SOLVED

Creating alert policies in Security and Compliance for all tenants


So recently Office365 stopped using the settings in EAC for outbound spam quarantine notifications and moved that to its own alert policy in the Security and Compliance portal. For some reason, the setting for email notification was not carried over to the new alert policy. So we've got 70 tenants that we need to make sure we have email notifications for in case of a compromised account.

 

I would have liked to just edit the default MS-created alert policy that is called "User restricted from sending email" using the Set-ProtectionAlert cmdlet but apparently you cannot use this cmdlet to edit default alert policies. You can only modify alerts you have created using New-ProtectionAlert cmdlet.

 

Soooooooooooooo..... I've been trying to find a way to use New-ProtectionAlert to create a new Alert Policy with the same Operation trigger {Compromised Account} and it works fine when using the Exchange Online PowerShell Module on one customer but I'm not trying to do that 70 times... so I've been looking around for ways to use my delegated admin credentials to connect to each of our tenants and create this alert policy for each of them.

 

I am trying to use this one as a template: https://gcits.com/knowledge-base/get-alerts-elevation-privilege-operations-office-365-customer-tenants/ - unfortunately I just cannot get this to work.

 

This is what I've got:

 

 

$ruleName = "CCS Security - Outbound Spam"
$ruleEmail = "help@company.net"

$credentials = Get-Credential

Connect-Msolservice -Credential $credentials

# Every customer tenant the partner account has a delegated admin contract with
$customers = Get-MsolPartnerContract

foreach ($customer in $customers) {

    Write-Host "`nChecking activity alert on $($customer.name)" -ForegroundColor Blue
    $InitialDomain = Get-MsolDomain -TenantId $customer.tenantid | Where-Object {$_.IsInitial -eq $true}

    $DelegatedOrgURL = "https://ps.compliance.protection.outlook.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name

    # Remote session to the customer's Security and Compliance endpoint (basic auth)
    $SCDS = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credentials -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection

    Import-PSSession $SCDS -CommandName Get-ProtectionAlert, New-ProtectionAlert

    $alert = $null
    $alert = Get-ProtectionAlert -Identity $ruleName -ErrorAction SilentlyContinue

    # Only create the policy when the tenant does not already have it
    if (!$alert) {
        $newAlert = New-ProtectionAlert -Name $ruleName -Category ThreatManagement -NotifyUser $ruleEmail -ThreatType "Activity" -Description "Alert CCS to any spam quarantined user" -AggregationType none -Operation CompromisedAccount

        if ($newAlert) {
            Write-Host "Alert created for $($customer.name)" -ForegroundColor Green
        }
    }
    else {
        Write-Host "Alert already exists for $($customer.name)" -ForegroundColor Green
    }

    Remove-PSSession $SCDS
}

 


When I run that I get this:

 

WARNING: Your connection has been redirected to the following URI: 
"https://nam03b.ps.compliance.protection.outlook.com/powershell-liveid?DelegatedOrg=customer.onmicrosoft.com;PSVersion=5.1.17134.858 "
New-PSSession : [nam03b.ps.compliance.protection.outlook.com] Connecting to remote server 
nam03b.ps.compliance.protection.outlook.com failed with the following error message : Access is 
denied. For more information, see the about_Remote_Troubleshooting Help topic.
At C:\test\ALL!_OutboundSpamNotify.ps1:13 char:13
+ $SCDS = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential ...

 

 

Looking online I've seen that Access Denied means that obviously my user does not have access to Exchange Online for that customer, but I've delegated admin for all of our tenants and I can perform other scripts with my credentials that work just fine.

Any insight or help would be appreciated.

2 Replies
Solution

Officially, connecting to ExO/SCC PowerShell via this method is not supported. Use the Connect-IPPSSession cmdlet instead, with the -DelegatedOrganization switch. If it doesn't work there either, you most likely have a permission issue.


@Vasil Michev Thank you so much. I had seen that parameter but didn't know what kind of string it wanted. 

Now using:

Connect-IPPSSession -UserPrincipalName my@email.com -DelegatedOrganization mytenant.onmicrosoft.com

I can successfully connect to my tenants - hopefully I can get this script working now!
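
The per-tenant loop from the question, rebuilt around the Connect-IPPSSession -DelegatedOrganization connection from the accepted reply. This is an added example, not code posted by anyone in the thread and not confirmed there as working; it assumes the MSOnline and ExchangeOnlineManagement modules are installed, and the admin UPN and CSV file name are placeholders.

```powershell
# Added example (not from the thread). $adminUpn and the CSV path are placeholders.
$adminUpn  = 'admin@partner.example'          # placeholder delegated-admin UPN
$ruleName  = 'CCS Security - Outbound Spam'   # policy name used in the question
$ruleEmail = 'help@company.net'               # notification address used in the question

Connect-MsolService
$results = foreach ($customer in Get-MsolPartnerContract) {
    $initial = $null
    $status  = 'Unknown'
    try {
        # The tenant's initial *.onmicrosoft.com domain is the string passed
        # to -DelegatedOrganization in the thread.
        $initial = Get-MsolDomain -TenantId $customer.TenantId |
            Where-Object { $_.IsInitial } | Select-Object -First 1

        Connect-IPPSSession -UserPrincipalName $adminUpn `
            -DelegatedOrganization $initial.Name -ErrorAction Stop

        if (Get-ProtectionAlert -Identity $ruleName -ErrorAction SilentlyContinue) {
            $status = 'AlreadyExists'
        } else {
            New-ProtectionAlert -Name $ruleName -Category ThreatManagement `
                -NotifyUser $ruleEmail -ThreatType Activity `
                -Description 'Alert CCS to any spam quarantined user' `
                -AggregationType None -Operation CompromisedAccount `
                -ErrorAction Stop | Out-Null
            $status = 'Created'
        }
    } catch {
        # Record the failure and continue, so one tenant with a permission
        # problem does not leave the remaining tenants without the alert.
        $status = "Failed: $($_.Exception.Message)"
    } finally {
        # Close the session before connecting to the next tenant.
        Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Tenant = $customer.Name
        Domain = $initial.Name
        Status = $status
    }
}

# Tenants listed here still have no e-mail notification for restricted senders.
$results | Where-Object Status -like 'Failed*' | Format-Table -AutoSize
$results | Export-Csv -Path .\alert-policy-rollout.csv -NoTypeInformation
```

The exported CSV gives a per-tenant record of where the policy exists, which can be re-checked after fixing permissions on any tenant that failed.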