Amid the many undocumented “features” of Microsoft Exchange
server auditing, from time to time we discover new things. This time it is
about a limit that is set by Exchange on how many audit log search requests you
This number seems to be a maximum of 50 asynchronous mailbox
audit log search requests (New-MailboxAuditLogSearch
cmdlet) and 50 asynchronous admin audit log search requests (New-AdminAuditLogSearch
cmdlet). If you issue more than 50 of any of the above cmdlets, you will get an
error message like this:
-StartDate "2/10/2017 10:00" -EndDate "2/10/2017 11:00"
-Name "testing" -StatusMailRecipients firstname.lastname@example.org
You have exceeded the maximum number of
audit log search requests that your organization can submit. Please try again
CategoryInfo : QuotaExceeded:
(:) [New-AdminAuditLogSearch], InvalidOperationException
11:01:57 PM] [FailureCategory=Cmdlet-InvalidOperationException]
PSComputerName : lab-ex.test.local
After one or more audit log search requests have been
processed by Exchange, you can again issue more requests.
The counters for admin and mailbox audit log search
requests are separate. In the above example, we have reached the maximum number
of admin audit log search requests, but we have not issued any mailbox audit
log requests. Therefore, we can still issue New-MailboxAuditLogSearch cmdlets.
Also, the above limits only apply to asynchronous audit log
requests, so in the above example you could still issue Search-AdminAuditLog
cmdlets and get the results.
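
The behaviour described above suggests a submit-and-retry pattern when more than 50 search windows are needed. The following is an added example, not code from the original article or from Microsoft. The function name, window size, wait interval and retry count are hypothetical, and matching the error by its QuotaExceeded category or message text is an assumption based on the error output shown above.

```powershell
# Added example: submit one asynchronous admin audit log search per time window,
# waiting and retrying whenever Exchange rejects a request with the quota error.
# Run in the Exchange Management Shell. Names and defaults below are hypothetical.
function Submit-AdminAuditSearchWindows {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [Parameter(Mandatory)] [string]   $Recipient,
        [int] $WindowMinutes    = 60,
        [int] $RetryWaitSeconds = 300,  # assumption: tune to how quickly requests are processed
        [int] $MaxRetries       = 12
    )

    $submitted = 0
    $cursor    = $Start
    while ($cursor -lt $End) {
        $windowEnd = $cursor.AddMinutes($WindowMinutes)
        if ($windowEnd -gt $End) { $windowEnd = $End }
        $name    = 'audit-{0:yyyyMMdd-HHmm}' -f $cursor
        $attempt = 0

        while ($true) {
            try {
                # -ErrorAction Stop turns the quota error into a catchable exception
                New-AdminAuditLogSearch -StartDate $cursor -EndDate $windowEnd `
                    -Name $name -StatusMailRecipients $Recipient -ErrorAction Stop | Out-Null
                $submitted++
                break
            }
            catch {
                # Assumption: recognise the quota error by category or by message text
                $isQuota = ($_.CategoryInfo.Category -eq 'QuotaExceeded') -or
                           ($_.Exception.Message -like '*exceeded the maximum number*')
                if (-not $isQuota -or $attempt -ge $MaxRetries) { throw }
                $attempt++
                Write-Warning "Quota reached at '$name'; retry $attempt of $MaxRetries in $RetryWaitSeconds s."
                Start-Sleep -Seconds $RetryWaitSeconds
            }
        }
        $cursor = $windowEnd
    }
    return $submitted
}

# Constructed sample call: 72 hourly windows, which exceeds the limit of 50
Submit-AdminAuditSearchWindows -Start '2/10/2017 00:00' -End '2/13/2017 00:00' `
    -Recipient 'firstname.lastname@example.org'
```

Because the mailbox counter is separate, the same loop around New-MailboxAuditLogSearch would not compete with these requests for the quota.
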
From our testing so far, this applies to most (if not all)
cumulative updates of Exchange 2013 and Exchange 2016, but not to Exchange
Where is this limit specified? Can it be changed? We do not
know yet. If you do, please let us know.