Hi everyone
The unified audit logs on my (E5) Dev tenant no longer show any data. They worked until 2 or 3 weeks ago but now I get 'No data available' for any search. I am logged on as a Global Admin and also Compliance Admin (these two are automatically assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log).
Here is what I've done to investigate, looking for any other suggestions:
- Audit logging is enabled for the tenant (and worked until recently). Yesterday, I disabled it via PowerShell which caused the 'Record audit activities' option to re-appear in the Audit area, but still 'No data available' more than 24 hours after re-enabling it (I'm active every day in the tenant).
- I searched the logs with another GA account and also a standard user added to the Compliance Admin role, with access to 'Audit logs' granted in EXO admin.
- This Powershell command: Get-AdminAuditLogConfig | FL - shows that both 'Admin AuditLogEnabled' and 'UnifiedAuditLogIngestionEnabled' are 'True'
- The following Powershell search returns nothing - Search-UnifiedAuditLog -StartDate 9/1/2022 -EndDate 10/2/2022 -ObjectIDs "https://tenantname.sharepoint.com" | Export-Csv -Path c:/users/name/Downloads/AuditData.csv
- Curiously, I can see who viewed items in a SharePoint library because the 'SharePoint Viewers' feature is activated. As I understand it, this draws its information from the logs 'File accessed' (but happy to be corrected).
- The Azure AD center audit logs are working (and show that I added the end-user to the role to view the logs).
Anyone have any other suggestions? It appears I have managed to disable the option, somehow, but don't know where else to look.