Search-UnifiedAuditLog doesn't work from 20/5 when connected to ExchangeOnline using a Registered App in AzureAD

eIT Admin 60 Reputation points
2023-05-22T08:45:01.2933333+00:00

Hi Community,

We have some scripts deployed in different clients (different Tenants) where we use the cmdlet "Search-UnifiedAuditLog".

These scripts connect to ExchangeOnline using an App registered in the Tenant (each client has its own App) and using a Self-Signed certificate:

In the script we use the cmdlet "Search-UnifiedAuditLog" and this has been working for months, but since Saturday 20/5 an error appears when using the cmdlet.

So, it seems that a change has been made on Microsoft's side so that it no longer works, because we get the same error in all of our clients (different tenants) without having made any change to the script, the installed ExchangeOnline module (version 3.1.0) or anything else since Saturday 20/5.

So, I request your help to check if you have or can recreate the same problem and how to fix it.

Below is the error when connecting using the App and how it works when connecting using credentials (the "user@company.com" obviously is not real and replaces the real userprincipalname)

PS C:\Users\user> Connect-ExchangeOnline -Organization $organization -AppId $clientid -CertificateThumbprint $certificatethumbprint
----------------------------------------------------------------------------------------
This V3 EXO PowerShell module contains new REST API backed Exchange Online cmdlets which doesn't require WinRM for Client-Server communication. You can now run these cmdlets after turning off WinRM Basic Auth in your client machine thus making it more secure.
Unlike the EXO* prefixed cmdlets, the cmdlets in this module support full functional parity with the RPS (V1) cmdlets.
V3 cmdlets in the downloaded module are resilient to transient failures, handling retries and throttling errors inherently.
However, REST backed EOP and SCC cmdlets are not available yet. To use those, you will need to enable WinRM Basic Auth.
For more information check https://aka.ms/exov3-module
----------------------------------------------------------------------------------------

PS C:\Users\user> Search-UnifiedAuditLog -enddate $EndDate -startdate $StartDate -UserIds "user@company.com" -resultsize 5000
Write-ErrorMessage : One or more errors occurred.
En C:\Users\user\AppData\Local\Temp\tmpEXO_k1eb1aj3.2j2\tmpEXO_k1eb1aj3.2j2.psm1: 1120 Carácter: 13
+             Write-ErrorMessage $ErrorObject
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Search-UnifiedAuditLog], Exception
    + FullyQualifiedErrorId : [Server=DB4PR03MB9409,RequestId=cb62cac9-7756-7cdf-da1e-d0d4b568ab80,TimeStamp=Mon, 22 May 2023 08:25:55 GMT],Write-ErrorMessage


If you connect using credentials then it works:

PS C:\Users\user> Connect-ExchangeOnline -credential $Office365credentials
----------------------------------------------------------------------------------------
This V3 EXO PowerShell module contains new REST API backed Exchange Online cmdlets which doesn't require WinRM for Client-Server communication. You can now run these cmdlets after turning off WinRM Basic Auth in your client machine thus making it more secure.
Unlike the EXO* prefixed cmdlets, the cmdlets in this module support full functional parity with the RPS (V1) cmdlets.
V3 cmdlets in the downloaded module are resilient to transient failures, handling retries and throttling errors inherently.
However, REST backed EOP and SCC cmdlets are not available yet. To use those, you will need to enable WinRM Basic Auth.
For more information check https://aka.ms/exov3-module
----------------------------------------------------------------------------------------




PS C:\Users\user> $FechaUltimoAcceso=Search-UnifiedAuditLog -enddate $EndDate -startdate $StartDate -UserIds "user@company.com" -resultsize 5000
PS C:\Users\user> $FechaUltimoAcceso.count
422
PS C:\Users\user>


Accepted answer
  1. Yuki Sun-MSFT 41,011 Reputation points
    2023-05-24T07:14:48.2+00:00

    From my side in almost 100% of the Tenants that we manage now the cmdlet works properly again. It's clear that something was changed in background and now are fixing the problem.

    Hi @eIT Admin

    Great to know that it's all working now and thanks for sharing the update here!

    By the way, since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll write a brief summary of this thread in case you'd like to "Accept" it as answer for others' reference : )


    [Search-UnifiedAuditLog doesn't work from 20/5 when connected to ExchangeOnline using a Registered App in AzureAD]

    Issue Symptom:

    Search-UnifiedAuditLog cmdlet suddenly doesn't work when connecting using the App with the error below:

    Write-ErrorMessage : One or more errors occurred.
    
    

    Current Status:

    The cmdlet works properly again with no action undertaken. "It's clear that something was changed in background and now are fixing the problem."

    1 person found this answer helpful.

4 additional answers

  1. Andy David - MVP 145K Reputation points MVP
    2023-05-22T12:47:25.3866667+00:00
    1 person found this answer helpful.

  2. Gear Knacks 0 Reputation points
    2023-05-22T08:59:42.91+00:00

    It seems like you're experiencing an issue with the "Search-UnifiedAuditLog" cmdlet in your scripts, which connect to Exchange Online using an App registered in each client's tenant with a self-signed certificate. The error started occurring on May 20th, and you haven't made any changes to the script or the Exchange Online module (version 3.1.0).

    Based on the error message you provided, it appears that a change may have been made on the Microsoft side, causing the cmdlet to fail. To investigate and resolve this issue, I recommend the following steps:

    Check for any recent updates or announcements from Microsoft regarding changes to the "Search-UnifiedAuditLog" cmdlet or Exchange Online modules. Look for any known issues or breaking changes that might be relevant to your situation.

    Verify that the self-signed certificate you're using is still valid and hasn't expired. If necessary, renew the certificate and update it in the App registration for each client's tenant.

    Update the Exchange Online module to the latest version available. Even though you mentioned that you haven't made any changes to the module, it's worth ensuring that you have the most up-to-date version installed, as it might include bug fixes or compatibility improvements.

    Try running the script on a different machine or environment to see if the issue persists. This will help determine if the problem is specific to your current environment or if it's a broader issue.
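
The local checks suggested in the answer above (certificate validity, module version) and the request details from the error in the question can be collected in one pass. This is an added example, not part of the original thread; the function names `Test-ExoAppOnlyPrereq` and `ConvertFrom-ExoErrorId` are hypothetical, and it assumes the cmdlet honours `-ErrorAction Stop`.

```powershell
# Added example; function names are hypothetical. $organization, $clientid,
# $certificatethumbprint, $StartDate and $EndDate are the question's variables.
function Test-ExoAppOnlyPrereq {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Search both personal stores and report where the certificate was found.
    $cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    $module = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
        Sort-Object Version -Descending | Select-Object -First 1
    $now = Get-Date
    [pscustomobject]@{
        CertStore     = if ($cert) { $cert.PSParentPath }
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        CertNotAfter  = if ($cert) { $cert.NotAfter }
        CertValidNow  = [bool]($cert -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        ModuleVersion = if ($module) { $module.Version }
    }
}

function ConvertFrom-ExoErrorId {
    param([Parameter(Mandatory)][string]$ErrorId)
    # Shape shown in the question: [Server=..,RequestId=..,TimeStamp=..],Write-ErrorMessage
    $pattern = '^\[Server=(?<Server>[^,]+),RequestId=(?<RequestId>[^,]+),TimeStamp=(?<TimeStamp>[^\]]+)\]'
    if ($ErrorId -match $pattern) {
        [pscustomobject]@{
            Server    = $Matches['Server']
            RequestId = $Matches['RequestId']
            TimeStamp = $Matches['TimeStamp']
        }
    }
}

$pre = Test-ExoAppOnlyPrereq -Thumbprint $certificatethumbprint
$pre | Format-List
if ($pre.CertValidNow -and $pre.HasPrivateKey) {
    Connect-ExchangeOnline -Organization $organization -AppId $clientid `
        -CertificateThumbprint $certificatethumbprint -ShowBanner:$false
    try {
        # Assumes the cmdlet honours -ErrorAction Stop so the failure reaches catch.
        $r = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -UserIds 'user@company.com' -ResultSize 5000 -ErrorAction Stop
        "Search OK: $(@($r).Count) records"
    } catch {
        # Local checks passed: keep the server-side request details for a support case.
        ConvertFrom-ExoErrorId $_.FullyQualifiedErrorId
    } finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}
```

If the pre-flight object shows a valid certificate with a private key and the search still fails, the parsed Server, RequestId and TimeStamp are the values to quote when opening a case with Microsoft.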


  3. eIT Admin 60 Reputation points
    2023-05-22T09:36:06.78+00:00

    Hi Gear, regarding your recommendations:

    • No updates or announcements found from Microsoft regarding changes to the "Search-UnifiedAuditLog"
    • The Self-signed certificate is still valid (expires on 31/12/2100) in all the clients (each client has its own certificate)
    • All the clients have the latest version of the Exchange Online module (3.1.0)
    • The issue persists in all the clients, so different machines, environments and Tenants, because the script is executed on the servers of the clients

    So, all these steps had been checked before opening this Post.


  4. EmlyLorienz 0 Reputation points
    2024-02-27T12:05:55.37+00:00

    Using self-signed certificates for production use in Azure AD applications. Microsoft recommends using certificates issued by a trusted certificate authority (CA) for production environments. Sharing potentially sensitive information like error messages, as they might contain confidential details.
