T0pCyber / hawk

PowerShell-based tool for gathering information related to O365 intrusions and potential breaches
https://cloudforensicator.com/
MIT License
706 stars, 117 forks

Retirement of AdminAuditLog and MailboxAuditLog cmdlets #116

Open mdewart-hummingbird opened 8 months ago

mdewart-hummingbird commented 8 months ago

https://admin.microsoft.com/AdminPortal/home?#/MessageCenter/:/messages/MC713038
https://aka.ms/AuditCmdletBlog

Message Summary

We would like to inform you about an upcoming change in the way you access and manage your Exchange Online audit logs. Starting April 30, 2024, we will be retiring the following four cmdlets in the Exchange Online V3 module:

- Search-AdminAuditLog
- Search-MailboxAuditLog
- New-AdminAuditLogSearch
- New-MailboxAuditLogSearch

When this will happen:

We will roll out this change late April 2024 and expect to complete mid-May 2024.

How this will affect your organization:

This change will affect your organization if any admin in your tenant is using the above-mentioned cmdlets. After April 30, 2024, you will need to switch to the Search-UnifiedAuditLog cmdlet or the Microsoft Purview portal to access your audit logs.

We are retiring these cmdlets to streamline the audit log search experience for our customers. The Search-UnifiedAuditLog cmdlet offers several advantages, including support for a wider variety of record types, more filtering options, and a range of output formats. We recommend using this cmdlet from now on.

What you need to do to prepare:

If you are currently using any of the deprecated cmdlets, you will need to take action before April 30, 2024. You can replace Search-AdminAuditLog and Search-MailboxAuditLog with Search-UnifiedAuditLog in your scripts or commands. For New-MailboxAuditLogSearch and New-AdminAuditLogSearch, you will need to use the Microsoft Purview portal to download your audit log report.

We are also working on a new Audit Search API using Microsoft Graph, which is expected to become available in Public Preview by February 2024. This will allow our customers to programmatically access the new async Audit Search experience.

Please note that to use the Search-UnifiedAuditLog command, auditing needs to be enabled for your tenant. Auditing is by default only enabled for certain SKUs. If you are using a different SKU, you will need to enable auditing manually by following the steps mentioned here: Turn auditing on or off.

https://github.com/T0pCyber/hawk/blob/df2208d36dfb2dac740ccac40bd0aa26861c6c37/Hawk/functions/User/Get-HawkUserAdminAudit.ps1#L42
https://github.com/T0pCyber/hawk/blob/df2208d36dfb2dac740ccac40bd0aa26861c6c37/Hawk/functions/Tenant/Get-HawkTenantRbacChanges.ps1#L41
https://github.com/T0pCyber/hawk/blob/df2208d36dfb2dac740ccac40bd0aa26861c6c37/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1#L58
https://github.com/T0pCyber/hawk/blob/df2208d36dfb2dac740ccac40bd0aa26861c6c37/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryConfiguration.ps1#L41
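One way to make the substitution the Microsoft notice describes for the two retired search cmdlets, as an added example that is not part of this issue or of Hawk's code. It assumes an Exchange Online session already opened with Connect-ExchangeOnline, a tenant with unified audit logging enabled, and a placeholder user address; the 5000-record page limit and the ReturnLargeSet session paging are documented behaviour of Search-UnifiedAuditLog.

```powershell
# Added example: Search-MailboxAuditLog / Search-AdminAuditLog replaced by
# Search-UnifiedAuditLog. Assumes Connect-ExchangeOnline has been run and
# auditing is enabled for the tenant (see the notice above).

function Get-UnifiedAuditPaged {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string]$RecordType,    # ExchangeAdmin = cmdlet audit, ExchangeItem = mailbox audit
        [string[]]$UserIds
    )
    # A single call returns at most 5000 records. ReturnLargeSet with a fixed
    # SessionId pages through the full result set until an empty page comes back.
    $sessionId = 'audit-' + [guid]::NewGuid().ToString()
    $all = New-Object System.Collections.Generic.List[object]
    do {
        $params = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            ResultSize     = 5000
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
        }
        if ($RecordType) { $params.RecordType = $RecordType }
        if ($UserIds)    { $params.UserIds    = $UserIds }
        $page = @(Search-UnifiedAuditLog @params)
        if ($page.Count -gt 0) { $all.AddRange($page) }
    } while ($page.Count -gt 0)

    # ReturnLargeSet is unsorted and may repeat records; dedupe on the record
    # Identity, then expand the AuditData JSON so the fields the retired cmdlets
    # exposed directly (Operation, ClientIP, Parameters) become plain properties.
    $all | Sort-Object Identity -Unique | ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationDate = $_.CreationDate
            RecordType   = $_.RecordType
            UserId       = $data.UserId
            Operation    = $data.Operation
            ClientIP     = $data.ClientIP
            Parameters   = (@($data.Parameters) | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    }
}

$start = (Get-Date).AddDays(-30); $end = Get-Date
# Was: Search-MailboxAuditLog -Identity $user -ShowDetails -StartDate $start -EndDate $end
Get-UnifiedAuditPaged -StartDate $start -EndDate $end -RecordType ExchangeItem -UserIds 'user@contoso.example'  # placeholder
# Was: Search-AdminAuditLog -StartDate $start -EndDate $end
Get-UnifiedAuditPaged -StartDate $start -EndDate $end -RecordType ExchangeAdmin
```

Mailbox activity can also land in the ExchangeItemGroup and ExchangeItemAggregated record types, so a full replacement for the mailbox search should query those as well.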

big-bad-wolfe commented 8 months ago

Currently, message traces are being truncated because of this change to only a partial subset. I suspect the warning is breaking the data capture.

shnsys commented 1 month ago

@T0pCyber Is this something already being looked into? I tried running the tool, but some components are failing because of this deprecation.