underQualifried
Brass Contributor
Feb 28, 2025
Solved

Configuring 'Quarantine release request' alert via powershell?

I'm working on a big fat script to configure the Threat policies in compliance with Secure Score. I'd like to configure a quarantine policy allowing the user to request release (done), that emails the request to email address removed for privacy reasons (problem). Most of this I've done via ExchangeOnline, but the Alerts policy that notifies us when a user requests release - that is apparently managed via the ippsSession components.  I've tried to

1) Get the system alert policy named "User requested to release a quarantined email", pull its Identity, and set "NotifyUser" to my desired email using its Identity. For reasons I don't understand, it seems to truncate the Identity param when I try to set it, so it can't find it.

```powershell
PS C:\Users\woof\Documents> $alertPolicy.Identity
> FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User requested to release a quarantined message
> Set-ProtectionAlert -Identity $alertPolicy.Identity -NotifyUser "email address removed for privacy reasons"
Write-ErrorMessage : There is no rule matching identity 'f00ed340-8f84-4eb4-83f3-0075a22b262e\User requested to release a quarantined message'. At C:\Users\woof\AppData\Local\Temp\tmpEXO_jw5lvpdc.vtl\tmpEXO_jw5lvpdc.vtl.psm1:1189 char:13
+             Write-ErrorMessage $ErrorObject
```


2) Create a new alert policy with

```powershell
PS C:\Users\woof\Documents> New-ProtectionAlert -Name "test2" -NotifyUser "email address removed for privacy reasons" -Operation "QuarantineRequestReleaseMessage" -NotificationEnabled $true -Severity "Low" -Disabled $false -ThreatType "Activity"
```

This returns that I'm not allowed to make "advanced alert policies" with my P2 license - only "single event alerts", and that I'd need an Enterprise license to do this?

Considering I can do both of these things without issue on the web portal, and there's really nothing 'advanced' about wanting to add an alert recipient, I have to imagine I'm approaching this wrong. I just want to set these alerts to go to a different email. 


4 Replies

  • You cannot modify built-in policies, as mentioned in the documentation:

    Note: You can't use this cmdlet to edit default alert policies. You can only modify alerts that you created using the New-ProtectionAlert cmdlet.

    The UI uses a different API to update policies ("policy overrides"), which is not exposed via any PowerShell cmdlet, afaik.

    As for creating the alert, try specifying "-AggregationType None", as "advanced" aggregations are one of the conditions that require premium licensing.

     

     

    • underQualifried
      Brass Contributor

      VasilMichev Thank you, adding that param bypassed the licensing requirements!

      I had to also specify Operation for it to go through, but I just checked the web end and it looks good.. Full command I used (for google's sake) 

      ```powershell
      PS C:\WINDOWS\system32> New-ProtectionAlert -AggregationType None -Operation QuarantineRequestReleaseMessage  -Category ThreatManagement -name someName -NotifyUser email address removed for privacy reasons -ThreatType Activity
      ```
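
For use inside a larger provisioning script, the approach from this reply chain can be made safe to re-run: create the custom alert policy with `-AggregationType None` if it is missing, otherwise update its recipients with `Set-ProtectionAlert`, which works on policies created through `New-ProtectionAlert`. This is an added example, not code from the thread; the function name, policy name and recipient address are placeholders, an existing `Connect-IPPSSession` session is assumed, and the `NotifyUser` property on the returned object is assumed to mirror the parameter of the same name.

```powershell
# Added example: idempotent setup of a custom "quarantine release request" alert.
# Assumes Connect-IPPSSession has already been run in this session.
function Set-QuarantineReleaseAlert {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]   $AlertName,   # name of YOUR policy, not the built-in one
        [Parameter(Mandatory)][string[]] $Recipient    # mailbox(es) that should receive the alert
    )

    # Find a previously created custom policy by name.
    $existing = Get-ProtectionAlert | Where-Object { $_.Name -eq $AlertName }

    if (-not $existing) {
        if ($PSCmdlet.ShouldProcess($AlertName, 'Create alert policy')) {
            # -AggregationType None keeps this a single-event alert, which is
            # what avoided the licensing error discussed in the thread.
            New-ProtectionAlert -Name $AlertName `
                -Category ThreatManagement `
                -ThreatType Activity `
                -Operation QuarantineRequestReleaseMessage `
                -AggregationType None `
                -Severity Low `
                -NotificationEnabled $true `
                -NotifyUser $Recipient
        }
        return
    }

    # Policy exists: only change it when the recipient list differs.
    # (NotifyUser as an output property is an assumption, see lead-in.)
    $current = (@($existing.NotifyUser) | Sort-Object) -join ';'
    $wanted  = ($Recipient | Sort-Object) -join ';'
    if ($current -ne $wanted -and
        $PSCmdlet.ShouldProcess($AlertName, 'Update NotifyUser')) {
        Set-ProtectionAlert -Identity $AlertName -NotifyUser $Recipient
    }
}

# Placeholder values; run with -WhatIf first to see what would change.
Set-QuarantineReleaseAlert -AlertName 'Custom - Quarantine release request' `
    -Recipient 'secops@example.com' -WhatIf
```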

  • Hi, based on your description, it seems you’re facing two separate issues:

    1-Truncated Identity Issue:
    It appears that when you retrieve the alert policy, the Identity string is getting truncated when used with the Set-ProtectionAlert cmdlet. This might be due to how the module handles long strings with spaces or special characters. One possible workaround is to see if there’s a short alias or an alternative identifier that you can use instead. You might also try escaping special characters or enclosing the identity in quotes to ensure it’s interpreted correctly.

    2-Creating a New Alert Policy and Licensing Restrictions:
    When you try to create a new alert policy with your desired notification settings, you’re encountering an error that says you're not allowed to create "advanced alert policies" with your P2 license, and that an Enterprise license is required. This is puzzling, especially since the web portal lets you perform these actions without issue. It might be that through PowerShell, you are inadvertently triggering functionality that’s considered advanced, even if all you want is to change the alert recipient.

    Here are a few suggestions to consider:

    Double-check documentation: Look for any parameters or special modes that allow you to simply modify the notification recipient without enabling advanced features.
    Use a different identifier: If possible, check if there’s an alternative identifier or a more “short-hand” version of the alert policy’s Identity that might work without truncation.
    Reach out to support: Given the discrepancy between the web portal and PowerShell behavior, contacting Microsoft support or checking their forums/documentation might clarify if there’s a known issue or workaround.


    I hope these insights help you move forward.

    • underQualifried
      Brass Contributor

      Thanks for this! So, 

      1) So I looked into this again, and tried a few different  methods - Quotation Marks, Escape Chars, using -Operation to identify it. Unfortunately, Set-ProtectionAlert DEMANDS an -Identity. If you don't pass it, you get prompted.... 

      ```powershell
      PS C:\Users\woof> $alert.Identity
      FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User requested to release a quarantined message
      PS C:\Users\woof> Set-ProtectionAlert -Operation QuarantineRequestReleaseMessage -Identity $alert.Identity -NotifyUser email address removed for privacy reasons
      Set-ProtectionAlert: There is no rule matching identity 'f00ed340-8f84-4eb4-83f3-0075a22b262e\User requested to release a quarantined message'.
      ```

      Encapsulating with Quotations like "$alert.Identity" or "$($alert.Identity)" didn't change anything..

      I also tried Write-Host "Identity: $($alert.Identity)" to try to debug what it was passing, but this returns the full Identity - so this actually works.. Checking documentation on Set-ProtectionAlert, it SAYS - Identity can be the name, guid, or DN. So I try ALL of these.. and none of them match.. For reference $alert is directly pulled from my policies with Get-ProtectionAlert -  what's being passed is directly from the policy.

      ```powershell
      PS C:\Users\woof> $alert | Select-Object Name, Guid, DistinguishedName | Format-List

      Name              : User requested to release a quarantined message
      Guid              : 34116cef-7761-4cdf-a30b-5aa944d93d74
      DistinguishedName : CN=User requested to release a quarantined
                          message,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted
                          Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com

      PS C:\Users\woof> Set-ProtectionAlert -Identity $alert.Guid -NotifyUser (me)
      Set-ProtectionAlert: There is no rule matching identity '34116cef-7761-4cdf-a30b-5aa944d93d74'.
      PS C:\Users\woof> Set-ProtectionAlert -Identity $alert.DistinguishedName -NotifyUser (me)
      Set-ProtectionAlert: There is no rule matching identity 'FFO.extest.microsoft.com/Microsoft Exchange Hosted
      Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User requested to release a quarantined message'.
      PS C:\Users\woof> Set-ProtectionAlert -Identity $alert.name -NotifyUser (me)
      Set-ProtectionAlert: There is no rule matching identity 'User requested to release a quarantined message'.
      ```



      Re: reaching out to support, do you have any recommendations on where to do this? This IS the community hub, so I figured it would be active. And honestly, anytime I visit their documentation, I'm fixing errors. Any recommendations would be appreciated.

      e: even manually inputting the GUID doesn't work.

      ```powershell
      PS C:\Users\woof> Set-ProtectionAlert -Identity "f00ed340-8f84-4eb4-83f3-0075a22b262e" -NotifyUser (me)
      Set-ProtectionAlert: There is no rule matching identity 'f00ed340-8f84-4eb4-83f3-0075a22b262e'
      ```

      E2: from doc - Note: You can't use this cmdlet to edit default alert policies. You can only modify alerts that you created using the New-ProtectionAlert cmdlet.


      FFS..
