logicsec-zz
diff --git a/‎exchange/exchange-ps/exchange/policy-and-compliance-audit/Search-AdminAuditLog.md
Lines changed: 69 additions & 32 deletions b/‎exchange/exchange-ps/exchange/policy-and-compliance-audit/Search-AdminAuditLog.md
Lines changed: 69 additions & 32 deletions
@@ -14,39 +14,49 @@ monikerRange: "exchserver-ps-2010 || exchserver-ps-2013 || exchserver-ps-2016 ||
 ## SYNOPSIS
 This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
 
-Use the Search-AdminAuditLog cmdlet to search the contents of the administrator audit log.
+Use the Search-AdminAuditLog cmdlet to search the contents of the administrator audit log. Administrator audit logging records when a user or administrator makes a change in your organization (in the Exchange admin center or by using cmdlets).
 
 For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax (https://technet.microsoft.com/library/bb123552.aspx).
 
 ## SYNTAX
 
 ```
-Search-AdminAuditLog [[-Cmdlets <MultiValuedProperty>]
- [-DomainController <Fqdn>] [-EndDate <ExDateTime>] [-IsSuccess <$true | $false>]
- [-ObjectIds <MultiValuedProperty>] [-Parameters <MultiValuedProperty>] [-ResultSize <Int32>]
- [-StartDate <ExDateTime>] [-StartIndex <Int32>] [-UserIds <MultiValuedProperty>]
- [-ExternalAccess <$true | $false>] [<CommonParameters>]
+Search-AdminAuditLog
+ [-Cmdlets <MultiValuedProperty>]
+ [-DomainController <Fqdn>]
+ [-EndDate <ExDateTime>]
+ [-ExternalAccess <$true | $false>]
+ [-IsSuccess <$true | $false>]
+ [-ObjectIds <MultiValuedProperty>]
+ [-Parameters <MultiValuedProperty>]
+ [-ResultSize <Int32>]
+ [-StartDate <ExDateTime>]
+ [-StartIndex <Int32>]
+ [-UserIds <MultiValuedProperty>]
+ [<CommonParameters>]
 ```
 
 ## DESCRIPTION
 If you run the Search-AdminAuditLog cmdlet without any parameters, up to 1,000 log entries are returned by default.
 
 Note: In Exchange Online, if you don't use the StartDate or EndDate parameters, only results from the last 14 days are returned.
 
+For more information about the structure and properties of the audit log, [Administrator audit log structure](https://docs.microsoft.com/en-us/Exchange/policy-and-compliance/admin-audit-logging/log-structure).
+
 You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet (https://technet.microsoft.com/library/mt432940.aspx).
 
 ## EXAMPLES
 
 ### -------------------------- Example 1 --------------------------
 ```
-Search-AdminAuditLog -Cmdlets New-RoleGroup, New-ManagementRoleAssignment
+Search-AdminAuditLog -Cmdlets New-RoleGroup,New-ManagementRoleAssignment
 ```
 
 This example finds all the administrator audit log entries that contain either the New-RoleGroup or the New-ManagementRoleAssignment cmdlet.
 
 ### -------------------------- Example 2 --------------------------
 ```
-Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota -StartDate 01/24/2018 -EndDate 02/12/2018 -IsSuccess $true
+Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults,ProhibitSendReceiveQuota,ProhibitSendQuota -StartDate 01/24/2018 -EndDate 02/12/2018 -IsSuccess $true
 ```
 
 This example finds all the administrator audit log entries that match the following criteria:
@@ -80,9 +90,9 @@ This example returns entries in the administrator audit log of an Exchange Onlin
 ## PARAMETERS
 
 ### -Cmdlets
-The Cmdlets parameter specifies the cmdlets you want to search for in the administrator audit log. Only the log entries that contain the cmdlets you specify are returned.
+The Cmdlets parameter filters the results by the cmdlets that were used. You can specify multiple cmdlets separated by commas.
 
-If you want to specify more than one cmdlet, separate each cmdlet with a comma.
+In the results of this cmdlet, this property is named **CmdletName**.
 
 ```yaml
 Type: MultiValuedProperty
@@ -118,6 +128,8 @@ The EndDate parameter specifies the end date of the date range.
 
 Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM".
 
+In the results of this cmdlet, the date/time when the change was made (the cmdlet was run) is returned in the property named **RunDate**.
+
 ```yaml
 Type: ExDateTime
 Parameter Sets: (All)
@@ -130,8 +142,33 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -ExternalAccess
+The ExternalAccess parameter filters the results by changes that were made (cmdlets that were run) by users outside of your organization. Valid values are:
+
+- $true: Only return audit log entries where the change was made by an external user. In Exchange Online, use value to return audit log entries for changes that were made by Microsoft datacenter administrators.
+
+- $false: Only return audit log entries where the change was made by an internal user.
+
+```yaml
+Type: $true | $false
+Parameter Sets: (All)
+Aliases:
+Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -IsSuccess
-The IsSuccess parameter specifies whether only administrator audit log entries that indicated a success or failure should be returned. Valid values are $true and $false.
+The IsSuccess parameter filters the results by whether the changes were successful. Valid values are:
+
+- $true: Only return audit log entries where the change was successful (in other words, the cmdlet ran successfully).
+
+- $false: Only return audit log entries where the change was not successful (in other words, the cmdlet did not run successfully and resulted in an error).
+
+In the results of this cmdlet, this property is named **Succeeded**.
 
 ```yaml
 Type: $true | $false
@@ -146,9 +183,17 @@ Accept wildcard characters: False
 ```
 
 ### -ObjectIds
-The ObjectIds parameter specifies that only administrator audit log entries that contain the specified changed objects should be returned. This parameter accepts a variety of objects, such as mailbox aliases, Send connector names, and so on.
+The ObjectIds parameter filters the results by the object that was modified (the mailbox, public folder, Send connector, transport rule, accepted domain, etc. that the cmdlet operated on). A valid value depends on how the object is represented in the audit log. For example:
+
+- Name
 
-If you want to specify more than one object ID, separate each ID with a comma.
+- Canonical distinguished name (for example, contoso.com/Users/Akia Al-Zuhairi)
+
+- Public folder identity (for example, \\Engineering\\Customer Discussion)
+
+You'll likely need to use other filtering parameters on this cmdlet to narrow down the results and identify the types of objects that you're interested in. In the results of this cmdlet, this property is named **ObjectModified**.
+
+To enter multiple values, use the following syntax: Value1,Value2,...ValueN. If the values contain spaces or otherwise require quotation marks, you need to use the following syntax: "Value 1","Value 2",..."Value N".
 
 ```yaml
 Type: MultiValuedProperty
@@ -163,9 +208,9 @@ Accept wildcard characters: False
 ```
 
 ### -Parameters
-The Parameters parameter specifies the parameters you want to search for in the administrator audit log. Only the log entries that contain the parameters you specify are returned. You can only use this parameter if you use the Cmdlets parameter.
+The Parameters parameter filters the results by the parameters that were used. You can only use this parameter with the Cmdlets parameter (you can't use it by itself). You can specify multiple parameters separated by commas.
 
-If you want to specify more than one parameter, separate each parameter with a comma.
+In the results of this cmdlet, this property is named **CmdletParameters**
 
 ```yaml
 Type: MultiValuedProperty
@@ -181,6 +226,7 @@ Accept wildcard characters: False
 
 ### -ResultSize
 The ResultSize parameter specifies the maximum number of results to return. The default value is 1000.
+
 The maximum results to return is 250,000.
 
 ```yaml
@@ -200,6 +246,8 @@ The StartDate parameter specifies the start date of the date range.
 
 Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM".
 
+In the results of this cmdlet, the date/time when the change was made (the cmdlet was run) is returned in the property named **RunDate**.
+
 ```yaml
 Type: ExDateTime
 Parameter Sets: (All)
@@ -228,30 +276,19 @@ Accept wildcard characters: False
 ```
 
 ### -UserIds
-The UserIds parameter specifies that only the administrator audit log entries that contain the specified ID of the user who ran the cmdlet should be returned.
+The UserIds parameter filters the results by the user who made the change (who ran the cmdlet).
 
-If you want to specify more than one user ID, separate each ID with a comma.
+A typical value for this parameter is the user principal name (UPN; for example, [email protected]). But, updates that were made by system accounts without email addresses might use the Domain\Username syntax (for example, NT AUTHORITY\SYSTEM (MSExchangeHMHost)).
 
-```yaml
-Type: MultiValuedProperty
-Parameter Sets: (All)
-Aliases:
-Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online
-Required: False
-Position: Named
-Default value: None
-Accept pipeline input: False
-Accept wildcard characters: False
-```
+To enter multiple values, use the following syntax: User1,User2,...UserN. If the values contain spaces or otherwise require quotation marks, you need to use the following syntax: "User 1","User 2",..."User N".
 
-### -ExternalAccess
-The ExternalAccess parameter returns only audit log entries for cmdlets that were run by a user outside of your organization. In Exchange Online, use this parameter to return audit log entries for cmdlets run by Microsoft datacenter administrators.
+In the results of this cmdlet, this property is named **Caller**
 
 ```yaml
-Type: $true | $false
+Type: MultiValuedProperty
 Parameter Sets: (All)
 Aliases:
-Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online
+Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online
 Required: False
 Position: Named
 Default value: None