Extract AuditData From Unified Audit Log Search


You want to extract the SoftDelete and HardDelete audit data returned after running Search-UnifiedAuditLog.


First, save the results to a variable:

[array]$results = Search-UnifiedAuditLog -RecordType ExchangeItemGroup -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date).AddDays(0.5) -ResultSize 400

This creates an array of unified audit log records, but the event details are in each record's AuditData property. The value of AuditData is a JSON-formatted string.

Unified Audit Record

Create a new array with just the audit data.

[array]$audit = $results | ForEach-Object { ConvertFrom-Json $_.AuditData }

Each element of $audit now holds the data that the Search-MailboxAuditLog cmdlet would have returned.

Mailbox Audit Record
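An added example, not part of the original page: it runs the same ConvertFrom-Json step over constructed sample records, keeps only SoftDelete and HardDelete operations, and flattens each affected item into one row. The AuditData field names (Operation, UserId, MailboxOwnerUPN, ClientIPAddress, AffectedItems, Subject, ParentFolder.Path) and the function name Get-DeleteAuditRow are assumptions.

```powershell
# Constructed sample records shaped like Search-UnifiedAuditLog output (not real tenant data).
# The AuditData field names used here are assumptions, not taken from the original page.
$results = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-03-01T09:15:00","Operation":"HardDelete","UserId":"alice@example.com","MailboxOwnerUPN":"alice@example.com","ClientIPAddress":"203.0.113.10","AffectedItems":[{"Subject":"Invoice 1001","ParentFolder":{"Path":"\\Recoverable Items\\Deletions"}},{"Subject":"Invoice 1002","ParentFolder":{"Path":"\\Recoverable Items\\Deletions"}}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-03-01T10:02:00","Operation":"SoftDelete","UserId":"bob@example.com","MailboxOwnerUPN":"carol@example.com","ClientIPAddress":"198.51.100.7","AffectedItems":[{"Subject":"Q1 forecast","ParentFolder":{"Path":"\\Inbox"}}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-03-01T10:30:00","Operation":"MoveToDeletedItems","UserId":"carol@example.com","MailboxOwnerUPN":"carol@example.com","AffectedItems":[{"Subject":"Lunch","ParentFolder":{"Path":"\\Inbox"}}]}' }
    [pscustomobject]@{ AuditData = '{"Operation":"HardDelete","UserId":' }   # truncated JSON, must not stop the run
)

function Get-DeleteAuditRow {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        # A record whose AuditData does not parse is reported and skipped.
        try   { $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; return }

        if ($data.Operation -notin 'SoftDelete', 'HardDelete') { return }

        # One event can cover several items. @() also yields a single empty
        # item when AffectedItems is missing, so the deletion still gets a row.
        foreach ($item in @($data.AffectedItems)) {
            [pscustomobject]@{
                Time      = $data.CreationTime
                Operation = $data.Operation
                Actor     = $data.UserId
                Mailbox   = $data.MailboxOwnerUPN
                ClientIP  = $data.ClientIPAddress
                Folder    = $item.ParentFolder.Path
                Subject   = $item.Subject
            }
        }
    }
}

[array]$rows = $results | Get-DeleteAuditRow
$rows | Format-Table -AutoSize

# Deletions where the actor is not the mailbox owner (delegate or admin access).
$rows | Where-Object { $_.Actor -ne $_.Mailbox } | Format-Table -AutoSize
```

To use it on live data, replace the constructed $results array with the output of the Search-UnifiedAuditLog command shown earlier.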


The Search-MailboxAuditLog cmdlet is being deprecated on April 30, 2024. Microsoft is streamlining audit log searches into the Search-UnifiedAuditLog cmdlet. [1]

Exchange Record Types [2]:


  1. Microsoft blog article detailing the deprecation of the `Search-MailboxAuditLog` cmdlet.

  2. All audit log record types