A year ago, the first iteration of the Audit Search UI was released, and I wasn’t impressed by it, to put it mildly. Now, a new Preview experience is made available, which largely ignores all the shortcomings of the initial release, but adds asynchronous execution and a way to review the results of previously run searches. Which is a nice step forward, I won’t deny. Here’s how it works.
First, navigate to the Purview compliance center and hit the Audit entry on the left nav pane, or use the https://compliance.microsoft.com/auditlogsearch URI directly. If the preview is enabled within your tenant, you will land at the New Search (preview) page, also designated as ‘async search’ (?viewid=Async Search). The layout remains largely the same, with the addition of an (optional) Search Name textbox. The other new element is the list of previously performed searches, presented in tabular view with the following details:
- Search name – quite descriptive by itself.
- Job status – as the search is now run asynchronously, it starts with Queued, progresses to In progress and, if everything goes as expected, ends at Completed.
- Progress – an indicator of the job completion percentage.
- Search time – another progress indicator, in the form of the time it took to complete the query.
- Number of results – the total number of entries returned by the query.
- Creation time – the datetime at which the query was submitted.
- Searched by – the identifier of the user who started the query.
Interestingly, the Creation time column is the only one you can sort by. You cannot rearrange the columns either, and the resizing experience is flaky at best.
The process of creating a new search is virtually unchanged. As mentioned above, the only new UI element is the Search name textbox, but that’s not a mandatory one, so you can skip it. The date selection bits function the same as with the Classic search experience, which unfortunately means that if you want to include today’s results in the search, you have to manually change the end date to tomorrow’s value (here’s another reminder that this was done by default in the good old SCC UI). For the start date, you can go back up to one year, depending on the type of SKU you have and the audit retention policies configured. In the new experience, the default time range seems to be a day, whereas in the classic one it spanned a week.
The Activities control remains as useless as ever, as sifting through the few hundred event types remains a very unpleasant experience. Nothing has changed in the other controls either, and you’re expected to know and use the exact format needed for the File, folder or site box, and the Users selection hasn’t received any love either. Lastly, a new warning has been added, prompting you to add at least one filter to your search query in order to improve performance (as in, if you hit the Search button without going over the other controls).
Anyway, once you’ve entered the search criteria, hit the Search button to queue the query, which as mentioned above will now run asynchronously. The new search will be populated in the list view at the bottom of the screen, where you can monitor the progress. Selecting a search entry does not update the UI elements to reflect the corresponding date, activities or object selection. You can however use the Copy this search button to the same effect, which allows you to “reuse” past queries. You can hit the Refresh button to force the table to update the details on each search entry. You will also have the option to Cancel a given search if it’s still in progress, whereas for completed searches you can hit the Delete button to remove the entry and purge the results. Lastly, you cannot multi-select entries.
Once the search has completed, you can click the corresponding entry (or the Completed hyperlink) to get to the search results page. You can actually get to the same page while the search is still in progress, but for a better experience, best wait for it to complete. Otherwise you will see a few glitches, such as the Total number of results represented as 0, even though you can actually see individual events in the list (or their details). The same can be said for the Searches list itself, see for example the value of the Search time column on the screenshot above. Anyway, for the best experience, wait for the query to complete.
Glitches aside, the Filter button is now back! It allows you to further narrow down the set of results returned, client-side. The list of available criteria includes the date range, IP address, User, Activity or Detail, as illustrated on the screenshot below:
Depending on the number of results returned, you can expect to see several “pages” worth of data, in increments of 150 events. Scrolling to the bottom of the results page will load the next set of 150 events, or you can hit the Export button and Download all results instead. Selecting individual entries will cause the Details pane to pop up on the right, and nothing much seems to have changed here. You can also sort results by each of the columns, but not rearrange them.
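Two of the points above are easy to get wrong when you work with audit data outside the portal as well: the end date is an exclusive midnight boundary (so including today means setting it to tomorrow), and the Filter button narrows results purely client-side, over whatever the search already returned, in pages of 150. The following Python is an added example, not code from the original post or from Microsoft; the record field names (CreationDate, UserId, ClientIP, Operation, ObjectId) and the sample records are constructed for illustration and are not the portal's export schema.

```python
from datetime import datetime, date, time, timedelta, timezone

PAGE_SIZE = 150  # the results grid loads events in increments of 150

# Constructed sample records (not real tenant data); field names are an assumption.
SAMPLE_RECORDS = [
    {"CreationDate": "2022-03-13T08:15:00Z", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.10", "Operation": "FileAccessed",
     "ObjectId": "https://contoso.example/sites/finance/budget.xlsx"},
    {"CreationDate": "2022-03-14T17:42:00Z", "UserId": "bob@contoso.example",
     "ClientIP": "198.51.100.7", "Operation": "UserLoggedIn", "ObjectId": ""},
    {"CreationDate": "2022-03-15T10:05:00Z", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.10", "Operation": "FileDownloaded",
     "ObjectId": "https://contoso.example/sites/finance/budget.xlsx"},
    {"CreationDate": "2022-03-15T11:30:00Z", "UserId": "carol@contoso.example",
     "ClientIP": "192.0.2.44", "Operation": "MailboxLogin", "ObjectId": ""},
]


def search_window(today, days_back=1, include_today=True):
    """Build the (start, end) pair the way the portal needs it.

    The end date acts as an exclusive midnight boundary, so to include
    today's events it must be set to tomorrow (include_today=True).
    include_today=False reproduces the naive choice of "end = today",
    which silently drops everything that happened today.
    The preview's default range is one day (days_back=1).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    start = datetime.combine(today - timedelta(days=days_back), time.min, tzinfo=timezone.utc)
    end_day = today + timedelta(days=1) if include_today else today
    end = datetime.combine(end_day, time.min, tzinfo=timezone.utc)
    return start, end


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_results(records, start=None, end=None, ip=None, user=None,
                   activity=None, detail=None):
    """Client-side narrowing, mirroring the Filter button's criteria.

    start/end  : inclusive start, exclusive end (datetime)
    ip         : exact match on ClientIP
    user       : case-insensitive match on UserId
    activity   : exact match on Operation
    detail     : case-insensitive substring over every field of the record
    """
    out = []
    for rec in records:
        ts = parse_ts(rec["CreationDate"])
        if start is not None and ts < start:
            continue
        if end is not None and ts >= end:
            continue
        if ip is not None and rec["ClientIP"] != ip:
            continue
        if user is not None and rec["UserId"].lower() != user.lower():
            continue
        if activity is not None and rec["Operation"] != activity:
            continue
        if detail is not None and not any(
                detail.lower() in str(v).lower() for v in rec.values()):
            continue
        out.append(rec)
    return out


def page(records, page_no, size=PAGE_SIZE):
    """Return the slice the grid would load on scroll number page_no (0-based)."""
    return records[page_no * size:(page_no + 1) * size]


if __name__ == "__main__":
    start, end = search_window("2022-03-15")
    print("window:", start.isoformat(), "->", end.isoformat())
    hits = filter_results(SAMPLE_RECORDS, start=start, end=end)
    print(len(hits), "events in the default one-day window including today")
    _, naive_end = search_window("2022-03-15", include_today=False)
    print(len(filter_results(SAMPLE_RECORDS, start=start, end=naive_end)),
          "events if the end date is left at today")
    print(len(filter_results(hits, user="alice@contoso.example")), "of those by alice")
    print(len(page(hits, 0, size=2)), "events on the first page of size 2")
```

Run it as a script to see the two window variants side by side; the naive end date loses every event from the current day, which is exactly the behaviour the Classic and preview UIs share.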
And that’s it in a nutshell. The new Preview adds async execution of search queries and a somewhat improved experience that allows you to reuse previous queries. And we’re getting back the Filter button on the results page, which was definitely missed. Some of the other grievances I have with the Search experience in the Purview compliance center remain unaddressed, which is all the more annoying now that the relevant SCC bits are gone for good. On the positive side, the annoying issue that caused the dates to be displayed as Invalid date seems to now be fixed. Perhaps. The issue with the UI bits occasionally being grayed out when landing on the Audit search page still remains, and sometimes persists even after multiple refreshes 🙁