Manage alert policies with Security & Compliance Center PowerShell

security Jul 03, 2020

Information is a precious good. Keeping an eye on specific accounts and knowing when someone gains unauthorized access to a critical account can be a life saver. But how do you manage this within your Microsoft tenant? Alert policies are exactly what is needed: you can set up a policy that triggers an alert as soon as an account connects to any Microsoft cloud service.

Go to alert policies in the Office 365 Security & Compliance Center of your tenant. This hidden tab can give you a massive amount of information about a wide spectrum of specific user activities. From here, alert policies can be created.
The example shows a policy that sends an email when "Test User 6" logs on. Always make sure you write a simple, understandable description, or even document what you do. (Of course you should always do this ;)) In my experience it can take up to 24 hours until the policy really becomes functional.

The alert policy is now created. This is what the email notification looks like (it can take up to 4 hours to receive):

Alright, but how do I manage my policies?

Normally this is an easy thing, but unfortunately not in my case: alert policies are listed in the portal under "Alerts > Alert policies", but I can't explain why there are no elements visible in my tenant. Luckily these policies are also accessible through Security & Compliance Center PowerShell, which is a modified PowerShell version. Here are the steps to follow:

  1. Log in to the Exchange Admin Center and go to "Hybrid".
  2. Download the module and execute it. (Use old-school Internet Explorer for best results.)
  3. Optional: WinRM (Windows Remote Management) can sometimes block basic authentication. Check this with "winrm get winrm/config/client/auth" and look for Basic = true. If the value is false, temporarily set it to true with "winrm set winrm/config/client/auth @{Basic="true"}".
  4. Now run the downloaded PowerShell version, use "Connect-IPPSSession -UserPrincipalName user@domain.com" and authenticate. (Important: MFA is possible with this method.)
  5. We're good to go: run "Get-ActivityAlert | Format-List Disabled,Name,Description,Operation,UserId,NotifyUser", which shows the basic formatted values of all created alert policies.

Perfect! Additional helpful commands are:

Remove Activity Alerts

Use: Remove-ActivityAlert "NAME"
Official Microsoft site

Edit Activity Alerts

Change Description

Use: Set-ActivityAlert "NAME" -Description "NEW DESCRIPTION"

Disable Alert

Use: Set-ActivityAlert "NAME" -Disabled $true (or $false to re-enable the alert)

Change users to notify

Use: Set-ActivityAlert "NAME" -NotifyUser "UPN"

Official Microsoft site
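An added example that is not part of the original post: it ties the steps above together by connecting, reviewing every activity alert for weak settings (disabled, no recipient, missing description), and then previewing the fixes. It assumes the downloaded Security & Compliance Center module has already made Connect-IPPSSession, Get-ActivityAlert and Set-ActivityAlert available, that $AdminUpn and $RequiredRecipient are placeholders you supply, and that Set-ActivityAlert accepts the common -WhatIf switch (remove it to apply the changes).

```powershell
# Added example, not from the original post. Assumes the downloaded
# Security & Compliance Center PowerShell module is loaded, so
# Connect-IPPSSession / Get-ActivityAlert / Set-ActivityAlert exist.
param(
    [Parameter(Mandatory)] [string] $AdminUpn,   # admin@domain.com (placeholder)
    [string] $RequiredRecipient                  # UPN every alert must notify (optional)
)

# Connect with modern authentication; the MFA prompt appears in the popup.
Connect-IPPSSession -UserPrincipalName $AdminUpn

# Review every activity alert once and collect what looks wrong.
$findings = foreach ($alert in Get-ActivityAlert) {
    $issues = @()
    if ($alert.Disabled) { $issues += 'disabled' }
    if (-not $alert.NotifyUser) { $issues += 'no recipient' }
    if ($RequiredRecipient -and (@($alert.NotifyUser) -notcontains $RequiredRecipient)) {
        $issues += "missing $RequiredRecipient"
    }
    if ([string]::IsNullOrWhiteSpace($alert.Description)) { $issues += 'no description' }

    [pscustomobject]@{
        Name       = $alert.Name
        Operation  = (@($alert.Operation) -join ', ')
        UserId     = (@($alert.UserId) -join ', ')
        NotifyUser = @($alert.NotifyUser)
        Issues     = $issues
    }
}

# Print only the alerts that need attention.
$findings | Where-Object { $_.Issues.Count -gt 0 } |
    Select-Object Name, Operation, UserId, @{ n = 'Issues'; e = { $_.Issues -join '; ' } } |
    Format-Table -AutoSize

# Remediate: re-enable switched-off alerts and add the required recipient
# without dropping the existing ones. -WhatIf previews; remove it to apply.
foreach ($f in $findings) {
    if ($f.Issues -contains 'disabled') {
        Set-ActivityAlert -Identity $f.Name -Disabled $false -WhatIf
    }
    if ($RequiredRecipient -and ($f.Issues -contains "missing $RequiredRecipient")) {
        $recipients = @($f.NotifyUser + $RequiredRecipient | Select-Object -Unique)
        Set-ActivityAlert -Identity $f.Name -NotifyUser $recipients -WhatIf
    }
}
```

Run it from the session opened by the downloaded module, for example as .\Audit-ActivityAlerts.ps1 -AdminUpn admin@domain.com -RequiredRecipient soc@domain.com, and review the -WhatIf output before removing the switch.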

Niklas Tinner

Young IT Nerd.
