Get alerts for Elevation of Privilege operations on all Office 365 customer tenants

Get Alerts on Elevation of Privilege Operations in Office 365

Elevation of privilege operations can be used by hackers or bad actors to grant extra permissions to themselves or to accounts under their control.

These operations could be assigning admin roles, setting up mailbox redirections, or the ability to create eDiscovery cases to access data stored in other accounts.

In another post, I demonstrated how to monitor admin role changes in Office 365 customer tenants. While that method works, there’s a bit of work involved in setting it up and it only runs a few times a day.

Using the New-ActivityAlert cmdlet available via the Office 365 Security and Compliance Center, we can be notified minutes after a potentially suspicious Elevation of Privileges operation has occurred.


The following scripts will show you how to create activity alerts for Elevation of Privilege operations via PowerShell. The first one is for a single Office 365 tenant, the second one is for Microsoft Partners and will allow you to set up the activity alert on all customer tenants.

Please note that these alerts can also be set up for individual tenants via the Office 365 Security and Compliance Center at https://protection.office.com.

How to use these scripts to add an Elevation of Privilege Activity Alert via PowerShell

  1. Double click either of the scripts below to select it
  2. Create and save a file in Visual Studio Code with a .ps1 extension
  3. Paste in the script and edit the $ruleEmail and $ruleName parameters as required
  4. Press F5 to run it.

Some things to keep in mind

  • These scripts won’t work with multi-factor authentication on the admin account
  • You may decide to set up a separate mailbox to receive the alerts, e.g. alerts@yourdomain.com. In our case we have set up a forwarder from this address to our support system.

PowerShell script to add an Elevation of Privilege alert to a single Office 365 tenant.

Keep in mind that you can do this for a single tenant via https://protection.office.com

# Edit these two values before running: the alert name and the mailbox that receives notifications
$ruleName = "Elevation of Privilege Alert"
$ruleEmail = "alerts@yourdomain.com"
$credentials = Get-Credential

Write-Output "Getting the Security & Compliance Center cmdlets"

# Connect to the Security & Compliance Center remote PowerShell endpoint
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ `
    -Credential $credentials -Authentication Basic -AllowRedirection

Import-PSSession $Session

# Only create the alert if one with this name does not already exist
$alert = $null
$alert = Get-ActivityAlert -Identity $ruleName -ErrorAction SilentlyContinue
if (!$alert) {
    $newAlert = New-ActivityAlert -Name $ruleName -NotifyUser $ruleEmail -Type ElevationOfPrivilege
    if ($newAlert) {
        Write-Host "Alert created" -ForegroundColor Green
    }
}
else {
    Write-Host "Alert already exists" -ForegroundColor Green
}
Remove-PSSession $Session

PowerShell script to add an Elevation of Privilege alert to all Office 365 customer tenants

# Edit these two values before running: the alert name and the mailbox that receives notifications
$ruleName = "Elevation of Privilege Alert"
$ruleEmail = "alerts@yourdomain.com"

$credentials = Get-Credential
Connect-Msolservice -Credential $credentials

# All customer tenants the partner account has delegated access to
$customers = Get-MsolPartnerContract

foreach ($customer in $customers) {
    Write-Host "`nChecking activity alert on $($customer.name)" -ForegroundColor Blue
    # The DelegatedOrg parameter needs the tenant's initial (onmicrosoft.com) domain
    $InitialDomain = Get-MsolDomain -TenantId $customer.tenantid | Where-Object {$_.IsInitial -eq $true}
    $DelegatedOrgURL = "https://ps.compliance.protection.outlook.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name
    $SCDS = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credentials -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
    # -AllowClobber lets each loop iteration replace the proxy cmdlets imported for the previous tenant;
    # without it the import reports name conflicts and later tenants keep using the closed session
    Import-PSSession $SCDS -CommandName Get-ActivityAlert, New-ActivityAlert -AllowClobber

    $alert = $null
    $alert = Get-ActivityAlert -Identity $ruleName -ErrorAction SilentlyContinue

    if (!$alert) {
        $newAlert = New-ActivityAlert -Name $ruleName -NotifyUser $ruleEmail -Type ElevationOfPrivilege
        if ($newAlert) {
            Write-Host "Alert created for $($customer.name)" -ForegroundColor Green
        }
    }
    else {
        Write-Host "Alert already exists for $($customer.name)" -ForegroundColor Green
    }

    Remove-PSSession $SCDS

}
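Both scripts above stop at "alert already exists", which leaves an alert that was later disabled or re-pointed at another mailbox unnoticed. The check below is an added example, not code from the original post: it verifies the alert's type, enabled state and recipient and repairs the last two, and can be called per tenant inside the partner loop. It assumes a Security & Compliance session has already been imported as in the scripts above, that Get-ActivityAlert returns objects with Type, Disabled and NotifyUser properties, and that Set-ActivityAlert accepts -Identity, -NotifyUser and -Disabled (these property and parameter names are assumptions).

```powershell
# Added example: detect and repair drift on an existing Elevation of Privilege alert.
# Assumes the Security & Compliance cmdlets are already imported into this session.
$ruleName  = "Elevation of Privilege Alert"
$ruleEmail = "alerts@yourdomain.com"

function Test-EopAlert {
    param([string]$Name, [string]$Email)

    $alert = Get-ActivityAlert -Identity $Name -ErrorAction SilentlyContinue
    if (-not $alert) {
        Write-Host "Missing: alert '$Name' does not exist" -ForegroundColor Red
        return $false
    }

    $problems = @()
    # Assumed property names: Type, Disabled, NotifyUser (NotifyUser is a collection of recipients)
    if ($alert.Type -ne "ElevationOfPrivilege") { $problems += "type is $($alert.Type)" }
    if ($alert.Disabled) { $problems += "alert is disabled" }
    $recipients = @($alert.NotifyUser) | ForEach-Object { "$_".ToLower() }
    if ($recipients -notcontains $Email.ToLower()) {
        $problems += "not notifying $Email (current: $($recipients -join ', '))"
    }

    if ($problems.Count -eq 0) {
        Write-Host "OK: '$Name' is enabled and routed to $Email" -ForegroundColor Green
        return $true
    }

    Write-Host "Drift on '$Name': $($problems -join '; ')" -ForegroundColor Yellow
    # Re-enable the alert and reset its recipient (assumed Set-ActivityAlert parameters).
    # A wrong Type is only reported: that alert should be reviewed and recreated by hand.
    Set-ActivityAlert -Identity $Name -NotifyUser $Email -Disabled $false
    return $false
}

Test-EopAlert -Name $ruleName -Email $ruleEmail
```

Run it on a schedule and treat a returned $false as a finding in its own right, since someone silencing the alert is itself a change worth investigating.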
