Forum Discussion

bala official's avatar
bala official
Copper Contributor
Aug 31, 2018

Incomplete data from Search-UnifiedAuditLog cmdlet for AzureAD record type

Hi,   From the below cmdlet I got AuditData parameter as an incomplete JSON string. Search-UnifiedAuditLog -Operations 'Update User.' -RecordType azureactivedirectory -StartDate (Get-Date).AddDays...
office 365
Fromelard's avatar
Fromelard
Iron Contributor
Jan 28, 2019

Dear all,

Any news for that question ?

I tried to use the Web interface to export the data and discovered that AuditData field limitation truncated to 3000 chars
I created a dedicated PowerShell script using the special command:

 - Search-UnifiedAuditLog

 

And found the truncate is also done at this Powershell level, so when that issue will be fixed ?

 

Thanks for your feedback.

 

PS: 

I posted a script to manage that AuditLog:

 - https://techcommunity.microsoft.com/t5/Office-365/PowerShell-script-to-export-Audit-log-search-Data-based-on/m-p/326589#M19622

The limitation still exist with the PS command

 

Fab

TonyRedmond's avatar
TonyRedmond
MVP
Jan 28, 2019

The problem still exists.

 

Microsoft applied an update to the code and the result is even worse than before. The audit records for Azure AD group operations now contain a lot of detail, but the audit data is badly terminated. The net result is that these events don't show up in the SCC.

 

Messages have been sent to Microsoft to ask if they can look at the issue again. It's sad, but this has been a problem that started in August 2018...

 

TR

  • VasilMichev's avatar
    VasilMichev
    MVP
    Jan 28, 2019

    Oh the wonders of the DevOps world...

    • TonyRedmond's avatar
      TonyRedmond
      MVP
      Jan 29, 2019

      I imagined that you'd like the current state of affairs...

Resources