Tuesday, August 14, 2018

I’m puzzled by new-protectionalert

Microsoft is transitioning Office 365 Activity Alerts which I have talked about configuring here with PowerShell:

Create Office 365 Activity Alerts using PowerShell

to Alert Policies which you can see in the console here:

image

You will notice that I have been able to go in and create two of my own alerts (test and Test 2). I did this via the web console. I performed this web console configuration on a Microsoft 365 Business tenant.

Working with the web console is the slow way to get things done. PowerShell is best practice if you want to do things quickly and make them repeatable.

My thinking was, if I can configure these alerts in the web console I “should” also be able to that in PowerShell.

Initially, I thought you could using this new PowerShell command:

new-protectionalert

Now the information for this actual command is a bit sparse but I started working backwards from the alerts I created in the web console.

image

As you can see from the above, when I was able to work out a command that seemed to execute I was greeted with the error:

Creating advanced alert policies requires an Office 365 E5 subscription or Office 365 E3 subscription with an Office 365

Threat Intelligence or Office 365 EquivioAnalytics add-on subscription for your organization. With your current subscription, only single event alert can be created.

which seems to indicate I don’t have the license, but yet I can create what I believe to be an identical alert in the web console. Basically, I just want an alert when someone marks an email as “Phish”.

image

In Powershell I’m using the parameter:

-filter "Activity.SubmissionType -eq 'Phish'"

which would seem to me to be the same thing. Yet, I’m told that I don’t have the right license??

In the end, I want to create a PowerShell script that allows me to configure these commands so that they can be easily applied. Currently, at the moment, I’m a bit confused on how to exactly achieve this.