Microsoft Changed the Way the Search-UnifiedAuditLog Cmdlet Works Without Telling Anyone

Whats insane to me is when I had to track down who was creating accounts and users in our tenant. The UnifiedAuditLogs still can't provide any detail on who created accounts when its being done by "Microsoft Substrate System". Worse I have not found any audit program/system that can pull these specific logs out. You actually have to go in AzureAD, find that app, and check the app's audit logs to figure out the culprit. Just another entry in my list of massive security failures with O365. It turned out in our case, the problem was with MS new "Bookings" feature, where by default it lets literally any user create an account in your tenant with any name they can think of.