Get-MgBetaSecurityAuditLogQueryRecord

[Maxiz80]

It seems a string formatting error since it's missing the } that close the object

Following the script that I use:

$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AppID, (ConvertTo-SecureString -String $AppSecret -AsPlainText -Force)
Connect-MgGraph -ClientSecretCredential $ClientSecretCredential -TenantId $TID -ErrorAction Stop

New-MgBetaSecurityAuditLogQuery -FilterStartDateTime "2024-03-25 00:00" -FilterEndDateTime "2024-03-29 23:59" -DisplayName "activities"

PS C:\Users\Skype4bsched> Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId QueryID -All -Debug
DEBUG: [CmdletBeginProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientSecret', ContextScope: 'Process', AppName: 'GOSP-UCC-Reporting'.
DEBUG: [Authentication]: - Scopes: [...AuditLogsQuery.Read.All, AuditLog.Read.All, ...].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/security/auditLog/queries/*QueryID*/records

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; it-IT),PowerShell/5.1.17763.5696
Accept-Encoding : gzip
SdkVersion : graph-powershell-beta/2.17.0
client-request-id : ClientID

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 49dd6246-10aa-4a4f-ba47-e2820c958696
client-request-id : ClientID
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"MI2PEPF000002CD"}}
OData-Version : 4.0
Cache-Control : no-cache
Date : Fri, 12 Apr 2024 08:34:30 GMT

Body:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('*QueryID*')/records",
"@odata.count": 150,
"@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/*QueryID*/records?$skiptoken=1!4!MA--%2f1!48!MDAwOGE5ZTQtYTgzOC00NjcxLTI3OTgtMDhkYzRkOGNiYTY1",
"value": [...]
}

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/security/auditLog/queries/*QueryID*/records?$skiptoken=1!4!MA--%2f1!48!MDAwOGE5ZTQtYTgzOC00NjcxLTI3OTgtMDhkYzRkOGNiYTY1

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
Accept-Encoding : gzip
SdkVersion : graph-powershell-beta/2.17.0,
client-request-id : 25806d5f-7bdd-4a3d-ac0b-c0496b2cd5e5
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; it-IT),PowerShell/5.1.17763.5696

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 95a34a58-4332-493c-820d-0692c61ce6b6
client-request-id : 25806d5f-7bdd-4a3d-ac0b-c0496b2cd5e5
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"MI2PEPF000002CD"}}
OData-Version : 4.0
Cache-Control : no-cache
Date : Fri, 12 Apr 2024 08:34:32 GMT

Body:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('*QueryID*')/records",
"@odata.count": 150,
"@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/*QueryID*/records?$skiptoken=1!4!MA--%2f1!48!MDAxMGYwNDAtYmM5Mi00YzZmLTZlZTYtMDhkYzRjYTE3ODA2",
"value": [...]
}

Id AdministrativeUnits AuditLogRecordType ClientIP CreatedDateTime ObjectId

---

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/security/auditLog/queries/*QueryID*/records?$skiptoken=1!4!MA--%2f1!48!MDAxMGYwNDAtYmM5Mi00YzZmLTZlZTYtMDhkYzRjYTE3ODA2

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
Accept-Encoding : gzip
SdkVersion : graph-powershell-beta/2.17.0,
client-request-id : 0ed353da-584c-4760-b8be-d5aa082b1c47
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; it-IT),PowerShell/5.1.17763.5696

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : edb7916f-f77e-451b-b610-bf02b4851563
client-request-id : 0ed353da-584c-4760-b8be-d5aa082b1c47
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"MI2PEPF000002CD"}}
OData-Version : 4.0
Cache-Control : no-cache
Date : Fri, 12 Apr 2024 08:34:34 GMT

Body:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('*QueryID*')/records",
"@odata.count": 150,
"@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/*QueryID*/records?$skiptoken=1!4!MA--%2f1!48!MDAxOTcwNzEtMWMxYy00NWNkLWQzZjktMDhkYzRlMzkyMGRi",
"value": [...]
}

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/security/auditLog/queries/*QueryID*/records?$skiptoken=1!4!MA--%2f1!48!MDAxOTcwNzEtMWMxYy00NWNkLWQzZjktMDhkYzRlMzkyMGRi

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
Accept-Encoding : gzip
SdkVersion : graph-powershell-beta/2.17.0,
client-request-id : 5e3b79cc-e9de-4de9-8676-0f7ddca8f5e2
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; it-IT),PowerShell/5.1.17763.5696

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 8ba8f3e4-9459-4777-b506-5d1152fceeca
client-request-id : 5e3b79cc-e9de-4de9-8676-0f7ddca8f5e2
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"MI2PEPF000002CD"}}
OData-Version : 4.0
Cache-Control : no-cache
Date : Fri, 12 Apr 2024 08:34:35 GMT

Body:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('*QueryID*')/records",
"@odata.count": 150,
"@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/*QueryID*/records?$skiptoken=1!4!MA--%2f1!48!MDAyMWRkNzgtN2ZiYi00ZWI2LWYxZTYtMDhkYzRlNTBiZjVh",
"value": [...]
}

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/security/auditLog/queries/*QueryID*/records?$skiptoken=1!4!MA--%2f1!48!MDAyMWRkNzgtN2ZiYi00ZWI2LWYxZTYtMDhkYzRlNTBiZjVh

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
Accept-Encoding : gzip
SdkVersion : graph-powershell-beta/2.17.0,
client-request-id : 917fecde-2343-4130-add3-db179e2392fd
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; it-IT),PowerShell/5.1.17763.5696

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : a91c3698-df25-4b46-a0e9-2e3aa996b628
client-request-id : 917fecde-2343-4130-add3-db179e2392fd
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"MI2PEPF000002CD"}}
OData-Version : 4.0
Cache-Control : no-cache
Date : Fri, 12 Apr 2024 08:34:37 GMT

Body:
{...,
{"id":"002aae90-f402-c84e-6212-2a14a29e4f36",
"createdDateTime":"2024-03-27T13:04:31Z",
"auditLogRecordType":"Yammer",
"operation":"FileVisited",
"organizationId":"",
"userType":"Regular",
"userId":"",
"service":"Yammer",
"objectId":".jpg",
"userPrincipalName":"",
"clientIp":null,
"administrativeUnits":[""]
{"error":
{"code":"UnknownError",
"message":"Unexpected Jsontoken. Check response for property value[141].auditData.ActorYammerUserId",
"innerError":{"date":"2024-04-12T08:44:40",
"request-id":"e6e1bd2f-3476-453d-903f-945dda906c28",
"client-request-id":"3d8b7b60-2d19-416e-9e0e-0d973fea9101"
}
}
}

}

DEBUG: [CmdletException]: Received exception with message 'ParserException - Expected String while reading Expected field name). Was LeftBrace: {. : at Microsoft.Graph.Beta.PowerShell.Runtime.Json.TokenReader.Ensure(TokenKind kind, String readerName)
at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadArray()
at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadFieldValue()
at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadField()
at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadNode()
at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonNode.Parse(SourceReader sourceReader)
at Microsoft.Graph.Beta.PowerShell.Security.<>c.<SecurityAuditLogQueryListRecord_Call>b__375_0(Task1 body) at System.Threading.Tasks.ContinuationResultTaskFromResultTask2.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.d__94.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.Beta.PowerShell.Security.<SecurityAuditLogQueryListRecord_Call>d__375.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Graph.Beta.PowerShell.Security.<SecurityAuditLogQueryListRecord_Call>d__375.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.d__94.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.Beta.PowerShell.Security.<SecurityAuditLogQueryListRecord_Call>d__375.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Graph.Beta.PowerShell.Security.<SecurityAuditLogQueryListRecord_Call>d__375.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.Beta.PowerShell.Security.d__373.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.d__92.MoveNext()'
Get-MgBetaSecurityAuditLogQueryRecord : Expected String while reading Expected field name). Was LeftBrace: {.
At line:1 char:1

• Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId ****- ...

•   + CategoryInfo          : NotSpecified: (:) [Get-MgBetaSecur...ueryRecord_List], ParserException
    + FullyQualifiedErrorId : Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List
  
  

DEBUG: [CmdletEndProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord end processing.

Module Version
Get-Module Microsoft.Graph*

ModuleType Version Name ExportedCommands

---

Script 2.17.0 Microsoft.Graph.Authentication {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext...}
Script 2.17.0 Microsoft.Graph.Beta.Security {Add-MgBetaSecurityCaseEdiscoveryCaseCustodianHold, Add-MgBetaSecurityCaseEdiscoveryCaseNoncustodialDataSourceHold, Add-MgBetaSecurityCaseEdiscoveryCaseReviewSetQueryTag, Add-MgBetaSecurityCaseEdi...
Script 2.17.0 Microsoft.Graph.Users {Get-MgUser, Get-MgUserCount, Get-MgUserCreatedObject, Get-MgUserCreatedObjectAsServicePrincipal...}

Environment Data
$PSVersionTable

Name Value

---

PSVersion 5.1.17763.5696
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.5696
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

[EmilienCourt]

Hi,

For your information, I'm getting the exact same error.

@timayabi2020 did you have any time to investigate ?

Thanks a lot in advance :)

[timayabi2020]

@Maxiz80 @EmilienCourt I couldn't replicate the issue because I get a success whenever I try to out the command.

Maybe you can share an audit log query payload which you suspect is causing the issue so that I create it on my end, retrieve it's record and see whether I'll get the error.

[EmilienCourt]

@timayabi2020 Thanks for trying it out ! As it turns out, the issue only appears with some specific events (it is difficult to find which one, as the -Skip option of the cmdlet does not work).

I tested it again on a production tenant (~30k users), without any filter (except for startDate (-> 2 days ago) and endDate (->today), and here is the log :

The status of the request is succeeded

$(Get-MgBetaSecurityAuditLogQuery -AuditLogQueryId $auditLogQueryId).status 
succeeded

But when I try to get the results ...

Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $auditLogQueryId -Debug -Verbose
DEBUG: [CmdletBeginProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: '<REDACTED>'.
DEBUG: [Authentication]: - Scopes: [AuditLogsQuery.Read.All, AuditLog.Read.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/security/auditLog/queries/<REDACTED>/records

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Linux; Ubuntu 22.04.4 LTS; en-US),PowerShell/7.4.2
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.19.0
client-request-id             : <REDACTED>

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : <REDACTED>
client-request-id             : <REDACTED>
x-ms-ags-diagnostic           : <REDACTED>
odata-version                 : 4.0
Date                          : Mon, 01 Jul 2024 12:18:27 GM

Body:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('<REDACTED>')/records",
  "@odata.count": 150,
  "@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/<REDACTED>/records?$skiptoken=<REDACTED>",
  "value": [
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {
      "id": "<REDACTED>",
      "createdDateTime": "2024-07-01T11:47:43Z",
      "auditLogRecordType": "Yammer",
      "operation": "FileVisited",
      "organizationId": "<REDACTED>",
      "userType": "Regular",
      "userId": "<REDACTED>",
      "service": "Yammer",
      "objectId": "<REDACTED>",
      "userPrincipalName": "<REDACTED>",
      "clientIp": null,
      "administrativeUnits":[""]{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[12].auditData.FileId","innerError":{"date":"2024-07-01T12:18:28","request-id":"<REDACTED>","client-request-id":"<REDACTED>"}}}


DEBUG: [CmdletException]: Received exception with message 'ParserException - Expected String while reading Expected field name). Was LeftBrace: {. :    at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadArray()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonNode.Parse(SourceReader sourceReader)
   at Microsoft.Graph.Beta.PowerShell.Security.<>c.<SecurityAuditLogQueryListRecord_Call>b__375_0(Task`1 body)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.on2Xx(HttpResponseMessage responseMessage, Task`1 response)
   at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord(String auditLogQueryId, Nullable`1 Top, Nullable`1 Skip, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, IDictionary headers, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.ProcessRecordAsync()'
Get-MgBetaSecurityAuditLogQueryRecord_List: Expected String while reading Expected field name). Was LeftBrace: {.
DEBUG: [CmdletEndProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord end processing.

(I have beautified the JSON and the first events, which are fine).

I went ahead and got the specific event which was crashing the Purview API, using Search-UnifiedAuditLog :

{
  "UserId": "<REDACTED>",
  "ActorYammerUserId": <REDACTED>,
  "ActorUserId": "<REDACTED>",
  "YammerNetworkId": <REDACTED>,
  "Version": 1,
  "Id": "<REDACTED>",
  "RecordType": 22,
  "CreationTime": "2024-07-01T11:47:43",
  "Operation": "FileVisited",
  "OrganizationId": "<REDACTED>",
  "UserType": 0,
  "UserKey": "<REDACTED>",
  "Workload": "Yammer",
  "ResultStatus": "TRUE",
  "ObjectId": "<REDACTED>",
  "ClientIP": "<REDACTED>",
  "Details": "",
  "FileId": 2121248555008,
  "FileName": "<REDACTED>",
  "VersionId": 2145063878656
}

So my guess is that the Purview backend did not like that event :)

[timayabi2020]

@EmilienCourt this was a strange one. If that is the case, then I would suggest that you also open an issue here so that the API owner can investigate further.

[EmilienCourt]

@timayabi2020 I'm in the process of opening a support ticket for that API, if that's what you meant by "open an issue". Please note that this API issue is reproducible in every production tenant and totally breaks (unfiltered) log collection using Purview.

In the meantime, would it be possible to fix the -Skip parameter of the Get-MgBetaSecurityAuditLogQueryRecord cmdlet ? This could be a way of manually "skipping" the problematic events.

Regards,

[EmilienCourt]

@timayabi2020 another example :

{
  "id": "<REDACTED>",
  "createdDateTime": "2024-06-24T18:19:56Z",
  "auditLogRecordType": "SharePointFileOperation",
  "operation": "FileDownloaded",
  "organizationId": "<REDACTED>",
  "userType": "Regular",
  "userId": "<REDACTED>",
  "service": "OneDrive",
  "objectId": "<REDACTED>",
  "userPrincipalName": "<REDACTED>",
  "clientIp": null,
  "administrativeUnits": [""]{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[19].auditData.FileSizeBytes","innerError":{"date":"2024-07-04T08:47:09","request-id":"<REDACTED>","client-request-id":"<REDACTED>"}}}

[microsoft-github-policy-service]

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.