Microsoft will make the HighCompleteness parameter in the Search-UnifiedAuditLog cmdlet mandatory.
Published: Dec 18, 2024
Key Takeaways:
Microsoft is changing the way the Search-UnifiedAuditLog cmdlet works in Exchange Online. Starting in January 2025, the HighCompleteness parameter, which administrators can currently choose to include or omit on each query, will be treated as set to true for all queries.
The Search-UnifiedAuditLog cmdlet is a PowerShell command used in Exchange Online to search the unified audit log. This log includes events from Microsoft 365 services such as Exchange Online, Microsoft Entra ID, Microsoft Teams, and OneDrive for Business. The cmdlet is particularly useful for investigating security incidents and compliance issues within an organization.
Earlier this year, Microsoft introduced the HighCompleteness parameter in the Search-UnifiedAuditLog cmdlet, giving users the option to balance search completeness and performance. When set to true, this parameter ensures the search retrieves the most comprehensive set of relevant audit records but may take longer to process.
On the other hand, setting the HighCompleteness parameter to false prioritizes speed over completeness. While queries will run faster, they may return only a partial set of the possible results.
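The following PowerShell is an added example, not code from the article or from Microsoft: it runs the same audit query twice, once with and once without the HighCompleteness switch, pages through the results with the documented SessionId/ReturnLargeSet pattern, and reports the record count and elapsed time of each run so an administrator can measure the completeness and performance trade-off on their own tenant before the switch becomes always-on. It assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline has already been run; the operation name and date range are placeholders.

```powershell
# Added example (not from the original article): measure how -HighCompleteness changes
# the result count and duration of one Search-UnifiedAuditLog query.
# Assumes: ExchangeOnlineManagement module loaded and Connect-ExchangeOnline already run.
function Measure-UalQuery {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$Operations = @('UserLoggedIn'),   # placeholder operation filter
        [int]$PageSize = 5000                         # 5000 is the cmdlet's maximum ResultSize
    )

    foreach ($highCompleteness in @($false, $true)) {
        # A fresh SessionId ties the pages of one query together; ReturnLargeSet pages
        # through up to 50,000 records of the query (unsorted).
        $sessionId = [guid]::NewGuid().ToString()
        $records   = [System.Collections.Generic.List[object]]::new()
        $sw        = [System.Diagnostics.Stopwatch]::StartNew()

        do {
            $params = @{
                StartDate        = $StartDate
                EndDate          = $EndDate
                Operations       = $Operations
                ResultSize       = $PageSize
                SessionId        = $sessionId
                SessionCommand   = 'ReturnLargeSet'
                HighCompleteness = $highCompleteness   # switch toggled via splatting
            }
            $page = Search-UnifiedAuditLog @params
            if ($page) { $records.AddRange(@($page)) }
        } while ($page)   # the paging session returns nothing once it is exhausted

        $sw.Stop()

        # AuditData is a JSON string; expand the fields an investigator usually needs
        # so the two runs can be diffed on concrete values, not just counts.
        $expanded = $records | ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                CreationDate = $_.CreationDate
                Operation    = $_.Operations
                User         = $_.UserIds
                ClientIP     = $d.ClientIP
                ResultStatus = $d.ResultStatus
                Workload     = $d.Workload
            }
        }

        [pscustomobject]@{
            HighCompleteness = $highCompleteness
            RecordCount      = $records.Count
            ElapsedSeconds   = [math]::Round($sw.Elapsed.TotalSeconds, 1)
            Records          = $expanded
        }
    }
}

# Usage: compare the last 24 hours of sign-in events both ways.
Measure-UalQuery -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Select-Object HighCompleteness, RecordCount, ElapsedSeconds
```

The two summary rows make the trade-off described above concrete: if the high-completeness run returns more records than the fast run for the same window, the fast run was silently incomplete; the elapsed-time column shows what that completeness costs. Note that paging still requires a SessionId, and that the cmdlet's own ResultSize and ReturnLargeSet limits still apply whether or not HighCompleteness is set.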
“The HighCompleteness parameter in the Search-UnifiedAuditLog cmdlet will now be set to true for all queries. With this change, the cmdlet will now prioritize completeness of search results over performance. As a result, search queries may take longer to finish,” the company explained on the Microsoft 365 admin center.
This change will apply to all search queries submitted through the Search-UnifiedAuditLog cmdlet starting in January 2025. Microsoft advises administrators to prepare by transitioning to the Audit Search Graph API for programmatic access to audit logs. This API is available to all commercial and government customers.
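As an added example of the migration path Microsoft points to (not code from the article or from Microsoft), the following PowerShell submits an asynchronous audit query through the Microsoft Graph audit log search API, polls until it finishes, and then pages through the returned records. It assumes the Microsoft.Graph.Authentication module is loaded and Connect-MgGraph has been run with the AuditLogsQuery.Read.All permission; the beta endpoint path, request body fields, status values and record fields used here are taken from the API as it existed at the time of writing and should be checked against the current Graph documentation before relying on them.

```powershell
# Added example (not from the original article): query the unified audit log through the
# Microsoft Graph audit log search API instead of Search-UnifiedAuditLog.
# Assumes: Connect-MgGraph already run with the AuditLogsQuery.Read.All permission.
# Endpoint, body fields and status names are assumptions based on the beta API at time of writing.
function Invoke-GraphAuditSearch {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$Operations = @('UserLoggedIn'),   # placeholder operation filter
        [int]$PollSeconds = 30,
        [int]$TimeoutMinutes = 60
    )

    $base = 'https://graph.microsoft.com/beta/security/auditLog/queries'

    # 1. Submit the query. The API is asynchronous: the POST returns a query object
    #    with an id and a status, not the records themselves.
    $body = @{
        '@odata.type'       = '#microsoft.graph.security.auditLogQuery'
        displayName         = "ual-$(Get-Date -Format s)"
        filterStartDateTime = $StartDate.ToUniversalTime().ToString('o')
        filterEndDateTime   = $EndDate.ToUniversalTime().ToString('o')
        operationFilters    = $Operations
    } | ConvertTo-Json
    $query = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType 'application/json'

    # 2. Poll until the service reports a terminal status, with a hard timeout so an
    #    unattended script cannot hang forever on a stuck query.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $state = Invoke-MgGraphRequest -Method GET -Uri "$base/$($query.id)"
        if ((Get-Date) -gt $deadline) {
            throw "Audit query $($query.id) did not finish in $TimeoutMinutes minutes (status: $($state.status))"
        }
    } while ($state.status -in @('notStarted', 'running'))

    if ($state.status -ne 'succeeded') {
        throw "Audit query $($query.id) ended with status '$($state.status)'"
    }

    # 3. Fetch the records, following @odata.nextLink until the result set is exhausted.
    $uri = "$base/$($query.id)/records"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($r in $page.value) {
            [pscustomobject]@{
                CreatedDateTime   = $r.createdDateTime
                RecordType        = $r.auditLogRecordType
                Operation         = $r.operation
                UserPrincipalName = $r.userPrincipalName
                ClientIp          = $r.clientIp
                Service           = $r.service
                AuditData         = $r.auditData   # nested object, already parsed
            }
        }
        $uri = $page.'@odata.nextLink'
    }
}

# Usage: the same 24-hour sign-in window as a cmdlet-based search would use.
Invoke-GraphAuditSearch -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Select-Object CreatedDateTime, Operation, UserPrincipalName, ClientIp
```

The design difference from the cmdlet matters for scheduling: the Graph query runs server-side and is polled, so a long-running, complete search no longer blocks a PowerShell session, and the submit/poll/fetch steps can be split across separate runs of a script by persisting the query id.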
Overall, this change is problematic because high-completeness searches through the Search-UnifiedAuditLog cmdlet are often unreliable and can take up to 20 times longer to complete, which makes them impractical for time-sensitive use in production scripts. Making high-completeness searches mandatory could also disrupt existing workflows, especially tasks that were built around faster, less resource-intensive queries.