.

      Which module do I need to install in PowerShell for the ‘Search-UnifiedAuditLog’ command?

      Search-UnifiedAuditLog : The term ‘Search-UnifiedAuditLog’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of
      the name, or if a path was included, verify that the path is correct and try again.
      At line:11 char:1
      + Search-UnifiedAuditLog -StartDate 19/02/2019 -EndDate 20/02/2019 -Rec …
      + ~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : ObjectNotFound: (Search-UnifiedAuditLog:String) [], CommandNotFoundException
      + FullyQualifiedErrorId : CommandNotFoundException

       

      Thanks

      Moz

      • TonyRedmond
        MVP

        I'm still discussing the issue. Microsoft has accepted that a problem exists and they need to fix it. Stay tuned.

  • Confirmed, I see the same. What's even worse, if you use the UI, you get a "Failure: Record truncated" error. I'm not sure how this made it to production, but it should be addressed ASAP. Open a support case.

    • VasilMichev
      MVP

      As a workaround, you might be able to get the full event details from the Azure AD blade in the Azure portal.
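
An added example, not part of the original thread and not Microsoft's code: a PowerShell filter that separates records whose AuditData parses as JSON from those that arrive truncated as described in this thread, so the truncated ones can be listed and looked up in another source such as the Azure AD blade. The function name Split-AuditRecord and both sample records are constructed for illustration.

```powershell
function Split-AuditRecord {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Record)
    begin {
        $parsed    = [System.Collections.Generic.List[object]]::new()
        $truncated = [System.Collections.Generic.List[object]]::new()
    }
    process {
        $raw = [string]$Record.AuditData
        try {
            if ([string]::IsNullOrWhiteSpace($raw)) { throw 'AuditData is empty' }
            $data = $raw | ConvertFrom-Json -ErrorAction Stop
            $parsed.Add([pscustomobject]@{
                Identity = $Record.Identity; Operation = $data.Operation; Data = $data })
        }
        catch {
            # Not valid JSON: keep enough to find the event in another source.
            $truncated.Add([pscustomobject]@{
                Identity     = $Record.Identity
                CreationDate = $Record.CreationDate
                Operations   = $Record.Operations
                Length       = $raw.Length
                Tail         = $raw.Substring([Math]::Max(0, $raw.Length - 30))
            })
        }
    }
    end { [pscustomobject]@{ Parsed = $parsed; Truncated = $truncated } }
}

# Constructed sample records shaped like the cmdlet's output (not real tenant data).
$sample = @(
    [pscustomobject]@{
        Identity = 'constructed-1'; CreationDate = [datetime]'2018-11-10T20:00:14'
        Operations = 'Update User.'
        AuditData = '{"Operation":"Update User.","Workload":"AzureActiveDirectory","ResultStatus":"Success"}'
    }
    [pscustomobject]@{
        Identity = 'constructed-2'; CreationDate = [datetime]'2018-11-10T20:00:14'
        Operations = 'CrmDefaultActivity'
        AuditData = '{"Operation":"CrmDefaultActivity","Workload":"CRM","SystemUserId":"foobar","UserUp'
    }
)
$result = $sample | Split-AuditRecord
'{0} parsed, {1} truncated' -f $result.Parsed.Count, $result.Truncated.Count
$result.Truncated | Format-List Identity, CreationDate, Operations, Length, Tail

# Live use, in an Exchange Online PowerShell session, with the query from the first post:
# Search-UnifiedAuditLog -Operations 'Update User.' -RecordType azureactivedirectory `
#     -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) | Split-AuditRecord
```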
