Get alerts for Elevation of Privilege operations on all Office 365 customer tenants
Elevation of privilege operations can be used by hackers or bad actors to grant extra permissions to themselves or to accounts under their control.
These operations could be assigning admin roles, setting up mailbox redirections, or the ability to create eDiscovery cases to access data stored in other accounts.
In another post, I demonstrated how to monitor admin role changes in Office 365 customer tenants. While that method works, there’s a bit of work involved in setting it up and it only runs a few times a day.
Using the New-ActivityAlert cmdlet available via the Office 365 Security and Compliance Center, we can be notified within minutes after a potentially suspicious Elevation of Privilege operation has occurred.
The following scripts will show you how to create activity alerts for Elevation of Privilege operations via PowerShell. The first one is for a single Office 365 tenant, the second one is for Microsoft Partners and will allow you to set up the activity alert on all customer tenants.
Please note that these alerts can also be set up for individual tenants via the Office 365 Security and Compliance Center at https://protection.office.com
How to use these scripts to add an Elevation of Privilege Activity Alert via PowerShell
- Double click either of the scripts below
- Create and save a file in Visual Studio Code with a .ps1 extension
- Paste in the script and edit the $ruleEmail and $ruleName parameters as required
- Press F5 to run it.
Some things to keep in mind
- These scripts won’t work with multi-factor authentication on the admin account, because they connect to the Security and Compliance Center endpoint with basic authentication and a stored credential
- You may decide to set up a separate mailbox to receive the alerts, e.g. [email protected]. In our case we have set up a forwarder from this address to our support system.
PowerShell script to add an Elevation of Privilege alert to a single Office 365 tenant.
Keep in mind that you can do this for a single tenant via https://protection.office.com
# Name of the activity alert and the mailbox that receives notifications. Edit both as required.
$ruleName = "Elevation of Privilege Alert"
$ruleEmail = "[email protected]"

# Admin credentials for the tenant (basic auth; MFA-enabled accounts will not work here).
$credentials = Get-Credential

Write-Output "Getting the Security & Compliance Center cmdlets"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ `
    -Credential $credentials -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Only create the alert if one with this name does not already exist.
$alert = $null
$alert = Get-ActivityAlert -Identity $ruleName -ErrorAction SilentlyContinue
if (!$alert) {
    $newAlert = New-ActivityAlert -Name $ruleName -NotifyUser $ruleEmail -Type ElevationOfPrivilege
    if ($newAlert) {
        Write-Host "Alert created" -ForegroundColor Green
    }
} else {
    Write-Host "Alert already exists" -ForegroundColor Green
}

Remove-PSSession $Session
PowerShell script to add an Elevation of Privilege alert to all Office 365 customer tenants
# Name of the activity alert and the mailbox that receives notifications. Edit both as required.
$ruleName = "Elevation of Privilege Alert"
$ruleEmail = "[email protected]"

# Partner admin credentials (basic auth; MFA-enabled accounts will not work here).
$credentials = Get-Credential
Connect-MsolService -Credential $credentials

# Every customer tenant with a delegated partner contract.
$customers = Get-MsolPartnerContract

foreach ($customer in $customers) {
    Write-Host "`nChecking activity alert on $($customer.name)" -ForegroundColor Blue

    # The initial (onmicrosoft.com) domain identifies the tenant for the delegated connection.
    $InitialDomain = Get-MsolDomain -TenantId $customer.tenantid | Where-Object {$_.IsInitial -eq $true}
    $DelegatedOrgURL = "https://ps.compliance.protection.outlook.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name

    $SCDS = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credentials `
        -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
    # Import only the two cmdlets needed, keeping the session import fast.
    Import-PSSession $SCDS -CommandName Get-ActivityAlert, New-ActivityAlert

    # Only create the alert if one with this name does not already exist in this tenant.
    $alert = $null
    $alert = Get-ActivityAlert -Identity $ruleName -ErrorAction SilentlyContinue
    if (!$alert) {
        $newAlert = New-ActivityAlert -Name $ruleName -NotifyUser $ruleEmail -Type ElevationOfPrivilege
        if ($newAlert) {
            Write-Host "Alert created for $($customer.name)" -ForegroundColor Green
        }
    } else {
        Write-Host "Alert already exists for $($customer.name)" -ForegroundColor Green
    }

    Remove-PSSession $SCDS
}
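Once the alert has been rolled out, it is worth checking periodically that it is still in place on every tenant: an account that has just elevated its own privileges could also delete or disable the alert that would have reported it. The following audit script is an added example, not part of the original post. It reuses the same partner credentials and delegated-org connection method as the scripts above and reports, per tenant, whether the alert is present, enabled and notifying the expected mailbox. The alert object properties Disabled and NotifyUser are assumed, as is the constructed placeholder mailbox address.

```powershell
# Added example: audit the Elevation of Privilege activity alert across all customer tenants.
# Assumes the same delegated-org connection as the rollout scripts; the properties
# Disabled and NotifyUser on the object returned by Get-ActivityAlert are assumed.
$ruleName  = "Elevation of Privilege Alert"
$ruleEmail = "alerts@example.com"   # constructed placeholder; replace with your alert mailbox

$credentials = Get-Credential
Connect-MsolService -Credential $credentials

$report = foreach ($customer in Get-MsolPartnerContract) {
    $initialDomain = Get-MsolDomain -TenantId $customer.TenantId |
        Where-Object { $_.IsInitial -eq $true }
    $delegatedOrgUrl = "https://ps.compliance.protection.outlook.com/powershell-liveid?DelegatedOrg=" +
        $initialDomain.Name

    $status  = "Unknown"
    $session = $null
    try {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri $delegatedOrgUrl -Credential $credentials `
            -Authentication Basic -AllowRedirection -ErrorAction Stop
        Import-PSSession $session -CommandName Get-ActivityAlert -AllowClobber | Out-Null

        $alert = Get-ActivityAlert -Identity $ruleName -ErrorAction SilentlyContinue
        if (-not $alert) {
            $status = "Missing"
        } elseif ($alert.Disabled) {
            $status = "Disabled"
        } elseif (($alert.NotifyUser -join ",") -notlike "*$ruleEmail*") {
            $status = "WrongRecipient"
        } else {
            $status = "OK"
        }
    } catch {
        # A tenant we cannot reach is also a coverage gap, so record it rather than skip it.
        $status = "ConnectFailed: $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-PSSession $session }
    }

    [pscustomobject]@{
        Tenant     = $customer.Name
        Domain     = $initialDomain.Name
        AlertState = $status
    }
}

# Anything other than OK deserves attention: an alert that was deployed earlier and is now
# missing or disabled is itself a change an administrator should be able to account for.
$report | Sort-Object AlertState | Format-Table -AutoSize
$report | Where-Object { $_.AlertState -ne "OK" } |
    Export-Csv -Path .\eop-alert-audit.csv -NoTypeInformation
```

Run it on the same schedule as any other tenant health check; the CSV of non-OK tenants can be fed to the same support system that receives the alert emails.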