M365 Archive
Back to latest version
Comparing Jan 27, 2025 Dec 12, 2024 Swap

MC955752 - Change in behavior of the HighCompleteness parameter in the Search-UnifiedAuditLog cmdlet

Message Center

Metadata at Dec 12, 2024

Message ID

MC955752

View in Message Center

Published

Dec 12, 2024

Service

Microsoft Purview

Tag

Feature update
Admin impact

Metadata changes

Tags
Admin impact, Feature update, Updated messageAdmin impact, Feature update

Body changes

removed textadded text

Updated January 27, 2025: We have updated the content. Thank you for your patience.

The Search-UnifiedAuditLog cmdlet Search-UnifiedAuditLog cmdlet gives administrators in your organization access to critical audit log event data to gain insights and further investigate user activities. Microsoft had introduced a new HighCompleteness parameterHighCompleteness parameter in this cmdlet in April 2024 that allowed customers to toggle between prioritizing completeness of search results and performance. When the HighCompleteness parameter is set to true, the search query returns a more complete set of search results, but the query may take a longer time to finish. When set to false, the query runs faster but only returns a subset of results. We recommended setting the parameter to true in scenarios where a complete list of search results was required. 

We previously announced a changeTo improve our customers’ visibility into their security logging and reduce instances of customers missing out on important audit records in their search results, we are now changing the behavior of the Search-UnifiedAuditLog cmdlet, specific toHighCompleteness parameter. Previously, customers could toggle the functioning ofparameter between true or false. With this change, the HighCompleteness parameter. We had announced plansparameter will always be set to deprecate supporttrue. 

When this will happen:

General Availability (Worldwide, GCC, GCC-High, DoD): Starting late January 2025, for this parameter and enforce HighCompleteness on all search queries submitted via the Search-UnifiedAuditLog cmdlet.

Several customers and partners reached out to us with concerns aboutcmdlet, the performance of the cmdlet in certain scenarios when HighCompleteness is enabled. Based on these concerns, we have decided to postpone the deprecationvalue of the HighCompleteness parameter will be set to a future date. This postponementtrue. 

How this will allow us to address these concerns before making any lasting changesaffect your organization:

The HighCompleteness parameter in the behaviorSearch-UnifiedAuditLog cmdlet will now be set to true for all queries. With this change, the cmdlet will now prioritize completeness of the cmdlet, andsearch results over performance. As a result, search queries may take longer to minimize any impact on customers relying on this cmdlet.finish. 

To search the audit log programmatically,What you can do to prepare:

You could also consider using our new Audit Search Graph APIAudit Search Graph API for programmatic access to audit logs. This API is now Generally Available to all our Worldwide and Gov customers.

Learn more about Purview Audit: Learn about auditing solutions in Microsoft Purview | Microsoft Learn Learn about auditing solutions in Microsoft Purview | Microsoft Learn

Learn more about the Search-UnifiedAuditLog cmdlet: Search-UnifiedAuditLog (ExchangePowerShell) | Microsoft LearnSearch-UnifiedAuditLog (ExchangePowerShell) | Microsoft Learn