Create Office 365 Activity Alerts using PowerShell

In a previous article:

Create Office 365 Alerts

I detailed how to create Office 365 Activity alerts using the browser. It is important to have appropriate alerts configured for your tenant, especially since very few are configured in a tenant by default.

Of course doing administration tasks via a browser is the slow way to get things done. A much better approach is to use PowerShell and let the script do the heavy lifting.

The first step in this process is to take a look at the following article:

Search the audit log in the Office 365 Security and Compliance center

and locate the heading – Auditing activities, which contains the list of the actions that can trigger an alert. There are plenty of entries, so pick those that make the most sense and remember that lots and lots of alerts generally don’t improve security; they simply create information overload.

The alert I’ll choose to illustrate is FileMalwareDetected.

The next step is to connect to the Office 365 Security and Compliance Center with PowerShell. I’m not going to show you how to do that here, as it is easily located elsewhere, for example here:

Connect to Office 365 Security & Compliance Center PowerShell

With that done, you can now execute the actual commands to configure activity alerts with PowerShell.

$notifyusers = "admin@domain.com"   # who receives the alert emails (placeholder address)
$userids = $null                    # leave empty to apply the alert to every user in the tenant

$fileandpagepolicyparams = @{
    "Name"        = "File and Page Alert";
    "Operation"   = "FileMalwareDetected";
    "NotifyUser"  = $notifyusers;
    "UserId"      = $userids;
    "Description" = "SharePoint anti-virus engine detects malware in a file.";
}

$result = New-ActivityAlert @fileandpagepolicyparams

Basically, what I’m doing here is creating a hashtable called $fileandpagepolicyparams that contains all the options required for the command that will create the alert. Passing the hashtable to the command with @ is known as splatting. Doing it this way makes it easier to see what’s going on and to make additions if needed, in my opinion.

The New-ActivityAlert command then receives every entry in that hashtable as a parameter and creates the alert.

$notifyusers holds the users who will receive an email when the alert fires. $userids holds the users whose activity triggers the alert. If you leave $userids empty, the alert applies to all users in the tenant.

[image: output of New-ActivityAlert]

You can see the result above once that command is run.

Now the idea is to build a script that configures all the activity alerts you desire and then apply them to a tenant.

[image: script creating multiple activity alerts]

As you can see above, I generally create about a dozen alert policies this way, covering a range of activities that I believe should have alerts configured. However, you need to decide what makes sense for you.

Now be very, very careful when you configure activity alerts via PowerShell. Make sure every parameter is 100% correct, and check the resulting alert policies in the web interface (or read them back with Get-ActivityAlert) while you are testing your script. A wrong parameter value is not always reported as an error, and you can end up with an activity alert that does nothing, all because you got one parameter wrong!
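Here is how I would structure a script that creates the whole set of alerts at once and then checks its own work. This is an added example, not the script from the original post: the alert definitions live in one list, each alert is created only if nothing with that name exists yet, and the tenant is read back with Get-ActivityAlert so a mistyped parameter shows up immediately rather than silently. The notification address, the alert names and the operation names other than FileMalwareDetected are assumptions to replace with values from your own tenant and from the Auditing activities list referenced above.

```powershell
# Added example: create a set of activity alerts from one definition list.
# Assumes you are already connected to Security & Compliance Center PowerShell.
# The address below is a placeholder for your tenant.
$notifyUsers = @('admin@contoso.com')

# One hashtable per alert. Operation values come from the "Auditing activities"
# list; the two extra operations here are assumed examples, not from the post.
$alertDefinitions = @(
    @{
        Name        = 'File and Page Alert'
        Operation   = 'FileMalwareDetected'
        Description = 'SharePoint anti-virus engine detects malware in a file.'
    },
    @{
        Name        = 'External Sharing Alert'
        Operation   = 'SharingInvitationCreated'
        Description = 'A user shared a resource with an external user.'
    },
    @{
        Name        = 'Admin Role Change Alert'
        Operation   = 'Add member to role.'
        Description = 'A user was added to an Azure AD admin role.'
    }
)

foreach ($definition in $alertDefinitions) {
    $params = @{
        Name        = $definition.Name
        Operation   = $definition.Operation
        Description = $definition.Description
        NotifyUser  = $notifyUsers
    }
    # Omitting UserId applies the alert to every user in the tenant;
    # add UserId = @('user@contoso.com') to the hashtable to scope it.

    # Skip alerts that already exist so the script can be re-run safely.
    $existing = Get-ActivityAlert -Identity $definition.Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Skipping '$($definition.Name)': already exists"
        continue
    }

    try {
        New-ActivityAlert @params -ErrorAction Stop | Out-Null
        Write-Host "Created '$($definition.Name)'"
    }
    catch {
        Write-Warning "Failed to create '$($definition.Name)': $($_.Exception.Message)"
    }
}

# Read back what the tenant actually holds instead of trusting the commands;
# a mangled Operation or NotifyUser value shows up in this table.
$requestedNames = $alertDefinitions | ForEach-Object { $_.Name }
Get-ActivityAlert |
    Where-Object { $requestedNames -contains $_.Name } |
    Select-Object Name, Operation, NotifyUser, UserId, Disabled |
    Format-Table -AutoSize
```

The final read-back is the important part: compare the Operation column with what you intended before trusting the alert, because the web interface is the only other place a wrong value becomes visible.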

June Office 365 Webinar Resources

Slides from this month’s webinar are at:

https://www.slideshare.net/directorcia/june-2018-office-365-need-to-know-webinar

If you are not a CIAOPS patron and want to view or download a full copy of the video from the session, you can do so here:

http://www.ciaopsacademy.com.au/p/need-to-know-webinars

Watch out for next month’s webinar.

Saving Office 365 Login Credentials with PowerShell

I need to log into lots and lots of different Office 365 tenants all the time. Having an easier way to do this and prevent fat fingering the wrong information is a big time saver for me. This is even more the case when I use PowerShell.

I therefore decided that it would be easier to save tenant credentials to a local file and then recall them as needed. To save the credentials to an XML file, use the command:

Get-Credential | Export-CliXml -Path c:\downloads\tenant.xml

This will prompt you for a login and password as normal but then save the result to an XML file at the location you specified.

[image: Get-Credential prompt]

If you look at the XML file, you can see the username as expected, but you’ll notice that the password has been stored as an encrypted SecureString rather than in plain text. On Windows that string is protected with the Data Protection API (DPAPI), so it can only be decrypted by the same user account on the same machine. Be aware that PowerShell Core on macOS and Linux does not encrypt it and writes the password in plain text.

It is important to note that this file now contains the access details for the tenant. You need to ensure the file remains secure, because if someone else manages to get it (or to run code under your Windows account) they may be able to log in to the tenant! Also note that a saved credential only works for accounts that are not protected by multi-factor authentication, which makes the file even more sensitive. Beware!

To extract the details from the file and save them into a variable you can use in PowerShell use the following command:

$credential=import-clixml -path c:\downloads\tenant.xml

now you can connect to Office 365 services as normal using:

Connect-MsolService -Credential $credential

and you won’t be prompted for the login details.
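Putting the save and recall steps into two small functions, as an added example rather than code from the original post, makes it easy to keep one file per tenant and adds the checks I would want before relying on this: refuse to save on a platform where Export-Clixml does not encrypt, lock the folder down to the current user, and confirm the clear-text password did not end up in the file. The folder location under $env:APPDATA and the tenant naming are assumptions.

```powershell
# Added example: save and recall per-tenant credentials with Export-Clixml / Import-Clixml.
# The folder location and file naming are assumptions; adjust to suit.
$credentialRoot = Join-Path $env:APPDATA 'TenantCredentials'   # inside the user profile

function Save-TenantCredential {
    param([Parameter(Mandatory)][string]$TenantName)

    # Export-Clixml protects the password with DPAPI only on Windows; PowerShell
    # Core on macOS/Linux writes it in plain text, so refuse to save there.
    if ($PSVersionTable.PSEdition -eq 'Core' -and -not $IsWindows) {
        throw 'Export-Clixml does not encrypt SecureStrings on this platform; refusing to save.'
    }
    if (-not (Test-Path $credentialRoot)) {
        New-Item -ItemType Directory -Path $credentialRoot | Out-Null
    }

    # Restrict the folder to the current user: drop inherited ACEs, grant only us.
    $acl = Get-Acl -Path $credentialRoot
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $credentialRoot -AclObject $acl

    $path = Join-Path $credentialRoot "$TenantName.xml"
    Get-Credential -Message "Credentials for $TenantName" | Export-Clixml -Path $path

    # Sanity check: the clear-text password must not appear anywhere in the file.
    $plain = (Import-Clixml -Path $path).GetNetworkCredential().Password
    if ($plain -and ((Get-Content -Raw -Path $path) -match [regex]::Escape($plain))) {
        Remove-Item -Path $path
        throw 'Password was written unprotected; file removed.'
    }
    Write-Host "Saved credentials for $TenantName to $path (DPAPI, current user only)"
}

function Get-TenantCredential {
    param([Parameter(Mandatory)][string]$TenantName)

    $path = Join-Path $credentialRoot "$TenantName.xml"
    if (-not (Test-Path $path)) { throw "No saved credentials for $TenantName" }
    # Only the same Windows user on the same machine can decrypt this file.
    Import-Clixml -Path $path
}

# Usage (tenant name is a placeholder):
# Save-TenantCredential -TenantName 'contoso'
# $credential = Get-TenantCredential -TenantName 'contoso'
# Connect-MsolService -Credential $credential
```

Because DPAPI ties the file to your Windows profile, the files are useless if copied to another machine or user, which is the behaviour you want; it also means they must be re-created after a profile rebuild.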

Hopefully, I’ve covered all the steps in the video above, so you can see it all in action from end to end.

Enabling Office 365 mailbox auditing

You may not be aware that, by default, Office 365 mailbox auditing isn’t turned on. Don’t believe me? Well, check out this article, especially the first paragraph:

Enable mailbox auditing in Office 365

which says:

In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn’t turned on. That means mailbox auditing events won’t appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a user mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

If you want to check your own tenant then connect to Exchange Online with PowerShell and run this command:

Get-Mailbox -ResultSize Unlimited | Select-Object UserPrincipalName,AuditEnabled

You’ll probably see that none of the mailboxes have auditing enabled. (The -ResultSize Unlimited switch matters: without it Get-Mailbox returns at most 1000 mailboxes, so a larger tenant would be only partly checked.)

To enable auditing, simply run this command:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true

and then run the first command again to verify it is now enabled for all mailboxes.

You also need to appreciate that, out of the box, not all actions are audited, and you may need to adjust these options, also using PowerShell. The actions you can audit are listed here:

Mailbox auditing actions

I’ll cover how to set these in an upcoming article.
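Ahead of that article, here is an added example (not code from the post) that combines the check and the enable step, then goes one step further: it adds a few owner actions to the audited set, since the owner set is the sparsest by default, and finally re-reads the tenant to report any mailbox still unaudited instead of trusting that Set-Mailbox succeeded. Which actions to add is an assumption; pick the ones from the Microsoft list that matter to you.

```powershell
# Added example: enable mailbox auditing where it is off, widen owner auditing,
# then verify. Assumes an existing Exchange Online PowerShell session.
# The owner actions below are an assumed choice, not a recommendation from the post.
$ownerActionsWanted = @('MailboxLogin', 'HardDelete', 'SoftDelete')

# Always use -ResultSize Unlimited: the default returns at most 1000 mailboxes.
$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Select-Object UserPrincipalName, AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin, AuditLogAgeLimit

$disabled = @($mailboxes | Where-Object { -not $_.AuditEnabled })
Write-Host "$($disabled.Count) of $($mailboxes.Count) mailboxes have auditing disabled"

foreach ($mbx in $disabled) {
    # Add -WhatIf to preview the change without applying it.
    Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true
}

# The @{Add=} syntax appends to the multi-valued property without dropping
# actions that are already configured.
foreach ($mbx in $mailboxes) {
    $missing = @($ownerActionsWanted | Where-Object { $mbx.AuditOwner -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-Mailbox -Identity $mbx.UserPrincipalName -AuditOwner @{ Add = $missing }
    }
}

# Re-read rather than trust the commands; report anything still off.
$stillOff = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object -ExpandProperty UserPrincipalName)
if ($stillOff.Count -gt 0) {
    Write-Warning "Auditing still disabled on: $($stillOff -join ', ')"
} else {
    Write-Host 'Auditing enabled on all mailboxes'
}

# Show the audited action sets so you can see what is (and is not) covered.
Get-Mailbox -ResultSize Unlimited |
    Select-Object UserPrincipalName, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin |
    Format-List
```

Microsoft has since started turning mailbox auditing on by default at the organisation level; Get-OrganizationConfig shows that as an AuditDisabled value of False. The per-mailbox check above is still the way to see exactly which actions are being recorded.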

Configuring an Office 365 SPAM filtering policy with PowerShell

I recently wrote an article that shows you how to configure the spam policy in Office 365 using the web interface. If you missed that you can find it here:

Configuring an Office 365 SPAM filtering policy

Doing this multiple times via the web interface is a lot of work. A better approach is to use PowerShell. So, once you have connected to Exchange Online PowerShell, run these two commands:

$policyparams = @{
    'Name'                                 = 'Configured Policy';
    'BulkSpamAction'                       = 'MoveToJmf';
    'BulkThreshold'                        = 7;
    'HighConfidenceSpamAction'             = 'MoveToJmf';
    'InlineSafetyTipsEnabled'              = $true;
    'MarkAsSpamBulkMail'                   = 'On';
    'IncreaseScoreWithImageLinks'          = 'Off';
    'IncreaseScoreWithNumericIps'          = 'On';
    'IncreaseScoreWithRedirectToOtherPort' = 'On';
    'IncreaseScoreWithBizOrInfoUrls'       = 'On';
    'MarkAsSpamEmptyMessages'              = 'On';
    'MarkAsSpamJavaScriptInHtml'           = 'On';
    'MarkAsSpamFramesInHtml'               = 'On';
    'MarkAsSpamObjectTagsInHtml'           = 'On';
    'MarkAsSpamEmbedTagsInHtml'            = 'On';
    'MarkAsSpamFormTagsInHtml'             = 'On';
    'MarkAsSpamWebBugsInHtml'              = 'On';
    'MarkAsSpamSensitiveWordList'          = 'On';
    'MarkAsSpamSpfRecordHardFail'          = 'On';
    'MarkAsSpamFromAddressAuthFail'        = 'On';
    'MarkAsSpamNdrBackscatter'             = 'On';
    'PhishSpamAction'                      = 'MoveToJmf';
    'SpamAction'                           = 'MoveToJmf';
    'ZapEnabled'                           = $true
}

New-HostedContentFilterPolicy @policyparams

The first command basically sets up a hashtable of all the parameters you are going to set in the spam policy. It makes the settings easier to adjust if you need to.

The second command creates a new policy based off this array that will be called ‘Configured Policy’.

However, after running these two commands you aren’t quite done yet. You have created the policy, but you also need to create a rule that applies this policy to recipients. To do that, use the following:

$ruleparams = @{
    'Name'                      = 'Configured Recipients';
    'HostedContentFilterPolicy' = 'Configured Policy';
    ## this needs to match the policy name used above
    'RecipientDomainIs'         = 'domain.com';
    ## this needs to match the domains you wish to protect in your tenant
    'Enabled'                   = $true
}

New-HostedContentFilterRule @ruleparams

You’ll need to ensure the policy names match as noted and you include the domains you wish to protect.

[image: the new spam filter entry in the Exchange admin center]

Once this has been completed, if you look in the Exchange admin center under protection and spam filter, you should see a new entry called ‘Configured Recipients’ (the rule, which applies the ‘Configured Policy’ policy) that was created by the above script commands.

Save the script away and run it whenever you need to set up a tenant. Note that New-HostedContentFilterPolicy and New-HostedContentFilterRule fail if a policy or rule with the same name already exists, so on a tenant where you have already run it, use Set-HostedContentFilterPolicy and Set-HostedContentFilterRule to change the settings instead. That should make life easier!
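To make the script safe to run repeatedly, I would have it create the policy and rule on a fresh tenant but update them on one that already has them, and scope the rule to every accepted domain rather than a hard-coded domain. The following is an added example, not the post’s own script: it uses the same names as above, a representative subset of the policy settings (add the rest from the hashtable above as needed), and assumes an Exchange Online PowerShell session.

```powershell
# Added example: create-or-update the spam policy and rule so the script is re-runnable.
# Assumes an Exchange Online PowerShell session. Names follow the post; the settings
# shown are a subset of the full hashtable above.
$policyName = 'Configured Policy'
$ruleName   = 'Configured Recipients'

$policySettings = @{
    BulkSpamAction                = 'MoveToJmf'
    BulkThreshold                 = 7
    HighConfidenceSpamAction      = 'MoveToJmf'
    PhishSpamAction               = 'MoveToJmf'
    SpamAction                    = 'MoveToJmf'
    InlineSafetyTipsEnabled       = $true
    ZapEnabled                    = $true
    MarkAsSpamBulkMail            = 'On'
    MarkAsSpamSpfRecordHardFail   = 'On'
    MarkAsSpamFromAddressAuthFail = 'On'
    MarkAsSpamNdrBackscatter      = 'On'
    MarkAsSpamJavaScriptInHtml    = 'On'
}

# New-HostedContentFilterPolicy errors if the name already exists, so branch on that.
if (Get-HostedContentFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-HostedContentFilterPolicy -Identity $policyName @policySettings
    Write-Host "Updated policy '$policyName'"
} else {
    New-HostedContentFilterPolicy -Name $policyName @policySettings | Out-Null
    Write-Host "Created policy '$policyName'"
}

# Scope the rule to every accepted domain in the tenant instead of 'domain.com'.
$domains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() })

if (Get-HostedContentFilterRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-HostedContentFilterRule -Identity $ruleName `
        -HostedContentFilterPolicy $policyName -RecipientDomainIs $domains
    Enable-HostedContentFilterRule -Identity $ruleName
    Write-Host "Updated rule '$ruleName'"
} else {
    New-HostedContentFilterRule -Name $ruleName `
        -HostedContentFilterPolicy $policyName -RecipientDomainIs $domains -Enabled $true | Out-Null
    Write-Host "Created rule '$ruleName'"
}

# Read back and confirm the rule really points at the policy and covers the domains.
$rule = Get-HostedContentFilterRule -Identity $ruleName
if ("$($rule.HostedContentFilterPolicy)" -ne $policyName) {
    Write-Warning "Rule '$ruleName' is bound to '$($rule.HostedContentFilterPolicy)', not '$policyName'"
} else {
    Write-Host "Rule '$ruleName' applies '$policyName' to: $($rule.RecipientDomainIs -join ', ')"
}
```

The read-back at the end is the same habit as with the activity alerts: the admin center is not the only way to confirm what was configured, and checking in the same script you ran is faster.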

Free CIAOPS Yammer support network


I am happy to announce that I have set up a free CIAOPS Patron support network on Yammer that is focused on the Microsoft Cloud. In there I have groups on Azure, Microsoft 365, Office 365, Windows 10 and more. Members can ask questions, reply to posts, and share interesting information to help others.

Although access to this network is free it is by invite only, so if you want access you’ll need to send me an email (director@ciaops.com) requesting access.

I’ve done this in Yammer for a few reasons. Firstly, it is going to give me the experience of managing a ‘larger’ Yammer external network. This will hopefully improve my technical experience with the product and also teach me more about how to implement adoption successfully. Secondly, I’m hopefully giving people a way to get a feel for what Yammer is all about, how it works and what benefits it provides. Yammer for me is probably the most important adoption tool, as I have said before:

Focus on the “me” services first

so hopefully giving people a reason to come and experience Yammer for themselves will give them a better idea of what role it can play in a business.

Again, this offering is free but by invite only. To secure your invite just email me at director@ciaops.com.