PowerShell scripts for Microsoft 365 Security Reports
Data security is a major concern for most enterprises that use Microsoft 365. Though the Microsoft 365 Security and Compliance Center offers various security reports, IT admins have to rely on PowerShell scripts to fetch details that the Security and Compliance Center doesn't provide.
Throughout the examples below, we'll use the email ID john@example.com for the user John.
Data Loss Prevention (DLP) policy report
Get-MailDetailDlpPolicyReport -StartDate 03/01/2019 -EndDate 03/07/2019
This code lists the data loss prevention (DLP) activities for the first week of March 2019.
Mailbox Retention policy report
Get-Mailbox -ResultSize Unlimited | Format-Table UserPrincipalName,RetentionPolicy,RetentionUrl,RetentionComment,RetentionHoldEnabled,StartDateForRetentionHold,EndDateForRetentionHold
This code displays the retention policy details of all the mailboxes in your organization.
Password Never Expires report
Get-AzureADUser -All $true | Select-Object UserPrincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"} }
This code displays the list of users and the value of the "Password Never Expires" setting.
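The following is an added example, not part of the original article. PasswordPolicies is a single string that can hold more than one policy name (for example "DisablePasswordExpiration, DisableStrongPassword"), so the function splits it before testing for DisablePasswordExpiration and also reports AccountEnabled, which lets you review enabled accounts first. The function name Get-PasswordNeverExpiresReport and the sample users are constructed for illustration.

```powershell
# Added example. Accepts any objects that expose UserPrincipalName,
# AccountEnabled and PasswordPolicies, such as Get-AzureADUser output.
function Get-PasswordNeverExpiresReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # PasswordPolicies is one string; multiple policies are comma-separated.
        $policies = @()
        if ($User.PasswordPolicies) {
            $policies = @($User.PasswordPolicies -split ',' | ForEach-Object { $_.Trim() })
        }
        [pscustomobject]@{
            UserPrincipalName    = $User.UserPrincipalName
            AccountEnabled       = [bool]$User.AccountEnabled
            PasswordNeverExpires = $policies -contains 'DisablePasswordExpiration'
            PasswordPolicies     = $policies -join ', '
        }
    }
}

# Constructed sample input standing in for Get-AzureADUser output.
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'john@example.com'
                       AccountEnabled = $true
                       PasswordPolicies = 'DisablePasswordExpiration' }
    [pscustomobject]@{ UserPrincipalName = 'svc-backup@example.com'
                       AccountEnabled = $true
                       PasswordPolicies = 'DisablePasswordExpiration, DisableStrongPassword' }
    [pscustomobject]@{ UserPrincipalName = 'former.employee@example.com'
                       AccountEnabled = $false
                       PasswordPolicies = 'DisablePasswordExpiration' }
    [pscustomobject]@{ UserPrincipalName = 'jane@example.com'
                       AccountEnabled = $true
                       PasswordPolicies = $null }
)

# Against a live tenant: Get-AzureADUser -All $true | Get-PasswordNeverExpiresReport
$report = $sampleUsers | Get-PasswordNeverExpiresReport

# Enabled accounts with a non-expiring password are the ones to review first.
$report |
    Where-Object { $_.AccountEnabled -and $_.PasswordNeverExpires } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```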
Mailbox Quota Changes
New-AdminAuditLogSearch -Name "Mailbox Quota Change Audit" -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults,ProhibitSendReceiveQuota,ProhibitSendQuota -StartDate 01/24/2019 -EndDate 02/12/2019 -StatusMailRecipients john@example.com
This code lists all the administrator audit log entries that match the following criteria and emails the results to john@example.com:
- Cmdlets: Set-Mailbox
- Parameters: UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota
- StartDate: 01/24/2019
- EndDate: 02/12/2019
Mailbox admin activities
Search-MailboxAuditLog -Identity john -LogonTypes Admin,Delegate -StartDate 1/1/2019 -EndDate 12/31/2019 -ResultSize 2000
This code retrieves mailbox audit log entries for actions performed by Admin and Delegate logon types between 1/1/2019 and 12/31/2019 on John's mailbox. A maximum of 2,000 log entries can be returned.
M365 Manager Plus' pre-configured reports
M365 Manager Plus, ManageEngine's Microsoft 365 reporting, auditing, monitoring, and management solution, comes with more than 700 preconfigured reports on Azure AD, Exchange Online, OneDrive for Business, Yammer, and other Microsoft 365 services.
When it comes to security, taking a reactive approach can be a grave mistake. M365 Manager Plus' security reports make it easy to be proactive; these pre-configured reports can be generated in a single click, scheduled to run at regular intervals, and emailed to administrators.
Some of M365 Manager Plus' reports include:
- User Mailbox Security
- Shared Mailbox Security
- Mailbox Retention Policy
- Mailbox On Hold
- Mailbox Auditing
- Admin Roles
- Exchange Admin Roles
- User Password Settings
- Recently Removed Member from Role
- Recently Added Member to Role
- Last Password Change
- Updated Company Contact Information
- Exchange Admin Activity
- Azure Admin Activity
- InPlace Hold & eDiscovery Activity
- Litigation Hold Activity
- Mailbox Quota Changes
- Mailbox Size Changes
- Mailbox Permission Changes
- Mailbox Delegate Changes
- Mailbox Created
- Mailbox Deleted
- User Activities Reports
- Non-Owner Mailbox Access
- Send As Activities by Non-Owners
- Mailbox Login Activities
- Exchange User Activities
Advantages of M365 Manager Plus reporting
Advanced filters: Use property and condition-based filters to retrieve the data you need without lengthy PowerShell scripts.
Historical data: Microsoft 365 only retains data for up to 180 days (although some subscription plans retain data for only 30 days). M365 Manager Plus reports, on the other hand, present all data from the date of installation.
Embed in dashboard: M365 Manager Plus' dashboard is customizable, which enables you to add graphs from reports onto it. This helps you to take a quick look at the information most important to your organization's security, including the mail traffic summary, top email senders and receivers, and client device usage. This dashboard can be embedded in any of your webpages to facilitate constant monitoring.
Schedule reports: Reports can be scheduled to be generated at regular intervals to reduce the burden of manually generating reports.
Export or email: Reports can be exported to PDF, XLSX, HTML, or CSV formats and emailed to the administrator.
Delegate reports: Securely delegate the task of report generation to technicians and IT staff without giving them full access to the Microsoft 365 Admin Center.