Scenario: The search-MailboxAuditLog command has been deprecated and is no longer producing results. It is now replaced with the search-unifiedAuditLog which pulls in lots of data from various sources, not just Exchange.
I need a simple command to search a mailbox for activity and have it display results similar to before.
Commands:
#Pull Log data into a Variable from Exchange Online PowerShell
#I am running 3 separate searches since the logs cap out at 5000 and adding them all into the $logs variable
$Logs += Search-UnifiedAuditLog -StartDate 3/31/2025 -EndDate 4/3/2025 -UserIds steveman -RecordType ExchangeItem -ResultSize 5000
$Logs += Search-UnifiedAuditLog -StartDate 4/3/2025 -EndDate 4/5/2025 -UserIds steveman -RecordType ExchangeItem -ResultSize 5000
$Logs += Search-UnifiedAuditLog -StartDate 4/5/2025 -EndDate 4/8/2025 -UserIds steveman -RecordType ExchangeItem -ResultSize 5000
#The results that we are after are in JSON. I am going to get it into a form that is usable within PowerShell or CSV:
$logResults = foreach ($entry in $logs) {
if ($entry.AuditData) {
$entry | Add-Member -MemberType NoteProperty -Name AuditDataJson -Value (ConvertFrom-Json $entry.AuditData) -Force
$entry
}
}#Now I am going to pick out the common stuff that I am after, feel free to add to it.
$Logs_Cleaned = $Logresults.auditdatajson | Select ClientInfoString, CreationTime, Operation, ResultStatus, ClientIP, userID, @{Name="Subject";Expression={$_ | Select -ExpandProperty Item | Select -expandproperty Subject}}, @{Name='ModifiedProperties';Expression={$_.ModifiedProperties -join ','}}
#Now to view it, export it, whatever you want to do, you can just reference the $logs_Cleaned variable.
$Logs_Cleaned
#-or
$Logs_Cleaned | Out-gridview
#-or
$Logs_Cleaned | export-csv c:\temp\data.csv
Ex-Shell 