Set activity alerts using PowerShell issues


I have used the following command:

new-activityalert -name "Elevation of Privilege" -NotifyUser "user@domain.com" -type elevationofprivilege

and it completed successfully. I do not however see this new alert listed in the browser interface in the Manage Alerts area.

Also if I execute the following, I see no listing of this new alert:

get-activityalert

but if I execute:

get-activityalert -identity "Elevation of Privilege"

I do see the alert.

Any ideas what I'm missing and why the initial alert creation in PowerShell works but then doesn't appear anywhere unless I ask for it by name??

4 Replies

I can confirm that behavior, and here's my theory as to why. They seem to be moving away from the old "activity alerts" (*-ActivityAlert) and focusing on the newer "alert policies" (*-ProtectionAlert). In the SCC, getting to the "activity alerts" page is a challenge nowadays, and I get the same behavior when I try to create an activity alert from the UI. So I don't think it's anything specific to PowerShell, but more of a deliberate decision on their end to "de-emphasize" this feature.

Not sure who the PM on this feature is though, so if you want an official answer best open a support case.

Here's the rub. From - https://support.office.com/en-us/article/alert-policies-in-the-office-365-security-compliance-center...

Note: Alert policies are available for organizations with an Office 365 Enterprise E1, E3, or E5 subscription. However, some advanced functionality is only available for organizations with an E5 subscription, or for organizations that have an E1 or E3 subscription and an Office 365 Threat Intelligence or Office 365 Advanced Compliance add-on subscription. The functionality that requires an E5 or add-on subscription is highlighted in this topic.

So the new-protectionalert module won't function with Business Plans? Including M 365 Business??

Actually, I believe even E1 tenants don't have access to alert policies (at least cannot create new ones). So yeah, far from ideal replacement...

I can confirm that alert policies created with the PS Cmdlet "New-ActivityAlert" are not shown in the Office 365 SCC Alert Policy section. However, if I check for the presence of the alert policy by "Get-AlertPolicy", it shows up. It seems that Microsoft want to enforce having an E5 plan or the Office 365 Threat Intelligence or Office 365 Advanced Compliance add-on subscription for E1 and E3 plans in order to make use of the policies... (source: https://support.office.com/en-us/article/alert-policies-in-the-office-365-security-compliance-center...)
Furthermore, they introduced a new Cmdlet "New-ProtectionAlert" (source: https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance/new-protectionaler...).