Event Viewer Cmdlets

Get-WinEvent -FilterHashtable @{LogName="Application"; Id="1001"} | ?{$_.ProviderName -match "wininit"} | fl TimeCreated, Message

To connect to Office 365 PowerShell

$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Run this command when you're all done!
Remove-PSSession $Session

If you get "the specified module msonline was not loaded" then download the Windows Azure Active Directory Module for Windows PowerShell.

Use the following command to export a list of all users in Office 365, selecting their name and email address and showing whether they have a license.

# -All is needed because Get-MsolUser otherwise returns only the first 500 users
Get-MsolUser -All | Select DisplayName,UserPrincipalName,IsLicensed | Export-Csv c:\temp\Users.csv

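Use the following command to force all users to change their password at next logon.

# -ForceChangePassword and -ForceChangePasswordOnly are parameters of Set-MsolUserPassword, not Set-MsolUser
Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true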

Use the following command to require password complexity for all users.

Get-MsolUser -All | Set-MsolUser -StrongPasswordRequired $True

Use the following command to force a single user to change their password at next logon.

Set-MsolUserPassword -UserPrincipalName [email protected] -ForceChangePasswordOnly $true -ForceChangePassword $true

Use the following commands to select users from a CSV file and force them to change their passwords at next logon.

Get-MsolUser -All | Export-Csv -NoTypeInformation C:\temp\DOMAIN365.csv

$users = Import-Csv C:\temp\DOMAIN365.CSV
$users | foreach {Get-MsolUser -UserPrincipalName $_.userprincipalname | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true}

If you have thousands of users in Office 365 you can use additional filters to select users, e.g. select users by Country.

Get-MsolUser -All | ? {$_.Country -eq "USA"} | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

To connect to the Security and Compliance portion of Office 365

# RemoteSigned is enough for Import-PSSession to load the session's generated module; Unrestricted is not needed
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Run this command when you're all done!
Remove-PSSession $Session

To search the Admin Audit Log

-Append acts like a loop, adding each run's output to the same CSV file to gather more than 250k results.

Search-AdminAuditLog -ResultSize 250000 -StartDate 03/01/2017 -EndDate 04/13/2017 | Export-Csv -NoTypeInformation C:\temp\AdminAuditlog01.csv

Search-AdminAuditLog -ResultSize 250000 -StartDate 03/01/2017 -EndDate 04/13/2017 | Export-Csv -NoTypeInformation -Append C:\temp\AdminAuditlog01.csv

To enable and search the Mailbox Audit logs

Use the following command to check whether mailbox auditing is enabled or disabled.

Get-Mailbox | fl *audit*

Get-Mailbox -Identity "UserName" | fl *audit*

Use the following command to enable mailbox audit logging.

Get-Mailbox | Set-Mailbox -AuditEnabled $true -auditadmin copy,create,folderbind,harddelete,messagebind,move,movetodeleteditems,sendas,sendonbehalf,softdelete,update -auditdelegate create,folderbind,harddelete,move,movetodeleteditems,sendas,sendonbehalf,softdelete,update -auditowner create,harddelete,mailboxlogin,move,movetodeleteditems,softdelete,update

Use the following commands to search the mailbox audit log for a user, using -Append to see more than 1k results.

Search-MailboxAuditLog -StartDate 04/12/2017 -EndDate 04/13/2017 -ShowDetails -Identity "User Name" -ResultSize 1000 | Export-Csv -NoTypeInformation C:\temp\MailboxAuditLogTest.csv

Search-MailboxAuditLog -StartDate 04/12/2017 -EndDate 04/13/2017 -ShowDetails -Identity "User Name" -ResultSize 1000 | Export-Csv -NoTypeInformation -Append C:\temp\MailboxAuditLogTest.csv

To search the Unified Audit logs

Use the following commands to search the audit log for a user, using -Append to see more than 5k results.

Search-UnifiedAuditLog -startdate 03/01/2017 -EndDate 04/13/2017 -ObjectIds "[email protected]" -SessionId "MSTest" -ResultSize 5000 | Export-Csv -NoTypeInformation C:\temp\UnifiedAuditLog01.csv

Search-UnifiedAuditLog -startdate 03/01/2017 -EndDate 04/13/2017 -ObjectIds "[email protected]" -SessionId "MSTest" -ResultSize 5000 | Export-Csv -NoTypeInformation -Append C:\temp\UnifiedAuditLog01.csv

Use the following commands to search the audit log for all users, using -Append to see more than 5k results.

Search-UnifiedAuditLog -startdate 04/10/2017 -EndDate 04/13/2017 -SessionId "MSTest" -ResultSize 5000 | Export-Csv -NoTypeInformation C:\temp\UnifiedAuditLogAllUsers01.csv

Search-UnifiedAuditLog -startdate 04/17/2017 -EndDate 04/18/2017 -SessionId "MSTest" -ResultSize 5000 | Export-Csv -NoTypeInformation C:\temp\UnifiedAuditLogAllUsersBreach01.csv
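
Repeated -Append runs can write the same record to the CSV more than once, and the detail of each event sits in the AuditData JSON column. The following added example (not part of the original notes) de-duplicates exported rows on Identity and expands AuditData for triage; the sample rows, the helper names New-SampleRow and Expand-AuditRows, and every value in them are constructed for illustration.

```powershell
# Constructed sample rows standing in for: Import-Csv C:\temp\UnifiedAuditLog01.csv
# Column names follow Search-UnifiedAuditLog output; all values are made up.
function New-SampleRow($Id, $User, $Op, $Ip, $Time) {
    [pscustomobject]@{
        Identity     = $Id
        CreationDate = $Time
        UserIds      = $User
        Operations   = $Op
        AuditData    = @{ Id = $Id; UserId = $User; Operation = $Op
                          ClientIP = $Ip; CreationTime = $Time } | ConvertTo-Json -Compress
    }
}
$rows = @(
    New-SampleRow 'a1' 'alice@example.com' 'UserLoggedIn'   '198.51.100.7' '2017-04-12T08:01:00'
    New-SampleRow 'a2' 'alice@example.com' 'New-InboxRule'  '203.0.113.50' '2017-04-12T23:40:00'
    New-SampleRow 'a2' 'alice@example.com' 'New-InboxRule'  '203.0.113.50' '2017-04-12T23:40:00'  # same record appended twice
    New-SampleRow 'b1' 'bob@example.com'   'FileDownloaded' '198.51.100.9' '2017-04-12T09:15:00'
)

function Expand-AuditRows {
    param([Parameter(Mandatory)][object[]]$Rows)
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($row in $Rows) {
        # HashSet.Add returns $false when the Identity was already seen
        if (-not $seen.Add($row.Identity)) { continue }
        try   { $d = $row.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Unparseable AuditData for $($row.Identity)"; continue }
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            ClientIP  = $d.ClientIP   # $null when the record type carries no client IP
        }
    }
}

$events = Expand-AuditRows -Rows $rows

# Timeline of unique events, then a count per user and source address
$events | Sort-Object Time | Format-Table -AutoSize
$events | Group-Object User, ClientIP | Select-Object Count, Name
```

To run it against a real export, replace the constructed $rows with the output of Import-Csv on the file written by the searches above.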

