May 14 2018 04:27 PM - edited May 16 2018 05:51 PM
Hi,
We're having some issues with the Office 365 Management API/Unified Audit Log. Specifically the Azure Active Directory logs.
For the Office 365 Management API, we're receiving the webhook notifications to download the content, however when we download the log, the ResultStatus and the Operation field are both blank.
Previously, these fields would contain ResultStatus: Succeeded or Operation: UserLoggedIn. We'd then be able to use this info to determine whether the operation was successful or not.
These logs also do not contain data when retrieved via Search-UnifiedAuditLog, or when searched via the portal at protection.office.com. The below is the same log via the Search-UnifiedAuditLog cmdlet.
This issue seems to have been occurring since the 2nd of May. This was the last time the Unified Audit Log contained info relating to ResultStatus, Operation, and UserAgent.
It seems that it is the Azure Active Directory logging that is incomplete as the Exchange logs seem to be OK.
We are experiencing this problem across all customers that we are running our tooling on.
Thanks,
Elliot
May 17 2018 01:09 PM
I'm also seeing this behavior (blank fields for Operation and ResultStatus) in logs pulled within the past week, but dating back further (at least as early as 7 May 2018). I unfortunately don't have an answer, but in my case this information is critical to completing an investigation. Thank you for posting the question!
May 20 2018 02:46 PM
May 20 2018 02:50 PM
May 20 2018 09:50 PM
Just spoke to a Microsoft support technician and he confirmed this was a global issue. He said a patch has been rolled out to all tenants to restore the missing log data.
May 21 2018 09:39 AM
Thank you for updating this thread, I'm hopeful this patch will cross our workload sometime soon - I re-ran our affected reports and haven't seen the fix yet (still empty fields), but I'll stay on top of it and hopefully get some results. Thanks again.
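Added example, not part of the thread and not Microsoft's code: a completeness check over a downloaded Management API content blob that counts, per day and workload, records whose Operation or ResultStatus is blank, so the start of a gap like the one described in the first post can be dated and the same report re-run later to see whether the fields have been restored. The sample records are constructed, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Fields the thread reports as blank; downstream tooling needs both to
# decide whether a sign-in succeeded.
REQUIRED = ("Operation", "ResultStatus")

# Constructed sample blob (not real tenant data), shaped like the JSON array
# returned when a content blob is downloaded.
SAMPLE_BLOB = json.dumps([
    {"CreationTime": "2018-05-02T09:14:03", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "ResultStatus": "Succeeded"},
    {"CreationTime": "2018-05-03T11:40:19", "Workload": "AzureActiveDirectory",
     "Operation": "", "ResultStatus": ""},
    {"CreationTime": "2018-05-03T11:52:47", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2018-05-03T12:01:10", "Workload": "Exchange",
     "Operation": "MailboxLogin", "ResultStatus": "Succeeded"},
])

def is_blank(value):
    """True for a missing key, null, or an empty/whitespace-only string."""
    return value is None or (isinstance(value, str) and not value.strip())

def audit_gaps(blob_json, required=REQUIRED):
    """Return {(date, workload): {"total": n, "incomplete": m}} for one blob."""
    stats = defaultdict(lambda: {"total": 0, "incomplete": 0})
    for rec in json.loads(blob_json):
        day = str(rec.get("CreationTime") or "")[:10] or "unknown"
        key = (day, rec.get("Workload") or "unknown")
        stats[key]["total"] += 1
        if any(is_blank(rec.get(field)) for field in required):
            stats[key]["incomplete"] += 1
    return dict(stats)

def first_gap_day(stats, workload):
    """Earliest day on which the workload had any incomplete record, or None."""
    days = sorted(day for (day, wl), s in stats.items()
                  if wl == workload and s["incomplete"])
    return days[0] if days else None

if __name__ == "__main__":
    report = audit_gaps(SAMPLE_BLOB)
    for (day, wl), s in sorted(report.items()):
        print(f"{day} {wl}: {s['incomplete']}/{s['total']} incomplete")
    print("first AAD gap:", first_gap_day(report, "AzureActiveDirectory"))
```

Treating incomplete records as "unknown" rather than as failed or successful sign-ins keeps alerting logic from silently miscounting while the fields are empty.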