MS Graph (or alternative) for M365/O365 Retention Policy management

Wondering if anyone is aware of whether we can get API access to the Security and Compliance Center. I'm not even sure what to call it, but I need to manage retention policies that today are managed at https://compliance.microsoft.com, or via Connect-IPPSSession (from the EXO v2 PS module).

What I'm trying to avoid is basic authentication with Connect-IPPSSession.  I don't see anything for MS Graph from the v1.0/beta references, and I have already asked the Exchange Team in the comments for their blog post about the app-only/certificate authentication addition to Connect-ExchangeOnline (asked if they'll bring the same added functionality to Connect-IPPSSession).

My use case is to unattended'ly script the addition/removal of certain users to/from the excluded mailboxes list for a given retention policy.  This would be done interactively like this:

Connect-IPPSSession <parameters of choice>
Set-RetentionCompliancePolicy <policy> -AddExchangeLocationException <one,or,more,users>

The reason is that a customer is using a retention policy to ensure their terminating users' mailboxes become Inactive Mailboxes.  Since they rely so heavily on Inactive Mailboxes, auto-expanding archives are out of the question (as this takes away recoverability/restorability for Inactive Mailboxes).  As a result, many mailboxes are hitting the 100GB Recoverable Items quota.  So we have a manual process for now to exclude these mailboxes from the policy, then either wait or rush with Start-ManagedFolderAssistant to see the Recoverable Items consumption go down.

We can easily use Connect-ExchangeOnline, Get-EXOMailbox, and Get-EXOMailboxStatistics with an Azure AD app and a certificate to figure out which mailboxes are approaching the 100GB.  But we can't do the same with Connect-IPPSSession.  I am eagerly awaiting either MS Graph support for this, or for Connect-IPPSSession to be updated.  Neither of these things are even announced that I can see.
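
An added example, not part of the original post: the detection half of the workflow described above, the part the post says already works with an Azure AD app and a certificate. It assumes TotalDeletedItemSize prints in the usual "N GB (N bytes)" form; the function names, thresholds, placeholders and sample rows are hypothetical or constructed.

```powershell
# Live use with app-only certificate auth (placeholder values are assumptions):
#   Connect-ExchangeOnline -AppId '<app-id>' -CertificateThumbprint '<thumbprint>' `
#       -Organization '<tenant>.onmicrosoft.com'
#   $rows = Get-EXOMailbox -ResultSize Unlimited | ForEach-Object {
#       $s = Get-EXOMailboxStatistics -Identity $_.UserPrincipalName
#       [pscustomobject]@{ UserPrincipalName    = $_.UserPrincipalName
#                          TotalDeletedItemSize = $s.TotalDeletedItemSize }
#   }

function ConvertTo-ByteCount {
    # Size values render as "98.2 GB (105,441,187,430 bytes)"; take the exact byte count.
    param([Parameter(Mandatory)] $Size)
    if ("$Size" -match '\(([\d,]+) bytes\)') {
        return [int64]($Matches[1] -replace '[^\d]', '')
    }
    throw "Unrecognized size format: $Size"
}

function Get-RecoverableItemsCandidate {
    # Emits mailboxes whose Recoverable Items usage is at or above the warning fraction.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [int64]  $QuotaBytes   = 100GB,   # the Recoverable Items quota named in the post
        [double] $WarnFraction = 0.9      # hypothetical threshold
    )
    process {
        $used = ConvertTo-ByteCount $Mailbox.TotalDeletedItemSize
        if ($used -ge ($QuotaBytes * $WarnFraction)) {
            [pscustomobject]@{
                UserPrincipalName = $Mailbox.UserPrincipalName
                UsedGB            = [math]::Round($used / 1GB, 1)
                PercentOfQuota    = [math]::Round(100 * $used / $QuotaBytes, 1)
            }
        }
    }
}

# Constructed sample rows standing in for $rows, so the logic runs offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; TotalDeletedItemSize = '98.2 GB (105,441,187,430 bytes)' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   TotalDeletedItemSize = '12.5 GB (13,421,772,800 bytes)' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; TotalDeletedItemSize = '91 GB (97,710,505,984 bytes)' }
)

$sample | Get-RecoverableItemsCandidate | Sort-Object PercentOfQuota -Descending
```

The resulting list is what would be passed to Set-RetentionCompliancePolicy -AddExchangeLocationException, which still requires a Connect-IPPSSession session.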

10 Replies
Hi, I have seen that page and appreciate it. But I'm specifically looking for an unattended approach, ideally not using username/password but rather a certificate and a registered app in Azure AD. This is doable today for several of the services in the link you referred to, but not for the Security and Compliance Center yet.
Question: are you prompted for user/pass/mfa for each of the services you connect to when using the method in that article?
I think each module needs its own token to cache initially, so it makes sense they'd each need the user / pass / MFA, but then the frequency would depend on a bunch of things.

But in any case, I truly am only after non-user/pass authentication. Since either MS Graph or Connect-ExchangeOnline can each do client credential OAuth flow (certificate credential), I just have this one part left which still only supports interactive user/pass. Hoping somebody has found a way...
Hi Jeremy!

Did you find any solution for this? I have the same problem to solve as you.
Nope nothing yet. I've asked via the EXO PS module feedback address if Connect-IPPSSession will be brought up to par with Connect-ExchangeOnline, which is where I think this might become possible first. Just a guess though, really not sure what to expect.
Hi Jeremy,
Any link to an issue raised or a ticket number?
I want to raise a support ticket with MS directly because this is something we need too.
I haven't opened a support ticket since it's mainly a feature request for either Graph or the EXO module. So the farthest I made it was the EXO module's feedback email address.
I asked via the EXO module feedback email whether I can open a call for this or whether it falls outside of support, and they informed me that I can. I have opened a call and MS is reproducing what I am experiencing. Will let the thread know of the outcome.
I will do the same and open one tomorrow. Will be great to get this into either, maybe even both Graph and Connect-IPPSSession. Thanks for sharing that.