PhoneGet Quote
US Sales: +1 888 720 9500
US Support: +1 844 245 1108
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9890


PowerShell scripts for Office 365 security

Data security is a major concern for most enterprises that use Office 365. Though the Office 365 Security and Compliance Center offers various security reports, IT admins have to rely on PowerShell scripts to fetch details that the Security and Compliance Center doesn't provide.

Throughout the examples below, we'll use the email ID for the user John.

Data Loss Prevention (DLP) policy report

Get-MailDetailDlpPolicyReport -StartDate 03/01/2019 -EndDate 03/07/2019

This code lists the data loss prevention (DLP) activities of the first week of March, 2019.

Mailbox Retention policy report

Get-Mailbox -ResultSize unlimited | format-table UserPrincipalName,RetentionPolicy,RetentionUrl,RetentionComment,RetentionHoldEnabled, StartDateForRetentionHold,EndDateForRetentionHold 

This code displays the retention policy details of all the mailboxes in your organization.

Password Never Expires report

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} }

This code displays the list of users and the value of the "Password Never Expires" setting.

Mailbox Quota Changes

New-AdminAuditLogSearch -Name "Mailbox Quota Change Audit" -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota -StartDate 01/24/2019 -EndDate 02/12/2019 -StatusMailRecipients,

This code lists all the administrator audit log entries that match the following criteria and emails the results to

  • Cmdlets:Set-Mailbox
  • Parameters:UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota
  • StartDate: 01/24/2019
  • EndDate: 02/12/2019

Mailbox admin activities

Search-MailboxAuditLog -Identity john -LogonTypes Admin,Delegate -StartDate 1/1/2019 -EndDate 12/31/2019 -ResultSize 2000

This code retrieves mailbox audit log entries for actions performed by Admin and Delegate logon types between 1/1/2019 and 12/31/2019 on John's mailbox. A maximum of 2,000 log entries can be returned.

O365 Manager Plus' pre-configured reports

O365 Manager Plus, ManageEngine's Office 365 reporting, auditing, monitoring, and management solution, comes with more than 700 preconfigured reports on Azure AD, Exchange Online, Skype for Business, OneDrive for Business, Yammer, and other Office 365 services.

When it comes to security, taking a reactive approach can be a grave mistake. O365 Manager Plus' security reports make it easy to be proactive; these pre-configured reports can be generated in a single click, scheduled to run at regular intervals, and emailed to administrators.

Some of O365 Manager Plus' reports include:

  • User Mailbox Security
  • Shared Mailbox Security
  • Mailbox Retention Policy
  • Mailbox On Hold
  • Mailbox Auditing
  • Admin Roles
  • Exchange Admin Roles
  • User Password Settings
  • Last Password Change
  • Recently Added Member to Role
  • Recently Removed Member from Role
  • Updated Company Contact Information
  • Exchange Admin Activity
  • Azure Admin Activity
  • InPlace Hold & eDiscovery Activity
  • Litigation Hold Activity
  • Mailbox Quota Changes
  • Mailbox Size Changes
  • Mailbox Permission Changes
  • Mailbox Delegate Changes
  • Mailbox Created
  • Mailbox Deleted
  • User Activities Reports
  • Non-Owner Mailbox Access
  • Send As Activities by Non-Owners
  • Mailbox Login Activities
  • Exchange User Activities

Advantages of O365 Manager Plus reporting

Advanced filters: Use property and condition-based filters to retrieve the data you need without lengthy PowerShell scripts.

Historical data: Office 365 only retains data for up to 180 days (although some subscription plans retain data for only 30 days). O365 Manager Plus reports, on the other hand, present all data from the date of installation.

Embed in dashboard: O365 Manager Plus' dashboard is customizable, which enables you to add graphs from reports onto it. This helps you to take a quick look at the information most important to your organization's security, including the mail traffic summary, top email senders and receivers, and client device usage. This dashboard can be embedded in any of your webpages to facilitate constant monitoring.

Schedule reports: Reports can be scheduled to be generated at regular intervals to reduce the burden of manually generating reports.

Export or email: Reports can be exported to PDF, XLS, HTML, or CSV formats and emailed to the administrator.

Delegate reports: Securely delegate the task of report generation to technicians and IT staff without giving them full access to the Office 365 Admin Center.

A holistic Office 365 administration solution