Audit Log fields blank

Hi,

We're having some issues with the Office 365 Management API/Unified Audit Log. Specifically the Azure Active Directory logs.

For the Office 365 Management API, we're receiving the webhook notifications to download the content, however when we download the log, the ResultStatus and the Operation field are both blank.

APIResults.png

Previously, these fields would contain ResultStatus: Succeeded or Operation: UserLoggedIn. We'd then be able to use this info to determine whether the operation was successful or not.

These logs also do not contain data when retrieved via Search-UnifiedAuditLog, or when searched via the portal at protection.office.com. The below is the same log via the Search-UnifiedAuditLog cmdlet.

UnifiedAuditLogResults.png

This issue seems to have been occurring since the 2nd of May. This was the last time the Unified Audit Log contained info relating to ResultStatus, Operation, and UserAgent.

LastSuccessfulResults.png

It seems that it is the Azure Active Directory logging that is incomplete as the Exchange logs seem to be OK.

We are experiencing this problem across all customers that we are running our tooling on.

Thanks,
Elliot
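
An added example, not part of the original post or of any Microsoft tooling: a check a log consumer could run on each downloaded content blob so that records with blank Operation or ResultStatus are set aside as indeterminate instead of being read as failures, with a per-workload summary of where the gap starts. The `CreationTime` and `Workload` field names are assumed from the Management API common schema, the function names are hypothetical, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of a downloaded content blob (not real tenant data).
SAMPLE_BLOB = json.dumps([
    {"CreationTime": "2018-05-02T09:15:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "ResultStatus": "Succeeded", "UserId": "a@example.com"},
    {"CreationTime": "2018-05-03T10:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "", "ResultStatus": "", "UserId": "a@example.com"},
    {"CreationTime": "2018-05-03T10:05:00", "Workload": "AzureActiveDirectory",
     "UserId": "b@example.com"},  # keys missing entirely
    {"CreationTime": "2018-05-03T11:00:00", "Workload": "Exchange",
     "Operation": "MailboxLogin", "ResultStatus": "Succeeded", "UserId": "a@example.com"},
])

# Fields the post reports as blank and that success/failure logic depends on.
REQUIRED = ("Operation", "ResultStatus")


def is_blank(value):
    """True for a missing key, null, or whitespace-only string."""
    return value is None or str(value).strip() == ""


def audit_blob(blob_text):
    """Split records into usable and indeterminate; summarise gaps per workload."""
    usable, indeterminate = [], []
    gaps = defaultdict(lambda: {"blank": 0, "total": 0, "first_blank": None})
    for rec in json.loads(blob_text):
        stats = gaps[rec.get("Workload", "unknown")]
        stats["total"] += 1
        if any(is_blank(rec.get(f)) for f in REQUIRED):
            indeterminate.append(rec)
            stats["blank"] += 1
            ts = rec.get("CreationTime")
            # ISO 8601 timestamps compare correctly as strings.
            if ts and (stats["first_blank"] is None or ts < stats["first_blank"]):
                stats["first_blank"] = ts
        else:
            usable.append(rec)
    return usable, indeterminate, dict(gaps)


if __name__ == "__main__":
    ok, unknown, summary = audit_blob(SAMPLE_BLOB)
    for workload, s in summary.items():
        print(workload, s)
    print(f"{len(unknown)} record(s) held back as indeterminate")
```

Keeping the indeterminate records keyed by their identifiers lets them be replaced when backdated content arrives later.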

5 Replies

I'm also seeing this behavior (blank fields for Operation and ResultStatus) in logs pulled within the past week, but dating back further (at least as early as 7 May 2018). I unfortunately don't have an answer, but in my case this information is critical to completing an investigation. Thank you for posting the question!

I logged a support ticket about this and received notice on Friday that they would refresh
Posted the last message too early from my phone. :)

Anyway, I logged a support ticket about this and received notice that they have processed a resync on the affected tenant.

The issue was affecting all of our customer tenants, however in the last 72 hours we are receiving backdated webhook notifications and audit logs with the missing data now visible.

Hopefully this is the case in all other affected tenants too.

Just spoke to a Microsoft support technician and he confirmed this was a global issue. He said a patch has been rolled out to all tenants to restore the missing log data.

Thank you for updating this thread, I'm hopeful this patch will cross our workload sometime soon - I re-ran our affected reports and haven't seen the fix yet (still empty fields), but I'll stay on top of it and hopefully get some results. Thanks again.