I guess Microsoft could plead that the AuditLogQuery API is in preview and therefore liable to break as they fine tune the code to make it GA. I see some other signs of instability with the results generated by the Search-UnifiedAuditLog cmdlet. Let’s hope that this period passes quickly and normal (good JSON) service is restored.

Unfortunately I also get the same invalid JSON returned from Graph (which makes all methods that parse the response as JSON break – like Invoke-MgGraphRequest or Get-MgBetaSecurityAuditLogQueryRecord or Invoke-PnPGraphMethod ).
It looks like a there are multiple people reporting the same like on this posts:
https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2689
https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2677
https://learn.microsoft.com/en-us/answers/questions/1643751/im-receiving-incomplete-invalid-json-responses-for.
Even in Graph explorer it gives a warning malformed JSON body.

Sounds like some bad data is in the AdministrativeUnits property in the AuditData payload for an audit record. I haven’t seen this before.

Thanks, the body was indeed malformed…

Moving forward i’m now getting another error while fetching the records : Invoke-MgGraphRequest : Conversion from JSON failed with error: After parsing a value an unexpected character was encountered: {. Path ‘value[406].administrativeUnits’, line 1, position 1027566.

Very true… and if you look at the script, it uses Top=999 to minimize the number of Graph requests used to fetch data. When you’re retrieving potentially tens of thousands of audit records, this helps…

I’ve seen quite a few internal server errors (500) in my testing. It could be just that (a server error) or it might be that the body used in the request is malformed in some way.

Very interesting article as always !

I’m getting the following error when posting the query to the audit log queries endpoint in order to create a new job (using Azure automation account), any idea ?

POST https://graph.microsoft.com/beta/security/auditLog/queries HTTP/1.1 500 Internal Server Error Transfer- XXXXXXXX – Code line: $NewSearch = Invoke-MgGraphRequest -Uri $Uri -Method $method -Body $body