You're viewing a historical snapshot from Dec 12, 2024. This is not the latest version.

Metadata at Dec 12, 2024

Published: Dec 12, 2024
Service: Microsoft Purview
Tag: Feature update, Admin impact

MC955752 - Change in behavior of the HighCompleteness parameter in the Search-UnifiedAuditLog cmdlet

Message Center

What changed since this version

Updated January 27, 2025: We have updated the content. Thank you for your patience.

The Search-UnifiedAuditLog cmdlet gives administrators in your organization access to critical audit log event data to gain insights and further investigate user activities. Microsoft had introduced a new HighCompleteness parameter in this cmdlet in April 2024 that allowed customers to toggle between prioritizing completeness of search results and performance.

We previously announced a change in the behavior of the Search-UnifiedAuditLog cmdlet, specific to the functioning of the HighCompleteness parameter. We had announced plans to deprecate support for this parameter and enforce HighCompleteness on all search queries submitted via the Search-UnifiedAuditLog cmdlet.

Several customers and partners reached out to us with concerns about the performance of the cmdlet in certain scenarios when HighCompleteness is enabled. Based on these concerns, we have decided to postpone the deprecation of the HighCompleteness parameter to a future date. This postponement will allow us to address these concerns before making any lasting changes in the behavior of the cmdlet, and to minimize any impact on customers relying on this cmdlet.

To search the audit log programmatically, you can also consider using our new Audit Search Graph API for programmatic access to audit logs. This API is now Generally Available to all our Worldwide and Gov customers.

Learn more about Purview Audit: Learn about auditing solutions in Microsoft Purview | Microsoft Learn

Learn more about the Search-UnifiedAuditLog cmdlet: Search-UnifiedAuditLog (ExchangePowerShell) | Microsoft Learn

Snapshot from Dec 12, 2024

The Search-UnifiedAuditLog cmdlet gives administrators in your organization access to critical audit log event data to gain insights and further investigate user activities. Microsoft had introduced a new HighCompleteness parameter in this cmdlet in April 2024 that allowed customers to toggle between prioritizing completeness of search results and performance. When the HighCompleteness parameter is set to true, the search query returns a more complete set of search results, but the query may take a longer time to finish. When set to false, the query runs faster but only returns a subset of results. We recommended setting the parameter to true in scenarios where a complete list of search results was required. 
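An added example (not Microsoft's code): a paged search that passes HighCompleteness explicitly and compares the number of records retrieved with the ResultCount the service reports, so a partial result set is noticed instead of silently analysed. The function name, date window and operation filter are assumptions, and an existing Exchange Online PowerShell session is expected.

```powershell
# Added example; assumes Connect-ExchangeOnline has already been run with an
# account that holds an audit log role. Function name and dates are illustrative.
function Get-CompleteAuditWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $Operations
    )

    # One session ID ties the pages of a single search together.
    $sessionId = "audit-{0}" -f [guid]::NewGuid()
    $query = @{
        StartDate        = $StartDate
        EndDate          = $EndDate
        SessionId        = $sessionId
        SessionCommand   = 'ReturnLargeSet'
        ResultSize       = 5000
        HighCompleteness = $true   # state the choice explicitly in the script
    }
    if ($Operations) { $query.Operations = $Operations }

    $records  = [System.Collections.Generic.List[object]]::new()
    $expected = $null
    do {
        # Repeating the call with the same SessionId returns the next page.
        $page = @(Search-UnifiedAuditLog @query)
        if ($page.Count -gt 0) {
            # ResultCount is the total the service reports for the whole search.
            if ($null -eq $expected) { $expected = $page[0].ResultCount }
            $records.AddRange($page)
        }
    } while ($page.Count -gt 0)

    # Flag a short read rather than handing back a partial set unnoticed.
    if ($null -ne $expected -and $records.Count -lt $expected) {
        Write-Warning "Retrieved $($records.Count) of $expected records; narrow the time window and retry."
    }
    $records
}

# Constructed sample call: one day of inbox-rule creation events.
$events = Get-CompleteAuditWindow -StartDate '2025-01-01' -EndDate '2025-01-02' -Operations 'New-InboxRule'
$events | Select-Object CreationDate, UserIds, Operations
```

Keeping each call to a short time window limits how long a HighCompleteness query runs and keeps a single session under the large-set record limit.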

To improve our customers’ visibility into their security logging and reduce instances of customers missing out on important audit records in their search results, we are now changing the behavior of the HighCompleteness parameter. Previously, customers could toggle the parameter between true or false. With this change, the HighCompleteness parameter will always be set to true. 

When this will happen:

General Availability (Worldwide, GCC, GCC-High, DoD): Starting late January 2025, for all search queries submitted via the Search-UnifiedAuditLog cmdlet, the value of the HighCompleteness parameter will be set to true. 

How this will affect your organization:

The HighCompleteness parameter in the Search-UnifiedAuditLog cmdlet will now be set to true for all queries. With this change, the cmdlet will now prioritize completeness of search results over performance. As a result, search queries may take longer to finish. 

What you can do to prepare:

You could also consider using our new Audit Search Graph API for programmatic access to audit logs. This API is now Generally Available to all our Worldwide and Gov customers.

Learn more about Purview Audit: Learn about auditing solutions in Microsoft Purview | Microsoft Learn

Learn more about the Search-UnifiedAuditLog cmdlet: Search-UnifiedAuditLog (ExchangePowerShell) | Microsoft Learn