Forum Discussion

TonyRedmond
Sep 05, 2023

Microsoft Changed the Way the Search-UnifiedAuditLog Cmdlet Works Without Telling Anyone


Microsoft changed the way that the Search-UnifiedAuditLog cmdlet works without saying anything to Microsoft 365 customers. The result is that some scripts don't work and others won't return the expected results. This article explains what's happened and offers a workaround. Microsoft's actions are unexplainable, but it's the norm in this area, where audit log changes happen without communication all the time.

https://practical365.com/search-unifiedauditlog-cmdlet-changes/

  • Nick_A (Iron Contributor)
    What's insane to me is when I had to track down who was creating accounts and users in our tenant. The UnifiedAuditLogs still can't provide any detail on who created accounts when it's being done by "Microsoft Substrate System". Worse, I have not found any audit program/system that can pull these specific logs out. You actually have to go into AzureAD, find that app, and check the app's audit logs to figure out the culprit. Just another entry in my list of massive security failures with O365. It turned out in our case, the problem was with MS's new "Bookings" feature, where by default it lets literally any user create an account in your tenant with any name they can think of.
