blog.icewolf.ch

Let's talk about IT!

posts - 2247, comments - 295, trackbacks - 0

My Links

Post Categories

icewolf

Wednesday, January 25, 2023

Exchange Online: Use Test-Message to verify your Transport- and DLP Rules

Hi All,

In the Microsoft 365 Message Center https://admin.microsoft.com/#/MessageCenter there is an Announcement about Test-Message where you can test the Transport Rules and DLPRules.

FIX: Exchange Transport rule (ETR) or Data Loss Prevention (DLP) rule is not working as expected

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/fix-exchange-transport-rule-etr-or-data-loss-prevention-dlp-rule/ba-p/3033869

Test-Message

https://learn.microsoft.com/en-us/powershell/module/exchange/test-message?view=exchange-ps

Test-Message -Sender m.muster@icewolf.ch -Recipients postmaster@icewolf.ch -SendReportTo a.bohren@icewolf.ch -TransportRules -UnifiedDLPRules

Let's have a look at my Transport Rules

Get-TransportRule

Now i get two Reports: "Transport Rule Tracing Report"

and a "DLP Rules Tracing Report"

Regards

Andres

posted @ Thursday, January 26, 2023 11:39 AM | Filed Under [ Exchange ]

Analyze AzureAD SignIn Logs with PowerShell

Hi All,

I recently had a case where i needed to access the AzureAD Signin Logs with PowerShell.

I've started at the Azure AD Signin Logs and filtered by UPN

https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/SignIns

Next step was Graph Explorer where i found the needed Permissions

###############################################################################
# Graph Explorer
###############################################################################
#Go to https://aka.ms/ge
https://graph.microsoft.com/v1.0/auditLogs/signIns
https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=startsWith(userPrincipalName,'a.bohren@icewolf.ch')

Let's connect with these Permissions (they need Admin Consent and i already have that)

#Import-Module and Connect to Microsoft Graph
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scope AuditLog.Read.All,Directory.Read.All

By default you only get 1000 Rows

#Get Signins
$Signins = Get-MgAuditLogSignIn
$Signins.Count

Let's check the Details of one Record

#Show Details of one Record
$Signins[0] | fl

Do we have SignIns where RiskState is set?

#List RiskState
$Signins | where {$_.RiskState -ne "none"}

By using a Filter you can search for UPN and with the "-All" Parameter you get all Records that match the Filter

###############################################################################
# Use query parameters to customize responses
# https://docs.microsoft.com/en-us/graph/query-parameters
###############################################################################

#Search for a specific User
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')"
$Signins.Count
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -All
$Signins.Count

Now we filter for only successfull Logins, sort by date and use only the Attributes i am interested in

#List Details
$Signins | where {$_.ConditionalAccessStatus -eq "success"} | sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime

If you just need the last couple SignIns use this command

#Get latest 10 Signins for a specific User
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -Top 10
$Signins | sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime