SOLVED

Configuring Alerts using PowerShell


I want to be able to configure the Office 365 alerts using PowerShell. To do this, as I understand it I need to use the cmdlet new-protectionalert. However, when I use this I get an error like:

 

"Creating advanced alert policies requires an Office 365 E5 subscription or Office 365 E3 subscription with an Office 365 Threat Intelligence or Office 365 EquivioAnalytics add-on subscription for your organization. With your current subscription, only single event alert can be created."

 

However, if I go in via the web console I can configure a range of alerts for a tenant without E5 or Threat Intelligence addin. Thus, it isn't a licensing issue as I can create alerts via the web, just seems to be an issue with PowerShell.

 

Does anyone have an idea on how to use the new-protectionalert cmdlet for tenants without E5 to save me from manually using the web interface for every different tenant??

 

7 Replies

Try the Get-ActivityAlert/New-ActivityAlert instead.


I have already set these 'Activity Alerts' via PowerShell. They work as expected. These however are not the same currently as the ones I am trying to set here.

 

Thus, there are two types of O365 alerts, old ones (new-activityalert) and new ones (new-protectionalert).

 

New alerts are here - 

https://protection.office.com/#/alertpolicies

 

Old Alerts are here - 

https://protection.office.com/#/managealerts

 

If you look at the doc page for new-protectionalert - https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance/new-protectionaler... there ain't much there.

 

Doing these new alerts via PowerShell will save so much time but even though we can do them via the web interface we can't do via scripting!


The ones you refer to as "new" have always required E5/TI (you can even see the difference in name - "alert *policies*", as they relate to CAS/ASM).

If they are E5 only why can I set them in the web interface with any SKU??

 

I can set these alerts via all plans in web interface but not via PowerShell.


Probably because you are not actually creating a "protection" alert. The easiest way to check this is to look at the available options on the "create alert settings" page of the wizard - if you only see "Every time an activity matches the rule", that's the "old" alert type. They are simply grouped together under the same UI item now.


I am indeed creating pure Protection Alerts, like this:

 

image[11].png

These options are not available in activity alerts.

Again, these alerts work via the web interface on all SKUs but I can't configure them by PowerShell. This I don't understand.

Best Response confirmed by Robert Crane (MVP)
Solution

The solution to this problem turns out to be the inclusion of the following command:

 

-aggregationtype none

 

which limits the creation of alerts to a single item which is supported by all SKUs. Add that to the command and you are off to the races.
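
The fix from the accepted answer, applied in a script (an added example, not code from the thread). It assumes a Security & Compliance PowerShell session is already open via Connect-IPPSSession; the alert names, audited operations and recipient address are constructed sample values.

```powershell
# Added example: create single-event protection alerts that work on any SKU.
# Assumes Connect-IPPSSession has already been run for the target tenant.
# Alert names, operations and the recipient below are constructed samples.
$notify = 'secops@contoso.example'   # placeholder recipient

$alerts = @(
    @{ Name = 'Content search deleted';  Operation = 'SearchRemoved';  Severity = 'Low' }
    @{ Name = 'Content search exported'; Operation = 'SearchExported'; Severity = 'Medium' }
)

foreach ($a in $alerts) {
    # Skip alerts that already exist so the script can be re-run per tenant.
    if (Get-ProtectionAlert -Identity $a.Name -ErrorAction SilentlyContinue) {
        Write-Host "Skipping '$($a.Name)': already exists"
        continue
    }

    $params = @{
        Name            = $a.Name
        Category        = 'Others'
        ThreatType      = 'Activity'
        Operation       = $a.Operation
        Severity        = $a.Severity
        NotifyUser      = $notify
        Description     = "Single-event alert for $($a.Operation)"
        AggregationType = 'None'   # single-event alert: the setting from the answer
        ErrorAction     = 'Stop'
    }

    try {
        New-ProtectionAlert @params | Out-Null
        Write-Host "Created '$($a.Name)'"
    }
    catch {
        # Surfaces the licensing error from the question if aggregation is still requested.
        Write-Warning "Failed to create '$($a.Name)': $($_.Exception.Message)"
    }
}
```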