cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft Changed the Way the Search-UnifiedAuditLog Cmdlet Works Without Telling Anyone

Tony Redmond
MVP

‎Sep 05 2023 09:08 AM

‎Sep 05 2023 09:08 AM

Microsoft Changed the Way the Search-UnifiedAuditLog Cmdlet Works Without Telling Anyone

 

Microsoft changed the way that the Search-UnifiedAuditLog cmdlet works without saying anything to Microsoft 365 customers. The results is that some scripts don't work and others won't return the expected results. This article explains what's happened and offers a workaround. Microsoft's actions are unexplainable, but it's the norm in this area where audit log changes happen without communication all the time.

https://practical365.com/search-unifiedauditlog-cmdlet-changes/

Labels:
642 Views
0 Likes
2 Replies
Reply
2 Replies
Nick_A

‎Sep 08 2023 05:37 PM

‎Sep 08 2023 05:37 PM

Re: Microsoft Changed the Way the Search-UnifiedAuditLog Cmdlet Works Without Telling Anyone

Whats insane to me is when I had to track down who was creating accounts and users in our tenant. The UnifiedAuditLogs still can't provide any detail on who created accounts when its being done by "Microsoft Substrate System". Worse I have not found any audit program/system that can pull these specific logs out. You actually have to go in AzureAD, find that app, and check the app's audit logs to figure out the culprit. Just another entry in my list of massive security failures with O365. It turned out in our case, the problem was with MS new "Bookings" feature, where by default it lets literally any user create an account in your tenant with any name they can think of.
0 Likes
Reply
Tony Redmond

‎Sep 09 2023 04:28 AM

‎Sep 09 2023 04:28 AM

Re: Microsoft Changed the Way the Search-UnifiedAuditLog Cmdlet Works Without Telling Anyone

A way is needed to allow non-privileged actors to create new accounts. That mechanism is the substrate... and it's what creates the accounts used for Bookings. The 'Microsoft Substrate Management' is an Entra ID app that holds the permissions necessary to perform all sorts of operations, like the dual-writes to keep EXODS and Entra ID in sync (Vasil has a lot to say on this topic in https://www.michev.info/blog/post/4264/dual-write-glitch-allows-exchange-online-cmdlets-to-be-execut...). I agree that things could be better and will raise the problem with Microsoft.
1 Like
Reply