M365 Changelog: (Updated) Retirement of AdminAuditLog and MailboxAuditLog cmdlets

MC713038 – Updated May 8, 2024: Microsoft has made the decision to not move forward with the change at this time. Microsoft will communicate via Message center when it’s ready to move forward. Thank you for your patience.

Microsoft would like to inform you about an upcoming change in the way you access and manage your Exchange Online audit logs. Starting April 30, 2024, Microsoft will be retiring the following four cmdlets in the Exchange Online V3 module:

  1. Search-AdminAuditLog
  2. Search-MailboxAuditLog
  3. New-AdminAuditLogSearch
  4. New-MailboxAuditLogSearch

When this will happen:

Microsoft will communicate via Message center when it’s ready to proceed.

How this will affect your organization:

This change will affect your organization if any admin in your tenant is using the above-mentioned cmdlets. After April 30, 2024, you will need to switch to the Search-UnifiedAuditLog cmdlet or the Microsoft Purview portal to access your audit logs.

Microsoft is retiring these cmdlets to streamline the audit log search experience for our customers. The Search-UnifiedAuditLog cmdlet offers several advantages, including support for a wider variety of record types, more filtering options, and a range of output formats. Microsoft recommends using this cmdlet from now on.

What you need to do to prepare:

If you are currently using any of the deprecated cmdlets, you will need to take action before April 30, 2024. You can replace Search-AdminAuditLog and Search-MailboxAuditLog with Search-UnifiedAuditLog in your scripts or commands. For New-MailboxAuditLogSearch and New-AdminAuditLogSearch, you will need to use the Microsoft Purview portal to download your audit log report.

Microsoft is also working on a new Audit Search API using Microsoft Graph, which is expected to become available in Public Preview by February 2024. This will allow our customers to programmatically access the new async Audit Search experience.

Please note that to use the Search-UnifiedAuditLog command, auditing needs to be enabled for your tenant. Auditing is by default only enabled for certain SKUs. If you are using a different SKU, you will need to enable auditing manually by following the steps mentioned here: Turn auditing on or off.

Microsoft apologizes for any inconvenience this change may cause and appreciate your understanding and cooperation. For any additional information please refer to our blog post Important Announcement: Deprecation of Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets. If you have any questions or feedback, please feel free to contact us through our support channels or post a comment on the blog post.

Blog