Unified Audit Log Backend Failure

Hi Zarek,

It is important to distinguish this from normal audit log latency. While audit records may take some time to appear (typically minutes to a few hours), a complete absence of results across the Microsoft Purview portal, PowerShell, and the Office 365 Management Activity API over an extended period indicates a backend service issue rather than expected delay.

A simple validation test can be performed using:

Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) -ResultSize 10

If this consistently returns no results in a tenant with known recent activity, it further supports that audit data is not being ingested or indexed correctly on the service side.

For escalation, it is recommended to provide Microsoft support with exact timestamps of failed searches, any correlation IDs from errors in the Microsoft Purview portal, and confirmation that the issue reproduces across all access methods (portal, PowerShell, and API). You should also explicitly request confirmation of audit ingestion status, any processing backlog, and whether the issue is tied to a known incident or internal defect.

Additionally, review the Microsoft 365 Service Health dashboard for any related advisories, noting that not all backend ingestion issues are immediately published.

Finally, depending on the nature of the backend failure, audit data generated during the affected period may be delayed or, in some cases, not recoverable. Microsoft support should confirm whether missing data will be backfilled after resolution.

For a tenant-wide Unified Audit Log backend failure that Microsoft has already acknowledged as a service-side issue, there is no client-side fix available in configuration, PowerShell, or the portal. When auditing is enabled and correctly configured but searches across the Microsoft Purview portal, Search-UnifiedAuditLog, and the Office 365 Management Activity API all fail or return zero results, remediation must be done by Microsoft on the backend audit pipeline and storage.

Locally applicable checks are limited to confirming that:

• Auditing is enabled at the organization level and not disabled at the tenant level.
• Mailbox auditing is enabled where relevant and that E5 vs non‑E5 behavior is understood.
• The account performing searches has the correct roles.

From the provided information:

• Mailbox audit events for non‑E5 users may not appear in unified audit log searches unless mailbox auditing is explicitly enabled on those mailboxes. As a workaround, Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true can be used to enable auditing per mailbox, and if a mailbox appears enabled but returns no results, toggling AuditEnabled to $false and then back to $true can help reinitialize auditing for that mailbox.
• To search for mailbox activities in specific mailboxes, it is necessary to verify the organization-level audit configuration (Get-AdminAuditLogConfig), ensure auditing is not disabled at the tenant level (Get-OrganizationConfig | FL AuditDisabled), and confirm that the mailbox appears in Get-Mailbox -Filter {AuditEnabled -eq "True"}.
• To search for specific email messages, the account must have the Audit Logs role in Microsoft Purview and use Exchange Online PowerShell with Connect-ExchangeOnline.
• If a user receives "Your request couldn't be completed. Please try again" when searching the audit log, the fix is to assign the View‑Only Audit Logs or Audit Logs role via a custom role group in the Exchange admin center.

If all of these conditions are already satisfied, and Microsoft has confirmed a backend service issue, there is no additional tenant-side action that can repair the unified audit log. In that case, resolution depends on Microsoft engineering correcting the backend. The only escalation path is through Microsoft support; there is no alternate self-service or direct engineering contact channel documented beyond opening and pursuing support cases.

References:

• Search the audit log to investigate common support issues
• "Your request couldn't be completed. Please try again" error when you try to search the audit log in Microsoft 365
• Search the audit log for mailbox activities in specific mailboxes
• Learn about auditing solutions in Microsoft Purview
• Search the audit log for specific email messages
• Office 365 Management Activity API FAQs and troubleshooting