Microsoft Search-UnifiedAuditLog Changes: HighCompleteness Parameter Locked in January 2025

Microsoft has announced a significant upcoming change to the Search-UnifiedAuditLog cmdlet in Exchange Online, set to take effect in January 2025. This change focuses on the "HighCompleteness" parameter, which will be permanently locked to true. This alters how audit log searches prioritize completeness and speed, impacting IT administrators worldwide who rely on audit logs for security, compliance, and operational investigations.


Background: What is the Search-UnifiedAuditLog Cmdlet?

The Search-UnifiedAuditLog cmdlet is a powerful PowerShell command that queries the unified audit log across Microsoft 365 services. Unlike traditional audit tools, this cmdlet accesses consolidated logs from multiple Microsoft 365 services such as:

  • Exchange Online (email activities)
  • Microsoft Entra ID (formerly Azure AD, tracking identity and access)
  • Microsoft Teams (conversations, meetings, and collaboration events)
  • OneDrive for Business (file access and sharing)

IT administrators use this cmdlet chiefly to investigate security incidents, validate compliance, and monitor user and system activities across an organization's Microsoft 365 environment.


The Role of the HighCompleteness Parameter

Introduced quietly in early 2024, the HighCompleteness parameter allows admins to balance between:

  • Completeness (true): Retrieve every available audit record relevant to a query, ensuring thoroughness but potentially slower search performance.
  • Speed (false): Prioritize faster search responses, sometimes at the cost of missing some audit records.

Currently, administrators can toggle this parameter based on their priorities.


What’s Changing?

Starting January 2025, Microsoft will lock the HighCompleteness parameter to true permanently. This means:

  • All audit log searches using Search-UnifiedAuditLog will prioritize completeness over speed.
  • Queries may take longer to complete as the system fetches and processes exhaustive sets of audit records.
  • It will no longer be possible to set HighCompleteness to false to speed up searches.

Microsoft has stated:

"The cmdlet will now prioritize completeness of search results over performance. As a result, search queries may take longer to finish."

Why is Microsoft Making This Change?

The change is driven by the need for accuracy and thoroughness in audit log searches, which are increasingly critical for cybersecurity, regulatory compliance, and forensic investigations. Incomplete audit data can introduce risks such as:

  • Missing indicators of compromise in security investigations.
  • Failing to detect violations in compliance audits.
  • Overlooking unauthorized or suspicious activities across services.

Microsoft's philosophy with this change is summarized as:

"Better to wait longer and get the full picture than to get fast but partial results."

Implications and Impact for IT Administrators

While this enhances the integrity and detail of audit searches, it also introduces potential challenges, including:

1. Slower Search Performance

HighCompleteness searches can take up to 20 times longer than speed-prioritized searches. For admins conducting real-time investigations, this delay might impact responsiveness in critical scenarios like active breaches.

2. Broken or Slowed Automation Workflows

Many IT pros have built automation and scripts around the current flexibility of the cmdlet. Locking HighCompleteness to true can cause these automation workflows to stall or fail due to longer processing times or system resource constraints.

3. Increased System Resource Usage

Comprehensive searches require more compute and memory resources, potentially affecting system performance and concurrent operations, especially in large or resource-constrained environments.
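To find the automation that item 2 refers to, the following added example (not Microsoft's code) parses PowerShell files and lists every Search-UnifiedAuditLog call, showing whether it passes HighCompleteness and whether it pages with SessionCommand. The function name and the root path are hypothetical.

```powershell
# Added example: inventory Search-UnifiedAuditLog calls in an automation repository.
# Uses the PowerShell parser rather than text search, so comments and strings are ignored.
function Find-AuditLogSearchCall {
    param([Parameter(Mandatory)] [string] $Root)   # hypothetical repository path

    Get-ChildItem -Path $Root -Recurse -File -Include *.ps1, *.psm1 | ForEach-Object {
        $file = $_.FullName
        $tokens = $null; $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            $file, [ref]$tokens, [ref]$errors)

        # Every command invocation whose name is Search-UnifiedAuditLog
        $calls = $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.CommandAst] -and
            $node.GetCommandName() -eq 'Search-UnifiedAuditLog'
        }, $true)

        foreach ($call in $calls) {
            $params = $call.CommandElements | Where-Object {
                $_ -is [System.Management.Automation.Language.CommandParameterAst] }
            $hc = $params | Where-Object { $_.ParameterName -eq 'HighCompleteness' }
            [pscustomobject]@{
                File             = $file
                Line             = $call.Extent.StartLineNumber
                # "-HighCompleteness:$false" style arguments appear in the extent text
                HighCompleteness = if ($hc) { $hc.Extent.Text } else { '(not specified)' }
                Paged            = [bool]($params | Where-Object { $_.ParameterName -eq 'SessionCommand' })
                Command          = $call.Extent.Text
            }
        }
    }
}

# Parameters passed by splatting (@query) are not visible here; review those calls by hand.
Find-AuditLogSearchCall -Root 'C:\Automation' |
    Format-Table File, Line, HighCompleteness, Paged -AutoSize
```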


Microsoft is encouraging administrators to transition towards the Audit Search Graph API which offers:

  • Greater scalability and performance.
  • More granular control over audit log queries, including filtering by event types, timestamps, and users.
  • RESTful API interface enabling integration with modern automation pipelines and custom tools.
  • Availability across commercial and government Microsoft 365 customers.

The Graph API is positioned as a more robust and flexible solution going forward, especially for programmatic and automated audit log access.


Preparing for the Change: Best Practices for IT Teams

To minimize disruption and prepare for the January 2025 change, Microsoft and experts advise:

  1. Audit Current Workflows: Identify scripts and processes reliant on Search-UnifiedAuditLog and test their performance with HighCompleteness locked to true.

  2. Familiarize Yourself with the Audit Search Graph API: Begin experimenting with Graph API-based audit log queries to evaluate improved performance and control.

  3. Test Performance Impact: Run high-completeness queries during off-peak hours to assess resource usage and query duration.

  4. Segment Searches if Needed: Consider narrowing the scope of searches by focusing on specific users, services, or date ranges to reduce query load.

  5. Train IT Staff: Provide training for administrative teams on new audit tooling and API usage to ensure a smooth transition.
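The segmenting and performance-testing advice above can be combined in one script. This added example (constructed, not Microsoft's code) splits a date range into fixed windows, pages through each window with a search session, and records how long each window takes. The function name, window size, operation and user address are assumptions to replace with your own.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run by an
# account that is allowed to search the audit log.
function Get-AuditWindow {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [string[]] $Operations,
        [string[]] $UserIds
    )
    $query = @{
        StartDate      = $Start
        EndDate        = $End
        SessionId      = "seg-$([guid]::NewGuid())"   # one paging session per window
        SessionCommand = 'ReturnLargeSet'             # unsorted, up to 50,000 records per session
        ResultSize     = 5000                         # maximum page size
    }
    if ($Operations) { $query.Operations = $Operations }
    if ($UserIds)    { $query.UserIds    = $UserIds }

    $records = [System.Collections.Generic.List[object]]::new()
    for ($page = 1; $page -le 10; $page++) {          # 10 pages x 5,000 = session cap
        $batch = @(Search-UnifiedAuditLog @query)     # same SessionId returns the next page
        if ($batch.Count -eq 0) { break }
        $records.AddRange($batch)
        if ($records.Count -ge $batch[0].ResultCount) { break }
    }
    $records
}

# Constructed inputs: the last 48 hours in 6-hour windows, one operation, one placeholder user.
$to = (Get-Date).ToUniversalTime(); $from = $to.AddHours(-48); $step = 6
$report = for ($s = $from; $s -lt $to; $s = $s.AddHours($step)) {
    $e = $s.AddHours($step); if ($e -gt $to) { $e = $to }
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $recs  = @(Get-AuditWindow -Start $s -End $e -Operations 'FileAccessed' -UserIds 'user@example.com')
    $timer.Stop()
    [pscustomobject]@{
        Start   = $s
        End     = $e
        Records = $recs.Count
        Seconds = [math]::Round($timer.Elapsed.TotalSeconds, 1)
        AtCap   = ($recs.Count -ge 50000)   # true means the window is too wide; narrow it
    }
}
$report | Format-Table -AutoSize
```

The Seconds column gives a per-window baseline to compare against any timeout your automation currently assumes.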


Broader Context: Unified Audit Logging and Legacy Cmdlet Retirement

This change coincides with Microsoft's broader plan to retire older audit cmdlets—Search-MailboxAuditLog and New-MailboxAuditLogSearch—by March 2025. Both legacy cmdlets served specialized roles but lack the unified, cross-service capability of Search-UnifiedAuditLog.

The retirement timeline is:

  • March 1, 2025: Stop generating new entries for legacy cmdlets.
  • Late June 2025: Legacy cmdlets become read-only artifacts; no new downloads or changes allowed.

The consolidated Search-UnifiedAuditLog cmdlet is the future-forward tool, supporting unified audit logging across Exchange Online, Teams, SharePoint, OneDrive, Power BI, and more.


Conclusion

Microsoft's decision to lock the HighCompleteness parameter in Search-UnifiedAuditLog reflects the growing importance of comprehensive, accurate audit data in today’s complex security and compliance landscape. While potentially causing slower search performance and requiring workflow revisions, the change ultimately aims to strengthen the integrity and reliability of audit investigations in Microsoft 365.

Administrators should begin preparing now by assessing their current audit processes, adopting the Graph API for scalable querying, and embracing the unified approach to audit logs. This shift is part of Microsoft's broader strategy to unify tooling under a cloud-first, automated, and simplified management framework—making audit logging more powerful, if sometimes more demanding.


If you are an IT administrator or Microsoft 365 engineer, it is crucial to start testing your audit log queries now to accommodate these changes and ensure uninterrupted compliance and security monitoring under the new requirements.
