This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 84%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEA%3C/text%3E%3C/svg%3E)
Hi Community,
We have some scripts deployed in different clients (different Tenants) where we use the cmdlet "Search-UnifiedAuditLog".
These scripts connect to ExchangeOnline using an App registered in the Tenant (each client has it own App) and using a Self-Signed certificate:
In the script we use the cmdlet "Search-UnifiedAuditLog" and this have been working during months but from saturday 20/5 an error appears when using the cmdlet.
So, it seems that a change have been made in Microsoft side making that now doesn't work because we got the same error in all ot our clients (diferentes tenants) without making any change in the script, installed Exchangeonline module (version 3.1.0) or anyhing else from Saturday 20/5.
So, I request your help to check if you have or can recreate the same problem and how to fix it.
Below the error when connecting using the App and how it works when connecting using credentials (the "user@company.com" obviously is not real and replaces the real userprincipalname)
PS C:\Users\user> Connect-ExchangeOnline -Organization $organization -AppId $clientid -CertificateThumbprint $certificatethumbprint
----------------------------------------------------------------------------------------
This V3 EXO PowerShell module contains new REST API backed Exchange Online cmdlets which doesn't require WinRM for Client-Server communication. You can now run these cmdlets after turning off WinRM Basic Auth in your client machine thus making it more secure.
Unlike the EXO* prefixed cmdlets, the cmdlets in this module support full functional parity with the RPS (V1) cmdlets.
V3 cmdlets in the downloaded module are resilient to transient failures, handling retries and throttling errors inherently.
However, REST backed EOP and SCC cmdlets are not available yet. To use those, you will need to enable WinRM Basic Auth.
For more information check https://aka.ms/exov3-module
----------------------------------------------------------------------------------------
PS C:\Users\user> Search-UnifiedAuditLog -enddate $EndDate -startdate $StartDate -UserIds "user@company.com" -resultsize 5000
Write-ErrorMessage : One or more errors occurred.
En C:\Users\user\AppData\Local\Temp\tmpEXO_k1eb1aj3.2j2\tmpEXO_k1eb1aj3.2j2.psm1: 1120 Carácter: 13
+ Write-ErrorMessage $ErrorObject
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Search-UnifiedAuditLog], Exception
+ FullyQualifiedErrorId : [Server=DB4PR03MB9409,RequestId=cb62cac9-7756-7cdf-da1e-d0d4b568ab80,TimeStamp=Mon, 22 May 2023 08:25:55 GMT],Write-ErrorMessage
If you connect using credentials then it works:
PS C:\Users\user> Connect-ExchangeOnline -credential $Office365credentials
----------------------------------------------------------------------------------------
This V3 EXO PowerShell module contains new REST API backed Exchange Online cmdlets which doesn't require WinRM for Client-Server communication. You can now run these cmdlets after turning off WinRM Basic Auth in your client machine thus making it more secure.
Unlike the EXO* prefixed cmdlets, the cmdlets in this module support full functional parity with the RPS (V1) cmdlets.
V3 cmdlets in the downloaded module are resilient to transient failures, handling retries and throttling errors inherently.
However, REST backed EOP and SCC cmdlets are not available yet. To use those, you will need to enable WinRM Basic Auth.
For more information check https://aka.ms/exov3-module
----------------------------------------------------------------------------------------
PS C:\Users\user> $FechaUltimoAcceso=Search-UnifiedAuditLog -enddate $EndDate -startdate $StartDate -UserIds "user@company.com" -resultsize 5000
PS C:\Users\user> $FechaUltimoAcceso.count
422
PS C:\Users\user>
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi @eIT Admin ,
Have you had a chance to check the Service Health dashboard via M365 admin center and see if there's any potentially relevant incident?
Also noticed that a similar issue has already been opened in the link below. You can also subscribe it and see if we can get any more information there:
search-unifiedauditlog: Write-ErrorMessage : One or more errors occurred.
Hi Yuki,
I've not seen any relevant information from Service Health dashboard (looking at the different Tenants) but looking at the case mentioned above, there is a reference to another very much similar issue (https://github.com/MicrosoftDocs/office-docs-powershell/issues/10693) with the same behaviour:
So, we are now in the same situation but the problem still persists after 4 days waiting for Microsoft to fix it.
Hi @eIT Admin ,
I've also seen the similar case you mentioned and it seems like that was probably a transient backend issue. Given current situation, personally I'd recommend trying to contact M365 support in the admin portal to further confirm about it:
Hi again Yuki,
My sequence trying to getting help from Microsoft:
So, here we are ......
From my side in almost 100% of the Tenants that we manage now the cmdlet works properly again. It's clear that something was changed in background and now are fixing the problem.
Hi @eIT Admin ,
Great to know that it's all working now and thanks for sharing the update here!
By the way, since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll write a brief summary of this thread in case you'd like to "Accept" it as answer for others' reference : )
[Search-UnifiedAuditLog doesn't work from 20/5 when connected to ExchangeOnline using a Registered App in AzureAD]
Issue Symptom:
Search-UnifiedAuditLog cmdlet suddenly doesn't work when connecting using the App with the error below:
Write-ErrorMessage : One or more errors occurred.
Current Status:
The cmdlet works properly again with no action undertaken. "It's clear that something was changed in background and now are fixing the problem."
Consider opening a ticket or provide feedback on this issue:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 25%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBV%3C/text%3E%3C/svg%3E)
We tried logging the details of the errors as mentioned above but no log file gets generated
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 96%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGK%3C/text%3E%3C/svg%3E)
It seems like you're experiencing an issue with the "Search-UnifiedAuditLog" cmdlet in your scripts, which connect to Exchange Online using an App registered in each client's tenant with a self-signed certificate. The error started occurring on May 20th, and you haven't made any changes to the script or the Exchange Online module (version 3.1.0).
Based on the error message you provided, it appears that a change may have been made on the Microsoft side, causing the cmdlet to fail. To investigate and resolve this issue, I recommend the following steps:
Check for any recent updates or announcements from Microsoft regarding changes to the "Search-UnifiedAuditLog" cmdlet or Exchange Online modules. Look for any known issues or breaking changes that might be relevant to your situation.
Verify that the self-signed certificate you're using is still valid and hasn't expired. If necessary, renew the certificate and update it in the App registration for each client's tenant.
Update the Exchange Online module to the latest version available. Even though you mentioned that you haven't made any changes to the module, it's worth ensuring that you have the most up-to-date version installed, as it might include bug fixes or compatibility improvements.
Try running the script on a different machine or environment to see if the issue persists. This will help determine if the problem is specific to your current environment or if it's a broader issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 38%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERL%3C/text%3E%3C/svg%3E)
I have the same issue
Hi Gear, regarding your recommendations:
So, all these steps have been checked before open this Post.
Hello
We have the same problem here. We run our script with a valid self-signed certificate and it connects successfully to our tenant. Nevertheless, we get a 'Search-UnifiedAuditLog: One or more errors occurred.' message, nothing more. This script has been running for months flawlessly.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 84%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
Same issue this side:
Error invoking cmdlet [Search-UnifiedAuditLog]. One or more errors occurred.
The cmdlet was running fine since months.
Hi Vincent,
Many thanks for your feedback, it is good to know that we are not alone with this problem and obviously something has been changed in background by Microsoft.
Let's see their answer about this issue.
We have the same issue
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 70%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOB%3C/text%3E%3C/svg%3E)
The same issue and it's quite critical for my company as we have a lot of scripts to track user activities using audit log.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 22%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGB%3C/text%3E%3C/svg%3E)
Same exact issue here across multiple tenants.
Everything is now back to normal on our side (with no action undertaken)
Lucky you, I'm still seeing the problem in multiple tenants after your message. Maybe they've fixed something that will propagate to all over the next few hours, but I won't hold my breath.
Good morning Community,
From my side in almost 100% of the Tenants that we manage now the cmdlet works properly again.
It's clear that something was changed in background and now are fixing the problem.
Thanls for your time and for giving your feedback!
Same - multiple tenants all now operating as expected. My support ticket is still open and I have asked them to leave it open and get back to me once they figure out what went wrong.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 4%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Using self-signed certificates for production use in Azure AD applications. Microsoft recommends using certificates issued by a trusted certificate authority (CA) for production environments. Sharing potentially sensitive information like error messages, as they might contain confidential details.