Manage alert policies with Security & Compliance Center PowerShell
Information is a precious asset. Keeping an eye on specific accounts, and knowing when someone gains unauthorized access to a critical account, can be a lifesaver. But how do you manage this within your Microsoft tenant? Alert policies are exactly what is needed. You can set up a policy that triggers an alert as soon as an account connects to any Microsoft cloud service.
Go to Alert policies in the Office 365 Security & Compliance Center of your tenant. This somewhat hidden tab can give you a great deal of information about a wide spectrum of specific user activities. From here, alert policies can be created.
The example shows a policy that sends an email when "Test User 6" logs on. Always make sure you write a simple, understandable description, or even document what you do. (Of course you should always do this ;)) In my experience it can take up to 24 hours until the policy really becomes functional.
The alert policy is now created. This is what the email notification looks like (it can take up to 4 hours to receive):
Alright, but how do I manage my policies?
Normally this is an easy thing. But unfortunately not in my case: alert policies are listed in the portal under "Alerts > Alert policies", but I can't explain why there are no entries visible in my tenant. Luckily these policies are also accessible through Security & Compliance Center PowerShell, which is a modified PowerShell version. Here are the steps to follow:
- Log in to the Exchange Admin Center and go to "Hybrid".
- Download the module and run it. (Use old-school Internet Explorer for best results.)
- Optional: WinRM (Windows Remote Management) can sometimes block Basic authentication. Check this with "winrm get winrm/config/client/auth"; Basic = true is what to look for. If the value is false you have to temporarily set it to true with "winrm set winrm/config/client/auth @{Basic="true"}" (when typed at a PowerShell prompt, put the last argument in single quotes, '@{Basic="true"}', otherwise PowerShell parses it as a hashtable instead of passing it to winrm).
- Now run the downloaded PowerShell version, use "Connect-IPPSSession -UserPrincipalName user@domain.com" and authenticate (important: MFA works with this method).
- We're good to go: run "Get-ActivityAlert | Format-List Disabled,Name,Description,Operation,UserId,NotifyUser". This shows the basic formatted values of all created alert policies.
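The connection procedure above as one script. This is an added example and not code from the original post; it assumes the Exchange Online PowerShell module (which provides Connect-IPPSSession and Disconnect-ExchangeOnline) is installed, and the UPN is a placeholder. It also records the WinRM Basic-auth setting before changing it, so the temporary change from the optional step is undone when the session ends, and it flags policies that are disabled or have no recipients, since those are the ones that will never notify anyone.

```powershell
# Added example (not from the original post): connect to Security & Compliance
# Center PowerShell, list the alert policies and restore the WinRM setting.
# Assumes the Exchange Online PowerShell module is installed.
$Upn = 'admin@contoso.com'   # placeholder, replace with your admin UPN

# 1. Record the current WinRM client Basic-auth setting so it can be restored.
$authConfig = winrm get winrm/config/client/auth
$basicWasEnabled = ($authConfig -match 'Basic\s*=\s*true').Count -gt 0

if (-not $basicWasEnabled) {
    Write-Host 'WinRM Basic auth is disabled; enabling it temporarily for this session.'
    # The hashtable-looking argument must be quoted so PowerShell passes it to winrm as text.
    winrm set winrm/config/client/auth '@{Basic="true"}' | Out-Null
}

try {
    # 2. Connect; modern authentication prompts for MFA if it is enforced.
    Connect-IPPSSession -UserPrincipalName $Upn

    # 3. List the alert policies with the properties that matter for review.
    Get-ActivityAlert |
        Select-Object Disabled, Name, Description, Operation, UserId, NotifyUser |
        Format-List

    # 4. Flag policies that are disabled or notify nobody: these exist but never alert.
    Get-ActivityAlert |
        Where-Object { $_.Disabled -or -not $_.NotifyUser } |
        ForEach-Object { Write-Warning "Alert policy '$($_.Name)' is disabled or has no recipients." }
}
finally {
    # 5. Close the remote session and put WinRM back the way it was.
    Disconnect-ExchangeOnline -Confirm:$false
    if (-not $basicWasEnabled) {
        winrm set winrm/config/client/auth '@{Basic="false"}' | Out-Null
    }
}
```

Run it from an elevated PowerShell window, since changing the WinRM client configuration requires administrator rights; the try/finally ensures the Basic-auth setting is reverted even if the connection or the queries fail.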
Perfect! Additional helpful commands are:
Remove activity alerts
Use "Remove-ActivityAlert "NAME""
Official Microsoft site
Edit activity alerts
Change description
Use "Set-ActivityAlert "NAME" -Description "NEW DESCRIPTION""
Disable alert
Use "Set-ActivityAlert "NAME" -Disabled $true" (the parameter is a Boolean; use $false to enable the alert again)
Change users to notify
Use "Set-ActivityAlert "NAME" -NotifyUser "UPN""
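The edit and remove commands above as one worked sequence that creates the "Test User 6" style sign-in policy from the first part of the post, edits it, verifies the result and only then removes it. This is an added example and not code from the original post; it assumes an open Connect-IPPSSession session, placeholder names and addresses, and that the audit operation name "UserLoggedIn" is the sign-in event the portal policy monitors (an assumption, not stated on the page).

```powershell
# Added example (not from the original post): manage one activity alert end to end.
# Assumes an existing Connect-IPPSSession session; names and addresses are placeholders.
$PolicyName  = 'Sign-in of Test User 6'                    # placeholder policy name
$WatchedUser = 'testuser6@contoso.com'                     # placeholder monitored account
$Recipients  = @('soc@contoso.com', 'admin@contoso.com')   # placeholder recipients

# Create the policy only if it does not exist yet (Get-ActivityAlert errors on unknown names).
# 'UserLoggedIn' is assumed to be the audit log operation for a successful sign-in.
if (-not (Get-ActivityAlert -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ActivityAlert -Name $PolicyName `
        -Description "Notify $($Recipients -join ', ') when $WatchedUser signs in" `
        -Operation 'UserLoggedIn' `
        -UserId $WatchedUser `
        -NotifyUser $Recipients
}

# Edit: description, recipient list and enabled state, each with its own call.
Set-ActivityAlert -Identity $PolicyName -Description 'Critical account: sign-in alert (owner: SOC)'
Set-ActivityAlert -Identity $PolicyName -NotifyUser $Recipients
Set-ActivityAlert -Identity $PolicyName -Disabled $false

# Verify by reading the policy back instead of trusting that the calls succeeded.
$policy = Get-ActivityAlert -Identity $PolicyName
if ($policy.Disabled)          { Write-Warning "$PolicyName is still disabled" }
if (-not $policy.NotifyUser)   { Write-Warning "$PolicyName has no recipients" }
$policy | Format-List Disabled, Name, Description, Operation, UserId, NotifyUser

# Remove: keep the confirmation prompt so a mistyped name cannot silently delete a policy.
# Remove-ActivityAlert -Identity $PolicyName -Confirm
```

The removal line is left commented out on purpose; uncomment it only after the verification output shows the policy you intend to delete. Because the cmdlets accept the name as the first positional argument, the short forms in the post ("Set-ActivityAlert "NAME" -Description ...") and the explicit -Identity form used here are equivalent.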