Retirement of AdminAuditLog and MailboxAuditLog cmdlets #116

Open
mdewart-hummingbird opened this issue Feb 12, 2024 · 1 comment
@mdewart-hummingbird

https://admin.microsoft.com/AdminPortal/home?#/MessageCenter/:/messages/MC713038
https://aka.ms/AuditCmdletBlog

Message Summary
We would like to inform you about an upcoming change in the way you access and manage your Exchange Online audit logs. Starting April 30, 2024, we will be retiring the following four cmdlets in the Exchange Online V3 module:

Search-AdminAuditLog
Search-MailboxAuditLog
New-AdminAuditLogSearch
New-MailboxAuditLogSearch

When this will happen:

We will roll out this change late April 2024 and expect to complete mid-May 2024.

How this will affect your organization:

This change will affect your organization if any admin in your tenant is using the above-mentioned cmdlets. After April 30, 2024, you will need to switch to the Search-UnifiedAuditLog cmdlet or the Microsoft Purview portal to access your audit logs.

We are retiring these cmdlets to streamline the audit log search experience for our customers. The Search-UnifiedAuditLog cmdlet offers several advantages, including support for a wider variety of record types, more filtering options, and a range of output formats. We recommend using this cmdlet from now on.

What you need to do to prepare:

If you are currently using any of the deprecated cmdlets, you will need to take action before April 30, 2024. You can replace Search-AdminAuditLog and Search-MailboxAuditLog with Search-UnifiedAuditLog in your scripts or commands. For New-MailboxAuditLogSearch and New-AdminAuditLogSearch, you will need to use the Microsoft Purview portal to download your audit log report.

We are also working on a new Audit Search API using Microsoft Graph, which is expected to become available in Public Preview by February 2024. This will allow our customers to programmatically access the new async Audit Search experience.

Please note that to use the Search-UnifiedAuditLog command, auditing needs to be enabled for your tenant. Auditing is by default only enabled for certain SKUs. If you are using a different SKU, you will need to enable auditing manually by following the steps mentioned here: Turn auditing on or off.

[array]$UserChanges = Search-AdminAuditLog -ObjectIDs $MailboxName -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate

[array]$RBACChanges = Search-AdminAuditLog -Cmdlets New-ManagementRole, New-ManagementRoleAssignment, New-ManagementScope, Remove-ManagementRole, Remove-ManagementRoleAssignment, Set-ManagementRoleAssignment, Remove-ManagementScope, Set-ManagementScope -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate

[array]$Results += Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -identity $User -ShowDetails -ResultSize 250000

$EDiscoveryCmdlets = "New-MailboxSearch", "Search-Mailbox"

@mdewart-hummingbird mdewart-hummingbird added the Enhancement New feature or request label Feb 12, 2024
@T0pCyber T0pCyber self-assigned this Feb 12, 2024
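
One way the RBAC query listed above could be expressed with Search-UnifiedAuditLog, as an added example that is not Hawk's code or part of the original issue. The function name is hypothetical, and it assumes an existing Connect-ExchangeOnline session and that unified auditing is enabled for the tenant.

```powershell
# Added example (not project code): RBAC changes from the unified audit log.
# Get-RbacChangeFromUnifiedLog is a hypothetical helper name.
function Get-RbacChangeFromUnifiedLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate
    )

    # In ExchangeAdmin records the operation name is the cmdlet that was run,
    # so the old -Cmdlets list becomes the -Operations filter.
    $rbacCmdlets = @(
        'New-ManagementRole', 'Remove-ManagementRole',
        'New-ManagementRoleAssignment', 'Set-ManagementRoleAssignment',
        'Remove-ManagementRoleAssignment',
        'New-ManagementScope', 'Set-ManagementScope', 'Remove-ManagementScope'
    )

    # A fixed SessionId with ReturnLargeSet pages through the result set;
    # each call returns at most 5000 records.
    $sessionId = [guid]::NewGuid().ToString()
    $seen = 0
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                -RecordType ExchangeAdmin -Operations $rbacCmdlets `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)

        foreach ($record in $page) {
            # AuditData is a JSON string; the cmdlet parameters live inside it.
            $data = $record.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                CreationDate   = $record.CreationDate
                Caller         = $record.UserIds
                Cmdlet         = $record.Operations
                ObjectModified = $data.ObjectId
                Parameters     = ($data.Parameters |
                    ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            }
        }
        $seen += $page.Count
        # ResultCount on each record is the total for the whole session.
    } while ($page.Count -gt 0 -and $seen -lt $page[0].ResultCount)
}

# Usage, with the same date range variables as the calls above:
# [array]$RBACChanges = Get-RbacChangeFromUnifiedLog -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate
```

The Search-MailboxAuditLog call maps the same way with -RecordType ExchangeItem, but its -ResultSize 250000 cannot be carried over: Search-UnifiedAuditLog caps each call at 5,000 records and a ReturnLargeSet session at 50,000, so larger ranges need to be split into smaller date windows.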
@big-bad-wolfe

Currently, message traces are being truncated because of this change to only a partial subset. I suspect the warning is breaking the data capture.
