Forum Discussion

JeremyTBradshaw
Steel Contributor
Jul 02, 2021

MS Graph (or alternative) for M365/O365 Retention Policy management

Wondering if anyone is aware of whether we can get API access to the Security and Compliance Center. I'm not even sure what to call it, but I need to manage retention policies that today are managed at https://compliance.microsoft.com, or via Connect-IPPSSession (from the EXO v2 PS module).


What I'm trying to avoid is basic authentication with Connect-IPPSSession.  I don't see anything for MS Graph from the v1.0/beta references, and I have already asked the Exchange Team in the comments for their blog post about the app-only/certificate authentication addition to Connect-ExchangeOnline (asked if they'll bring the same added functionality to Connect-IPPSSession).


My use case is to script, unattended, the addition/removal of certain users to/from the excluded mailboxes list for a given retention policy. Interactively, this would be done like this:


Connect-IPPSSession <parameters of choice>
Set-RetentionCompliancePolicy <policy> -AddExchangeLocationException <one,or,more,users>


The reason is that a customer is using a retention policy to ensure their terminating users' mailboxes become Inactive Mailboxes.  Since they rely so heavily on Inactive Mailboxes, auto-expanding archives are out of the question (as this takes away recoverability/restorability for Inactive Mailboxes).  As a result, many mailboxes are hitting the 100GB Recoverable Items quota.  So we have a manual process for now to exclude these mailboxes from the policy, then either wait or rush with Start-ManagedFolderAssistant to see the Recoverable Items consumption go down.


We can easily use Connect-ExchangeOnline, Get-EXOMailbox, and Get-EXOMailboxStatistics with an Azure AD app and a certificate to figure out which mailboxes are approaching the 100GB.  But we can't do the same with Connect-IPPSSession.  I am eagerly awaiting either MS Graph support for this, or for Connect-IPPSSession to be updated.  Neither of these things are even announced that I can see.
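
As an added example (not code from the original post or from Microsoft), here is an unattended PowerShell version of the procedure described above: use the certificate-authenticated EXO cmdlets to find mailboxes whose Recoverable Items folder is approaching the 100 GB quota, then add the new ones to the retention policy's excluded mailboxes through a Security & Compliance session that uses the same app and certificate. Everything in the comments marked as an assumption is not on the page: the app registration is assumed to hold the Exchange.ManageAsApp application permission plus an admin role that covers both the Exchange and the compliance cmdlets, the ExchangeOnlineManagement module is assumed to be a version in which Connect-IPPSSession accepts -AppId/-Organization/-CertificateThumbprint (the 2.0.6 preview line at the time of the thread), and the AppId, tenant name, thumbprint and policy name are placeholders.

```powershell
# Added example, not from the original post. Unattended: find mailboxes near the
# Recoverable Items quota, then exclude them from a retention policy, with app-only
# (certificate) auth for both the EXO and the Security & Compliance endpoints.
#
# Assumptions (not on the page): an Azure AD app registration with the
# Exchange.ManageAsApp application permission and an admin role covering both
# Exchange and compliance cmdlets; an ExchangeOnlineManagement version whose
# Connect-IPPSSession takes -AppId/-Organization/-CertificateThumbprint; and the
# placeholder AppId, tenant, thumbprint and policy name below, which are made up.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AppId          = '00000000-0000-0000-0000-000000000000',          # placeholder
    [string]$Organization   = 'contoso.onmicrosoft.com',                        # placeholder
    [string]$Thumbprint     = '0000000000000000000000000000000000000000',       # placeholder
    [string]$PolicyName     = 'Terminated Users - Inactive Mailbox Retention',  # placeholder
    [int64] $ThresholdBytes = 90GB,   # act before the 100 GB Recoverable Items quota is hit
    [switch]$KickMfa                  # run the Managed Folder Assistant on each new exclusion
)

# EXO cmdlets return ByteQuantifiedSize values as strings such as
# "95.2 GB (102,226,009,293 bytes)"; take the exact byte count rather than the
# rounded prefix so the threshold comparison is precise.
function ConvertTo-Bytes {
    param([string]$Size)
    if ($Size -match '\(([\d,]+)\s+bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    return [int64]0
}

# --- 1. Exchange Online (app-only): which mailboxes are near the Recoverable Items quota? ---
Connect-ExchangeOnline -AppId $AppId -Organization $Organization -CertificateThumbprint $Thumbprint -ShowBanner:$false

$nearQuota = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties RecoverableItemsQuota) {
    # TotalDeletedItemSize is the size of the Recoverable Items folder.
    $stats = Get-EXOMailboxStatistics -Identity $mbx.UserPrincipalName -Properties TotalDeletedItemSize
    $bytes = ConvertTo-Bytes $stats.TotalDeletedItemSize
    if ($bytes -ge $ThresholdBytes) {
        [pscustomobject]@{
            UserPrincipalName     = $mbx.UserPrincipalName
            RecoverableItemsGB    = [math]::Round($bytes / 1GB, 1)
            RecoverableItemsQuota = $mbx.RecoverableItemsQuota
        }
    }
}
$nearQuota | Format-Table -AutoSize | Out-String | Write-Verbose

# --- 2. Security & Compliance (same app and cert): add the new ones to the policy's exceptions ---
Connect-IPPSSession -AppId $AppId -Organization $Organization -CertificateThumbprint $Thumbprint

$policy = Get-RetentionCompliancePolicy -Identity $PolicyName
# Assumption: each existing exception entry stringifies to the mailbox address; check on your tenant.
$existing = @($policy.ExchangeLocationException | ForEach-Object { "$_".ToLowerInvariant() })
$toAdd    = @($nearQuota.UserPrincipalName | Where-Object { $existing -notcontains $_.ToLowerInvariant() })

if ($toAdd.Count -eq 0) {
    Write-Host "Nothing to do: every mailbox over $([math]::Round($ThresholdBytes / 1GB)) GB is already excluded."
}
elseif ($PSCmdlet.ShouldProcess($PolicyName, "Add $($toAdd.Count) mailbox exception(s): $($toAdd -join ', ')")) {
    Set-RetentionCompliancePolicy -Identity $PolicyName -AddExchangeLocationException $toAdd
    if ($KickMfa) {
        # Start-ManagedFolderAssistant is an EXO cmdlet (step 1 session), not an SCC one.
        $toAdd | ForEach-Object { Start-ManagedFolderAssistant -Identity $_ }
    }
}

# Disconnect-ExchangeOnline tears down both the EXO and the SCC connections.
Disconnect-ExchangeOnline -Confirm:$false
```

Run it with -WhatIf first: the script only reports which mailboxes it would add to the exclusion list. Two practitioner caveats: the exclusion is applied when the policy is redistributed, and the Recoverable Items consumption only starts to drop once the Managed Folder Assistant has processed the mailbox (hence the optional -KickMfa), so verify with Get-RetentionCompliancePolicy and a later Get-EXOMailboxStatistics rather than assuming success from the Set call returning.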

    • JeremyTBradshaw
      Steel Contributor
      Aw yeah 👍!!!! The timing is spectacular as I have just worked on several scripts that are stuck doing Basic for unattended... So it'll still be nice and fresh, easy to update them.

      Thank you for coming here with this news!
      • JeremyTBradshaw
        Steel Contributor

        Jhosefer, svermaak_MGL, dgal73, Victor_Ivanidze, hi all,


        I forgot to share something that was provided to me by Chris D on GitHub (I think, but sort of forget) MS Support. Right now, the Connect-IPPSSession that supports certificate-based app-only authentication is only within the preview modules 2.0.6***. If we want to accomplish the same thing, but using the current GA 2.0.5, we can use Connect-ExchangeOnline and simply supply the -ConnectionUri parameter with the URL to the SCC:


        # App-only (certificate) auth against the Security & Compliance Center using the GA EXO module:
        # -ConnectionUri points Connect-ExchangeOnline at the SCC PowerShell endpoint instead of EXO.
        Connect-ExchangeOnline -AppId e3de3805-2f5a-43c7-8541-b448b50936f4 `
            -Organization MyTenant.onmicrosoft.com `
            -Certificate (Get-ChildItem cert:\CurrentUser\My\98556EEAC704460287C809AEDA9CD3A33A9CAA9B) `
            -ConnectionUri 'https://ps.compliance.protection.outlook.com'


        ... and it works flawlessly! I can't find this documented as supported; however, I do feel better using this approach in production scripts for clients, vs using the prerelease module versions. Hope you find it helpful!

    • dgal73
      Copper Contributor
      Question: are you prompted for user/pass/mfa for each of the services you connect to when using the method in that article?
      • JeremyTBradshaw
        Steel Contributor
        I think each module needs its own token to cache initially, so it makes sense they'd each need the user / pass / MFA, but then the frequency would depend on a bunch of things.

        But in any case, I truly am only after non-user/pass authentication. Since either MS Graph or Connect-ExchangeOnline can each do client credential OAuth flow (certificate credential), I just have this one part left which still only supports interactive user/pass. Hoping somebody has found a way...
    • JeremyTBradshaw
      Steel Contributor
      Hi, I have seen that page and appreciate it. But, I'm specifically looking for unattended approach and ideally not using username/password, rather certificate and registered app in Azure AD. This is doable today for several of the services in the link you referred, but not for the Security and Compliance Center yet.
