Microsoft Updates Multi-Geo Audit Searches

Mailbox Audit Events Problematic for Multi-Geo Audit Searches

At first glance, the title given to MC550039 (3 May 2023) is confusing. What exactly does “Configuration Change: Search-MailboxAuditLog cmdlet, multi-geo scenarios” mean?

Microsoft attempts to explain that in multi-geo tenants, a problem might arise when running the Search-MailboxAuditLog cmdlet to search mailbox audit records, leading to the message “An error occurred while trying to access the audit log.” The reason why this happens is that the administrator running the search uses a mailbox in a different region.

Remember that Exchange stores mailbox audit records in the Audits folder of Recoverable Items in user mailboxes. In a multi-geo organization, user mailboxes can be in different regions. To make sure that searches work, administrators must “anchor” themselves in the target region by specifying a mailbox in the region when they run Connect-ExchangeOnline to connect PowerShell to Exchange Online. It’s a way of setting a scope for the mailbox audit log search.

The Unified Audit Log is a Better Search Target

Exchange Online generates mailbox audit events for mailboxes licensed with Exchange Online Plan 1 and 2. Enterprises running multi-geo organizations are likely to have Office 365 E3 or better licenses and therefore can use the unified audit log to gather data from multiple workloads in a single searchable store. In Office 365 E3 environments, administrators must enable mailboxes for auditing before mailbox audit events flow to the unified audit log. From March 2023, admin audit events from all regional locations end up in the unified audit log and can be searched there.

For instance, this command finds mailbox audit events recording the use of the Send As feature for a shared mailbox:

Search-MailboxAuditLog -Identity Customer.Communictions -LogonTypes Delegate -StartDate ((Get-Date).AddDays(-90)) -EndDate ((Get-Date).AddDays(+1)) -ShowDetails | Where-Object {$_.Operation -eq "SendAs"} | Select LogonUserDisplayName, LastAccessed

LogonUserDisplayName LastAccessed
-------------------- ------------
Tony Redmond         03/05/2023 20:29:39
Tony Redmond         03/05/2023 19:42:39
Tony Redmond         03/05/2023 19:13:41
Tony Redmond         20/04/2023 23:48:11
Tony Redmond         20/04/2023 17:44:10
Tony Redmond         20/04/2023 14:08:41

Within 15 minutes or so of creation, Exchange Online sends the mailbox audit events to the unified audit log. The events are immediately searchable through the Purview compliance portal (Figure 1) and PowerShell.

Figure 1: Mailbox audit events found in the unified audit log

But, as MC550039 points out, unless you’re signed into an account in a satellite region, you won’t be able to see mailbox audit events from that region. Exchange Online does not transmit mailbox audit events from satellite regions to the unified audit log.
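
The unified audit log counterpart of the Search-MailboxAuditLog command shown earlier, as an added example that is not from the original article. It assumes an existing Connect-ExchangeOnline session; the mailbox address is a placeholder, and the AuditData property names (SendAsUserSmtp, Item.Subject) are assumptions to check against a sample record from your own tenant.

```powershell
# Added example (not the article's code). Requires a connected Exchange Online
# PowerShell session and permission to search the audit log.
$Mailbox   = 'shared.mailbox@contoso.com'   # placeholder shared mailbox address
$StartDate = (Get-Date).AddDays(-90)
$EndDate   = (Get-Date).AddDays(1)

# A single call returns at most 5,000 records. Reusing one SessionId with
# ReturnLargeSet pages through the result set until nothing more comes back.
$SessionId = 'SendAs-' + (Get-Date -Format 'yyyyMMddHHmmss')
$Records   = [System.Collections.Generic.List[object]]::new()
do {
    [array]$Page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations SendAs -SessionId $SessionId -SessionCommand ReturnLargeSet `
        -ResultSize 5000
    if ($Page) { $Records.AddRange($Page) }
} while ($Page)

# ReturnLargeSet output is unsorted and can contain duplicates, so deduplicate
# on the record identity before reporting.
$Unique = $Records | Sort-Object Identity -Unique

# AuditData is a JSON string; parse it to reach the Exchange-specific fields.
$Report = foreach ($Record in $Unique) {
    $Data = $Record.AuditData | ConvertFrom-Json
    # Assumed property: SendAsUserSmtp holds the address the message was sent as.
    if ($Data.SendAsUserSmtp -ne $Mailbox) { continue }
    [PSCustomObject]@{
        TimeUtc = $Record.CreationDate   # audit timestamps are in UTC
        Actor   = $Record.UserIds        # account that performed the Send As
        SentAs  = $Data.SendAsUserSmtp
        Subject = $Data.Item.Subject     # assumed property, verify in your tenant
    }
}

$Report | Sort-Object TimeUtc -Descending | Format-Table -AutoSize
```

Because of the limitation described above, an empty result for a mailbox hosted in a satellite region does not mean no Send As activity occurred there.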

Admin Events

Exchange Online also generates admin audit events and transmits these events to the unified audit log. This process works for multi-geo environments, meaning that you can search for admin events using PowerShell or the audit search in the Microsoft Purview compliance portal.

Passing the Message

Microsoft hasn’t invested in Exchange mailbox audit logging for several years. Their focus is on the unified audit log. This is natural because the unified audit log offers better search options (even if the modern audit search GUI in the Purview compliance portal is very slow to retrieve audit data).

In general, it’s always best to use Search-UnifiedAuditLog or the Microsoft Purview compliance portal to search audit data. The exception, as appears to be the case here, is when searching for mailbox audit data from a satellite region, where you’re forced to run the Search-MailboxAuditLog cmdlet after connecting to an appropriate mailbox. It would be nice if Microsoft made it possible for mailbox audit events to flow from satellite regions to the unified audit log. Unified, after all, is the important word.
