Manage Office 365 Groups with PowerShell
There are a few compelling reasons to move to Office 365, and in my opinion, Office 365 Groups are...
I recently did a webinar for ENow. The webinar was mostly demos of PowerShell commands you can use to get auditing and reporting data in your Office 365 tenant. In this blog post, I’m going to focus on providing those PowerShell commands so that you can use “follow along” in your Office 365 tenant.
I’ve divided this blog post up into sections. Each section focuses on a series of related tasks you can accomplish with PowerShell commands in your Office 365 tenant.
Mailbox auditing is not turned on by default in Office 365. The first thing we’re going to want to know is the status of mailbox auditing for our mailboxes. Once you understand whose mailbox is being audited for what, turning on mailbox auditing is a simple Set-Mailbox command to turn on mailbox auditing. Though the use of the pipeline, a Get-Mailbox can be used to turn on mailbox auditing for all mailboxes.
Get-Mailbox Nathan | Format-List Audit*
Get-Mailbox Nathan | Select -ExpandProperty AuditAdmin
Get-Mailbox Nathan | Select -ExpandProperty AuditOwner
Get-Mailbox Nathan | Select -ExpandProperty AuditDelegate
Get-Mailbox | Format-Table Name, AuditEnabled -AutoSize
Get-Mailbox | Where-Object {$_.AuditEnabled -Eq "True"} | Format-Table Name, AuditEnabled -AutoSize
Get-Mailbox | Where-Object {$_.AuditEnabled -Ne "True"} | Format-Table Name, AuditEnabled -AutoSize
Set-Mailbox –Identity Joe –AuditEnabled $True
Get-Mailbox | Where-Object {$_.AuditEnabled -Ne "True"} | Set-Mailbox -AuditEnabled $True
Once you have mailbox auditing turned on, there is still some configuration to do. A list of the default items that are audited can be found on TechNet, but you can change those settings to match your organization’s needs.
Additionally, you can control the length of time audit items are retained. Items can be kept for a maximum time of nearly 68 years. It’s important to remember that those audit items are stored in the user’s mailbox, and will count against their mailbox size limit. If you need to free up space, setting the retention period to a shorter (or zero) retention time and forcing the managed folder assistant to run on that mailbox will free up space immediately.
Set-Mailbox –Identity Joe -AuditAdmin None –AuditDelegate None -AuditOwner None
Get-Mailbox Joe | Format-List Audit*
Set-Mailbox -Identity Joe -AuditDelegate Create, FolderBind, HardDelete, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update
Set-Mailbox –Identity Joe –AuditEnabled $False
Get-Mailbox Joe | Format-List Audit*
Set-Mailbox Joe -AuditLogAgeLimit 24855.03:14:07
Get-Mailbox Joe | Format-List Audit*
Get-MailboxFolderStatistics Nathan | Where-Object {$_.Name -eq "Audits"} | Format-Table Name, ItemsInFolder, FolderSize -AutoSize
Set-Mailbox Joe -AuditLogAgeLimit 00:00:00
Start-ManagedFolderAssistant Joe
Get-MailboxFolderStatistics Joe | Where-Object {$_.Name -eq "Audits"} | Format-Table Name, ItemsInFolder, FolderSize -AutoSize
Enabled and configured is the way to get data into your mailbox audit log, but eventually you’re going to want to get data out too. PowerShell can allow you to configure some pretty powerful mailbox audit log searches. If you need to know who deleted what, and when they did it the answer is only a single command away.
Search-MailboxAuditLog Nathan -ShowDetails
Search-MailboxAuditLog Nathan -ShowDetails -ResultSize 10 | Format-Table Operation, OperationResult, LogonType, LastAccessed -AutoSize
Search-MailboxAuditLog Nathan -ShowDetails -StartDate 04/10/2016 -EndDate 04/12/2016 | Where-Object {$_.Operation -Eq "MoveToDeletedItems" -Or $_.Operation -Eq "HardDelete" -Or $_.Operation -Eq "SoftDelete"-And $_.FolderPathName -Eq "\Inbox"} | Format-Table Operation, OperationResult, LogonType, LastAccessed, FolderPathName, SourceItemSubjectsList -AutoSize
New-MailboxAuditLogSearch -Name "Demo Search Mailbox" -Mailboxes Nathan -ShowDetails -LogonTypes Delegate -StartDate 4/6/2016 -EndDate 4/7/2016 -StatusMailRecipients Nathan@MCSMLab.com
Get-AuditLogSearch
Get-AdminAuditLogConfig
Search-AdminAuditLog -Cmdlets Set-* | Format-Table CmdletName, Caller, RunDate, Succeeded -AutoSize
Search-AdminAuditLog –StartDate 04/01/2016 –EndDate 04/10/2016 –ExternalAccess $True | Out-GridView
Search-AdminAuditLog –StartDate 04/01/2016 –EndDate 04/10/2016 –ExternalAccess $True | Sort CmdletName | Group CmdletName | Format-Table Count, Name
New-AdminAuditLogSearch -Name "Demo Search Admin" -StartDate 1/1/2016 -EndDate 4/7/2016 -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota -StatusMailRecipients Nathan@MCSMLab.com
Get-AuditLogSearch
Office 365 is more than just Exchange. While SharePoint and OneDrive for Business are not themselves able to provide the level of auditing you can find in Exchange, Microsoft has enabled a unified audit log based on Exchange that has the ability to audit actions against files stored in SharePoint and OneDrive for Business sites.
The unified audit log must be enabled from the Office 365 Security & Compliance center, but once that is done you’ll have access to all kinds of information about what is going on with your files within Office 365.
Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType SharePointFileOperation -ResultSize 1
$Output = Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType SharePointFileOperation -ResultSize 1
$Results = ConvertFrom-Json -InputObject $Output.AuditData
$Results
Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType SharePointFileOperation -ObjectIds "5-4 Auditing and Reporting for Office 365.pptx" | Where-Object {$_.Operations -Eq "FileModified"} | Format-Table UserIds, Operations, CreationDate -AutoSize
Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType AzureActiveDirectory | Format-Table CreationDate, Operations, UserIds -AutoSize
Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType AzureActiveDirectoryAccountLogon | Format-Table CreationDate, Operations, UserIds -AutoSize
The Office 365 Reporting web service is a set of canned reports that can give you different sets of usage information for your Office 365 tenant. If you need to figure out how much spam your organization is receiving, or how your Skype for Business conference service is being used.
There are web based reports available. You can find a list of them on MSDN. Below I have a list of PowerShell commands that you can use within an Exchange Online PowerShell session to gather usage information about your Office 365 tenant.
Get-MxRecordReport -Domain mcsmlab.com
Get-OutboundConnectorReport -Domain mcsmlab.com
Get-MessageTrace -SenderAddress nathan@mcsmlab.com -StartDate 05/2/2016 -EndDate 05/4
Get-MailTrafficSummaryReport -Category TopMailSender -StartDate 01/1/2016 -EndDate 01/30/2016
Get-MailTrafficSummaryReport -Category TopSpamRecipient -StartDate 01/1/2016 -EndDate 01/30/2016
Get-StaleMailboxDetailReport | Sort username -Unique | Format-Table TenantName, UserName, WindowsLiveID, LastLogin, DaysInactive
Get-ConnectionByClientTypeDetailReport -StartDate 04/1/2016 -EndDate 04/10/2016
Get-CsConferenceReport -ReportType Monthly -StartDate 01/01/2016 -EndDate 01/31/2016
Get-CsAVConferenceTimeReport -ReportType Monthly -StartDate 01/01/2016 -EndDate 01/31/2016
Microsoft has recently added the Security & Compliance Center to Office 365. This is a portal that is intended to give administrators a central place for security and compliance functionality across all the Office 365 applications. While that goal has not yet been meet, there is still good reporting information available here.
The Security & Compliance Center has its own separate PowerShell connection URI. You can find instructions for how to connect to this PowerShell URI in TechNet.
Get-Command -Module tmp_vjigxxwl.faa
Get-DeviceConfigurationPolicy | Format-Table Name, CreatedBy, DistributionStatusget-mail
Get-HoldCompliancePolicy
Get-eDiscoveryCaseAdmin
Get-ComplianceSearch | Format-Table
Get-ComplianceSearch -Identity "Test Search" | Format-Table Name, CreatedTime, Items, Size
Get-ComplianceSearch -Identity "Specific Job" | Format-Table Name, CreatedTime, Items, Size
New-ComplianceSearchAction -SearchName "Specific Job" -Purge -PurgeType SoftDelete
Get-ComplianceSearchAction | Format-Table SearchName, JobStartTime, JobProgress, Status
Of course the ways in which you can use PowerShell to gather information about your Office 365 tenant and what is going on there are nearly infinite. Flexibility is PowerShell’s greatest strength. Hopefully this blog post, and the associated webinar, give you a good start down the road of figuring out how to meeting your organizations auditing and reporting needs in Office 365 with PowerShell. If you have any questions, feel free to post them below or reach out to me on Twitter @MCSMLab.
Nathan is a five time former Microsoft MVP and he specializes in Exchange, Microsoft 365, Active Directory, and cloud identity and security.
There are a few compelling reasons to move to Office 365, and in my opinion, Office 365 Groups are...
Office 365 is Microsoft's premier cloud service, and the clear leader in the "back office" server...