Microsoft Search-UnifiedAuditLog Changes: HighCompleteness Parameter on Lockdown

Brace yourselves, Windows community! Starting January 2025, Microsoft will implement a significant change to the Search-UnifiedAuditLog cmdlet in Exchange Online. This isn’t just a minor tweak; it’s a structural shift that every IT admin, engineer, and Microsoft 365 aficionado needs to pay attention to. Let’s break down what these changes entail, how they could impact your workflows, and what you can do to prepare for the inevitable shakeup.

What’s Changing?

The spotlight is on the HighCompleteness parameter, a feature that was quietly introduced earlier in 2024. This parameter currently allows administrators to toggle between prioritizing speed or completeness in audit log searches. Here’s the kicker: as of January 2025, the HighCompleteness parameter will be permanently locked to true, meaning all audit log searches will prioritize retrieving the most comprehensive set of results — no ifs, ands, or buts.
In a nutshell:
  • Pre-2025: You could toggle HighCompleteness based on your need for speed (set to false) or thoroughness (set to true).
  • Post-January 2025: This parameter will always prioritize completeness over performance.
Here’s how Microsoft put it: “The cmdlet will now prioritize completeness of search results over performance. As a result, search queries may take longer to finish.”
Translation? You’ll be forfeiting search speed in exchange for more exhaustive results. Let’s dive deeper into why that matters.

Understanding the Search-UnifiedAuditLog Cmdlet

For the uninitiated, the Search-UnifiedAuditLog cmdlet is a PowerShell command that searches through the unified audit log in Exchange Online. This log isn’t your garden-variety recordkeeping tool. It aggregates activities across Microsoft 365 services, including:
  • Exchange Online (think email-related events)
  • Microsoft Entra ID (formerly Azure AD, tracking identity changes)
  • Microsoft Teams (conversations, meetings, and collaboration events)
  • OneDrive for Business (file accesses, sharing logs, and edits)
Why is this command significant? IT administrators lean on this powerful tool to investigate security incidents, compliance issues, and general audit activities across their organizations.
Now, throw in the HighCompleteness parameter, which debuted in early 2024:
  • True: Retrieves every possible audit record relevant to your query. Great for in-depth investigations but tends to be slow.
  • False: Focuses on delivering results quickly, but you might miss certain records.
With this parameter permanently set to true, you'll always get the nitty-gritty details — just not at lightning speed.
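As an added example (not code from the original post or from Microsoft), here is what a high-completeness search looks like in practice, including the step most scripts need and the post glosses over: the event details arrive as a JSON string in the AuditData column and must be expanded before you can filter on them. The UPN, time window and the OneDrive/SharePoint filters are placeholders; the cmdlet, its parameters and the record type and operation names are the real ones from the ExchangeOnlineManagement module.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds an audit-reading role.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

$end   = Get-Date
$start = $end.AddDays(-7)

# -HighCompleteness is a switch. After January 2025 the cmdlet behaves as if it were
# always present, so write the surrounding script to tolerate the longer runtime.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation `
    -Operations FileAccessed, FileDownloaded `
    -ResultSize 5000 `
    -HighCompleteness

# Each row carries the event as a JSON string in AuditData; expand it into an object.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        ClientIP  = $d.ClientIP
        Object    = $d.ObjectId
    }
}

# A typical investigation summary: which accounts downloaded the most files this week?
$events | Where-Object Operation -eq 'FileDownloaded' |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count
```

ResultSize caps a single call at 5,000 rows, so a busy tenant needs narrower time windows or paging; with completeness forced on, expect the call itself to take noticeably longer than it did with the switch off.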

Why the Change?

Microsoft’s reasoning boils down to one word: accuracy. As audit log searches become increasingly critical for compliance and security, organizations need to ensure they’re examining complete data sets. Any gaps in search results could lead to missed red flags, compliance violations, or even escalated cybersecurity breaches.
Essentially, Microsoft is saying, "We’d rather you wait longer but get the FULL story than speed through and miss pivotal details."

The Potential Fallout

Not everyone is thrilled about this change, and there are valid concerns regarding its broader implications:

1. Slow and Unsteady Queries

The HighCompleteness option isn’t known for its speed. Searches may take up to 20 times longer to complete compared to speed-first queries. For admins used to lightning-fast results — particularly in real-time scenarios like an active security breach — this delay could prove problematic.

2. Broken Automation Workflows

Many IT pros have built production scripts or automated workflows around the flexibility of this cmdlet. With all queries now defaulting to high-completeness, expect some scripts to choke on the increased processing time. This could disrupt essential tasks ranging from compliance checks to regular monitoring scripts.

3. Resource Intensity

High-completeness searches consume more system resources. Companies with limited computational capacity might feel the burn as their audit query executions hog resources, potentially choking other critical operations.

The Alternative: Audit Search Graph API

Microsoft is nudging admins toward the Audit Search Graph API as the go-to solution for programmatic access to audit logs. Here’s why this matters:
  • The Audit Search Graph API is designed with scalability and performance in mind.
  • It offers more granular control over your queries than the PowerShell cmdlet.
  • It’s available across both commercial and government Microsoft 365 customers.
If you’re running custom tools or automated processes that rely on Search-UnifiedAuditLog, the switch to the Graph API might be your lifeline moving forward. Microsoft itself recommends transitioning sooner rather than later.

How Does the Graph API Work?

Think of the Graph API as a Swiss Army knife for accessing Microsoft 365 data. Instead of relying on PowerShell’s somewhat rigid cmdlet structure, the Graph API leverages RESTful services, which means:
  • It’s all about making HTTP requests. Your query goes out as a web request, and bingo — the API delivers your data back in JSON format.
  • With precise endpoints and options, you can better control what data gets pulled in (e.g., getting audit logs between specific timestamps, filtered only by a certain event type, etc.).
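The request/response flow described above, as an added example that is not part of the original post or of Microsoft's documentation. The Audit Search Graph API is asynchronous: you submit a query, poll its status, then page through the records. The endpoint paths and field names below are the beta API as the author of this example understood them at the time of writing and should be checked against the current Graph reference; the filters are constructed placeholders. It assumes the Microsoft.Graph.Authentication module and an app or user granted the AuditLogsQuery.Read.All permission.

```powershell
# Added example, not from the original post. Endpoint and field names are an
# assumption to verify against the current Microsoft Graph reference.
Connect-MgGraph -Scopes 'AuditLogsQuery.Read.All'

$base  = 'https://graph.microsoft.com/beta/security/auditLog/queries'
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-1)

# 1. Submit the query. Filters are applied server-side, which is where the
#    "granular control" over the result set comes from.
$body = @{
    '@odata.type'       = '#microsoft.graph.security.auditLogQuery'
    displayName         = 'Entra sign-in review (constructed example)'
    filterStartDateTime = $start.ToString('o')
    filterEndDateTime   = $end.ToString('o')
    recordTypeFilters   = @('azureActiveDirectoryStsLogon')
    operationFilters    = @('UserLoggedIn', 'UserLoginFailed')
}
$query = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body

# 2. Poll until the service has finished running the search in the background.
do {
    Start-Sleep -Seconds 15
    $query = Invoke-MgGraphRequest -Method GET -Uri "$base/$($query.id)"
} while ($query.status -in 'notStarted', 'running')

if ($query.status -ne 'succeeded') {
    throw "Audit query ended with status '$($query.status)'"
}

# 3. Page through the records via @odata.nextLink. Each record exposes common
#    fields (operation, userPrincipalName, clientIp) plus the raw event in auditData.
$uri = "$base/$($query.id)/records"
$failedByIp = @{}
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($rec in $page.value) {
        if ($rec.operation -eq 'UserLoginFailed') {
            $ip = $rec.clientIp
            $failedByIp[$ip] = 1 + [int]$failedByIp[$ip]
        }
    }
    $uri = $page.'@odata.nextLink'
}

# Source addresses with the most failed sign-ins in the last 24 hours.
$failedByIp.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 10
```

The polling loop is the design point: unlike the cmdlet, which blocks until it returns, the Graph query runs on the service side, so a long search no longer ties up your PowerShell session or an automation runbook's execution slot.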

How to Prepare for the Upcoming Change

Before you throw up your hands in frustration, let’s look at how you can adapt now to avoid headaches in January 2025:

1. Audit Current Workflows

  • Identify any critical scripts or processes that rely on the Search-UnifiedAuditLog cmdlet.
  • If speed is pivotal, test how these workflows perform with HighCompleteness set to true.

2. Get Friendly with the Graph API

  • Start experimenting with the Audit Search Graph API.
  • Adjust your automation pipelines to work with API calls instead of PowerShell-based cmdlets.

3. Test Performance Impacts

  • Run high-completeness queries during off-hours to assess how much time they consume and what impact that might have during peak hours.
  • If your logs are enormous, consider segmenting your searches (e.g., focusing on specific services or users).
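The three preparation steps combined into one script, as an added example (not from the original post): it runs the same query over hourly windows both with and without HighCompleteness, records runtime and row count for each, and reports how many records the fast mode would have missed. Running it before January 2025 tells you both how much slower your workflow will get and what the extra wait buys you. It assumes an existing Connect-ExchangeOnline session; the operation filter is a placeholder.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has
# already been run. The operation filter is a placeholder; substitute your own.
function Measure-AuditSearch {
    param(
        [datetime]$Start,
        [datetime]$End,
        [string[]]$Operations = @('MailItemsAccessed'),
        [bool]$HighCompleteness
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $result = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -Operations $Operations -ResultSize 5000 -HighCompleteness:$HighCompleteness
    $sw.Stop()
    $count = @($result).Count
    [pscustomobject]@{
        Window           = '{0:HH:mm}-{1:HH:mm}' -f $Start, $End
        HighCompleteness = $HighCompleteness
        Records          = $count
        Seconds          = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        HitResultCap     = ($count -ge 5000)   # true means: narrow the window further
    }
}

$dayEnd   = (Get-Date).Date
$dayStart = $dayEnd.AddDays(-1)

# Segment one day into hourly windows so no single call hits the 5,000-row cap and
# the slow high-completeness search runs in bounded pieces (run this off-hours).
$report = for ($t = $dayStart; $t -lt $dayEnd; $t = $t.AddHours(1)) {
    foreach ($mode in $false, $true) {
        Measure-AuditSearch -Start $t -End $t.AddHours(1) -HighCompleteness $mode
    }
}
$report | Format-Table -AutoSize

# Records returned only under high completeness are the ones a speed-first
# search would have silently dropped.
$report | Group-Object Window | ForEach-Object {
    $fast = ($_.Group | Where-Object HighCompleteness -eq $false).Records
    $full = ($_.Group | Where-Object HighCompleteness -eq $true).Records
    '{0}: fast={1} full={2} missed={3}' -f $_.Name, $fast, $full, ($full - $fast)
}
```

A window that reports HitResultCap as true has been truncated at the 5,000-row limit regardless of mode, so shrink that window (or add a user or operation filter) before trusting its missed count.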

Final Thoughts

Microsoft’s move to mandate high-completeness searches in the Search-UnifiedAuditLog cmdlet is a double-edged sword. On the one hand, it’s pushing the envelope for accuracy and detail, especially in environments where compliance and security are king. On the other hand, it’s going to sting organizations that value speed and efficiency in their audit log workflows.
The silver lining? The Audit Search Graph API stands ready as a modern replacement, giving admins a faster, more versatile tool — provided they’re willing to climb the API learning curve.

Community Feedback Time!

Does this change make your life easier or harder as an IT pro? Will you switch to Graph API, or will you ride out the challenges of high-completeness searches? Share your thoughts in the WindowsForum.com thread below.
Stay ahead, stay informed, and as always, keep those PowerShell scripts polished!

Source: Petri IT Knowledgebase, "Microsoft Details Changes to Audit Log Searches in Exchange Online"