Exchange-Online-PowerShell-Recipes

Extract AuditData From Unified Audit Log Search

Problem

You want to extract the SoftDelete and HardDelete audit data returned after running Search-UnifiedAuditLog.

Solution

First, save the results to a variable:

[array]$results = Search-UnifiedAuditLog -RecordType ExchangeItemGroup -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date).AddDays(0.5) -ResultSize 400

This creates an array of unified audit log records but the data for the events is located in the AuditData property. The value of AuditData is a JSON formatted string.

Unified Audit Record

Create a new array with just the audit data.

[array]$audit += $results | Foreach-Object{ConvertFrom-Json $_.AuditData}

Now the data is what would be returned from the Search-MailboxAuditLog cmdlet.

Mailbox Audit Record

Discussion

The Search-MailboxAuditLog cmdlet is being deprecated on April 30, 2024. Microsoft is streamlining audit logs searches into the Search-UnifiedAuditLog cmdlet.¹

Exchange Record Types ²:

ExchangeAdmin
ExchangeItem
ExchangeItemGroup

References

Microsoft blog article detailing the deprecation of `Search-MailboxAuditLog cmdlet. ↩
All audit log record types ↩

This site is open source. Improve this page.