Office365 PowerShell Open Mailbox Audit feature

Source: Internet
Author: User

Recently the head office asked us to enable the audit function on all Office365 mailboxes. This feature cannot be configured through the graphical interface, only through PowerShell scripting.

Microsoft has provided an official script, but there is a small bug in it.

https://technet.microsoft.com/en-us/library/dn879651.aspx#step2

I found a bug in Office365: we had individual users with both an AD-synced account and a cloud-created account, that is, two accounts with the same name. Office365 allows this without error. But when we run Get-Mailbox XXXX | Set-Mailbox, it does not matter what XXXX is (alias, DisplayName, ID, Name and so on): Get-Mailbox returns the same object, and when that object passes through the pipeline, it is always the DisplayName that is passed on instead of the other values. So when a duplicate DisplayName exists, the system is confused, does not know which mailbox to modify, and fails with an error.

In my own case, I deliberately changed the DisplayName so that it differs from the other properties, and then traced how the pipeline parameters are bound:

```powershell
PS C:\temp> get-mailbox "yuan.li" | select name, displayname, id, alias

Name    DisplayName Id      Alias
----    ----------- --      -----
Yuan Li Yuan Lee    Yuan Li yuan.li
```

Tracking changes

```powershell
Trace-Command -PSHost -Name ParameterBinding -Expression {Get-Mailbox yuan.li | Set-Mailbox -AuditEnabled $true}
```

After a whole series of validations and remote calls, the last parameter passed in was the DisplayName, not the property I entered at the start of the pipeline. It does not matter what I enter: once the object has been retrieved, the property passed down the pipeline is always DisplayName.

Because of this bug, I do not recommend using the official Get-Mailbox | Set-Mailbox pipeline directly to modify data. Instead, write a foreach loop by hand that targets each mailbox through a property such as DistinguishedName, to avoid accidental collisions.
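A pre-flight check for the collision described above, as an added example that is not part of the original post or of Microsoft's script: it reports which identity properties are shared by more than one mailbox and confirms that DistinguishedName is safe to use as the key. The function name `Get-AmbiguousIdentity` is hypothetical and the sample mailboxes are constructed so the block runs offline.

```powershell
# Constructed sample: one AD-synced and one cloud-created account with the same
# DisplayName. Against a live tenant, replace this array with:
#   Get-Mailbox -ResultSize Unlimited | Select-Object Name, DisplayName, Alias, DistinguishedName
$mailboxes = @(
    [pscustomobject]@{ Name = 'sample.user';  DisplayName = 'Sample User'; Alias = 'sample.user'
                       DistinguishedName = 'CN=sample.user,OU=synced,DC=EXAMPLE' }
    [pscustomobject]@{ Name = 'sample.user2'; DisplayName = 'Sample User'; Alias = 'sample.user2'
                       DistinguishedName = 'CN=sample.user2,OU=cloud,DC=EXAMPLE' }
    [pscustomobject]@{ Name = 'other.user';   DisplayName = 'Other User';  Alias = 'other.user'
                       DistinguishedName = 'CN=other.user,OU=cloud,DC=EXAMPLE' }
)

# Hypothetical helper: for each identity property, list values shared by 2+ mailboxes.
function Get-AmbiguousIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox,
        [string[]] $Property = @('Name', 'DisplayName', 'Alias', 'DistinguishedName')
    )
    foreach ($prop in $Property) {
        # Group-Object compares strings case-insensitively by default.
        $Mailbox | Group-Object -Property $prop | Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Property          = $prop
                    Value             = $_.Name
                    Count             = $_.Count
                    DistinguishedName = $_.Group.DistinguishedName
                }
            }
    }
}

$collisions = @(Get-AmbiguousIdentity -Mailbox $mailboxes)
$collisions | Format-List

# Stop if the key used to target mailboxes in the loop is itself ambiguous.
if ($collisions | Where-Object { $_.Property -eq 'DistinguishedName' }) {
    throw 'DistinguishedName is not unique; it cannot be used as the Set-Mailbox identity.'
}

# Mailboxes sharing a DisplayName: the ones the pipeline form trips over,
# so they must be addressed by DistinguishedName.
$atRisk = @($collisions | Where-Object { $_.Property -eq 'DisplayName' } |
    ForEach-Object { $_.DistinguishedName })
"Mailboxes with a shared DisplayName: $($atRisk.Count)"
$atRisk
```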

Another problem is that Office365 cannot be set to enable auditing by default, so new accounts are created with auditing off. All I can do is set up a scheduled task that runs the script automatically every day to fix the settings of new accounts.

In addition, after each run I want the script to send me an email notification listing the modified accounts, and finally to write a Windows event log entry for later viewing. That covers the approach and the ingredients.

The following is the complete script

```powershell
# Create a secure string of your password (run once, as the account that will run this script).
# Without -Key, the file is DPAPI-protected and only that user on that machine can decrypt it.
# Read-Host -AsSecureString | ConvertFrom-SecureString > c:\temp\key.txt

# Admin account, used for both the Exchange Online session and the notification mail
$username = "[email protected]"

# Check if O365 session is set up; if not, create a new one
$Sessions = Get-PSSession
if (($Sessions.ComputerName -eq "outlook.office365.com") -and ($Sessions.State -ne 'Broken')) {
    Write-Host "Detect existing Office365 session, skip.." -ForegroundColor Cyan
}
else {
    $secureStringPwd = gc C:\temp\key.txt | ConvertTo-SecureString
    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secureStringPwd
    $ExoSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection
    Import-PSSession $ExoSession
}

# Find mailboxes that haven't enabled auditing
$users = Get-Mailbox -Filter {AuditEnabled -eq $false} | select name, alias, auditenabled, auditlogagelimit, distinguishedname

foreach ($user in $users) {
    # Separate variable so the admin $username above is not overwritten
    $mailboxName = $user.name
    try {
        # Target the mailbox by DistinguishedName to avoid DisplayName collisions
        Set-Mailbox $user.distinguishedname -AuditEnabled $true -AuditLogAgeLimit 365 -AuditOwner Create,HardDelete,MailboxLogin,MoveToDeletedItems,SoftDelete,Update -ErrorAction Stop
        # Create a Windows event log entry if needed
        Write-EventLog -LogName 'Application' -Source 'Application' -EventID 666 -EntryType Information -Message "$mailboxName Mailbox Auditing is enabled"
    }
    catch {
        Write-EventLog -LogName 'Application' -Source 'Application' -EventID 667 -EntryType Error -Message "$mailboxName Mailbox Auditing is failed to enable"
    }
}

# There are two ways to check the result: Event Viewer or email

# Check again if the status is changed (looked up by DistinguishedName, as above)
$result = foreach ($user in $users) {
    Get-Mailbox $user.distinguishedname | select name, alias, auditenabled, auditlogagelimit, distinguishedname
}

# Send email to the admin
$from = "[email protected]"
$to = "[email protected]"
$smtp = "smtp.office365.com"
$sub = "Auditing list"
$secureStringPwd = gc C:\temp\key.txt | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secureStringPwd
$date = Get-Date
$htmlbody = $result | ConvertTo-Html -Body " <H1> $date Mailbox Auditing Enabled record </H1>" -CssUri C:\tmp\table.css
Send-MailMessage -To $to -From $from -Subject $sub -Body ($htmlbody | Out-String) -Credential $creds -SmtpServer $smtp -DeliveryNotificationOption Never -BodyAsHtml -UseSsl -Port 587

# Check from Event Viewer
try {
    $eventcritea = @{logname = 'Application'; id = 666}
    $Events = Get-WinEvent -FilterHashtable $eventcritea -ErrorAction Stop
    ForEach ($Event in $Events) {
        # Attach the event message data as an extra property for display
        $eventXML = [xml]$Event.ToXml()
        $Event | Add-Member -MemberType NoteProperty -Force -Name Information -Value $eventXML.Event.EventData.Data
        $Event.Information
    }
}
catch [System.Exception] {
    "Couldn't find any mailbox auditing logs"
}

$Events | select information, id, logname, timecreated | Out-GridView -Title Status
```

Test results

Get the Windows log

Notification of incoming mail

After 2 days, make sure the status has changed on https://securescore.office.com/#!/score!
