What problem would this feature solve?
Description:
When UnifiedAuditLogIngestionEnabled is $false on the tenant (which is the default for new/uncustomised tenants), all Search-UnifiedAuditLog calls silently return BadRequest with no results. This causes misleading output -- Hawk completes without error but collects no UAL data whatsoever.
Steps to reproduce:
Run Start-HawkTenantInvestigation on a tenant where auditing has never been explicitly enabled. All UAL searches return BadRequest and zero results with no clear explanation why.
Proposed Solution
Expected behaviour:
Initialize-HawkGlobalObject should fail at a pre-flight check:
```powershell
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified Audit Log ingestion is disabled on this tenant. UAL searches will return no results."
    Write-Warning "To enable: run Enable-OrganizationCustomization, then Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}
```
Impact: High -- silently produces empty forensic output on uncustomised tenants, which could lead an investigator to incorrectly conclude there is nothing to find.
Technical Requirements
No response
Implementation Approach
No response
Acceptance Criteria
No response
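
An added example, not Hawk's code or the reporter's: one way to make the pre-flight check fail closed, as the expected behaviour above asks, rather than only warn. The function name `Test-UalIngestionPreflight` and its `-ConfigProvider` parameter are hypothetical, and the sample configuration objects are constructed so the check can be exercised without a tenant connection.

```powershell
# Added example, not Hawk code. Test-UalIngestionPreflight and -ConfigProvider are hypothetical names.
function Test-UalIngestionPreflight {
    [CmdletBinding()]
    param(
        # Injectable so the check can be exercised offline; defaults to the real cmdlet.
        # Run the default against an Exchange Online session: in Security & Compliance
        # PowerShell the UnifiedAuditLogIngestionEnabled property always reads False.
        [scriptblock]$ConfigProvider = { Get-AdminAuditLogConfig -ErrorAction Stop }
    )

    try {
        $auditConfig = & $ConfigProvider
    }
    catch {
        # An unreadable setting is not "enabled": stop rather than collect an empty result set.
        throw "Pre-flight failed: could not read the admin audit log configuration. $($_.Exception.Message)"
    }

    if ($null -eq $auditConfig -or
        $auditConfig.PSObject.Properties.Name -notcontains 'UnifiedAuditLogIngestionEnabled') {
        throw "Pre-flight failed: UnifiedAuditLogIngestionEnabled was not returned."
    }

    if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
        throw ("Unified Audit Log ingestion is disabled on this tenant. " +
               "UAL searches will return no results. To enable: run Enable-OrganizationCustomization, " +
               "then Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true")
    }
    return $true
}

# Constructed sample configurations (not real tenant output).
$samples = [ordered]@{
    'enabled'  = { [pscustomobject]@{ UnifiedAuditLogIngestionEnabled = $true } }
    'disabled' = { [pscustomobject]@{ UnifiedAuditLogIngestionEnabled = $false } }
    'error'    = { throw 'session not connected' }
}
foreach ($name in $samples.Keys) {
    try {
        $null = Test-UalIngestionPreflight -ConfigProvider $samples[$name]
        "{0}: proceed with UAL collection" -f $name
    }
    catch {
        "{0}: STOP - {1}" -f $name, $_.Exception.Message
    }
}
```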