Hero Banner

Secure Application Model

Learn and ask questions on how to implement secure application model

Level 3 Contributor

Search-UnifiedAuditLog returns nothing for half my tenants when connecting via SAM

I am able to connect to all of my tenants Exchange online instances via PowerShell using the Secure Application Model, all commands that I've tested seem to work fine, the only exception to this it seems is the "Seach-UnifiedAuditLog" command, which imports, but returns nothing.


I set up a script to loop through all of my tenant's exchanges(Below) and out of around 90 tenants, only 40 were able to retrieve data when running the "Seach-UnifiedAuditLog" command.


  • This wasn't always the case, I used to be able to retrieve logs for these clients.
  • The clients that are now unable to pull data are consistently broken.
  • I have tested this on both Powershell 5 and 7.
  • If I connect via delegated access in the EXOv2 module, it works fine. 
  • I get the same result if I remove the "-AllowClobber -CommandName" switches


I have no idea how to troubleshoot this issue further, any help would be appreciated.


The output of the script:

2021-03-09 16_01_21-● Untitled-2 - Visual Studio Code.png


The script to cycle through all clients:



$upn = "my@email.com"
$PartnerEXRT = "ExchangeRefreshTokenFromPartnerTenant"

$body = @{
    "scope"      = "https://outlook.office365.com/.default"
    "grant_type"    = "refresh_token"
    "refresh_token" = $PartnerEXRT
foreach ($customer in $customers.companyProfile) {
    get-pssession | remove-pssession
    $data = $null
    $uri = "https://login.microsoftonline.com/$($customer.tenantId)/oauth2/token/"
    $token = (Invoke-RestMethod $uri -Method 'post' -body $body).access_token
    $tokenValue = ConvertTo-SecureString "Bearer $token" -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($upn, $tokenValue)
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell-liveid?DelegatedOrg=asdf&BasicAuthToOAuthConversion=true" -Credential $credential -Authentication Basic -AllowRedirection
    Import-PSSession $session -AllowClobber -CommandName Get-AcceptedDomain, Search-unifiedAuditLog 

    $days = 1
    $SessionId = Get-Date -Format 'mmss'
    $startDate = (Get-Date).AddDays(-$days)
    $endDate = (Get-Date)

    $data = Search-unifiedAuditLog -SessionId $SessionId -StartDate $startDate -EndDate $endDate  -SessionCommand ReturnLargeSet -ResultSize 5000

        Write-host "Success for $($customer.companyName), $($data.count) logs retrieved" -foregroundColor green
        $success += 1
        Write-host "failure for $($customer.companyName)" -foregroundColor red
        $failure += 1


write-host "Total successes: $success" -foregroundColor green
write-host "Total failures: $failure" -foregroundColor red




Level 3 Contributor

Well, Microsoft wouldn't solve it, but Kelvin from CyberDrain will.

This new module of his solved my issues.



Level 3 Contributor

I have a mix, there doesn't seem to be a correlation between the clients with P1 and clients that do and don't work.

I am able to retrieve logins for clients using the Graph API, but obviously only works for clients with premium.

Level 1 Contributor

Do your tenants have Azure AD Premium P1 or P2 licenses?