How to monitor Microsoft 365 email and mailbox activity with PowerShell

Monitoring Microsoft 365 email and mailbox activity with PowerShell can be a crucial part of managing your organization's email security and compliance. With PowerShell, you can quickly and easily automate the process of monitoring email and mailbox activity, providing you with valuable insights into user behavior and potential security threats.


In this article, we will explore how to monitor Microsoft 365 email and mailbox activity with PowerShell, including how to set up alerts for specific events, such as suspicious logins or email forwarding, and how to analyze mailbox activity using PowerShell scripts.


Getting started with Microsoft 365 PowerShell


To get started with Microsoft 365 PowerShell, you'll need to install the Microsoft Online Services Sign-In Assistant and the Azure Active Directory PowerShell for Graph modules. You can download these modules from the Microsoft website or install them using the PowerShell Gallery.


Once you have installed the required modules, you can connect to your Microsoft 365 tenant by running the following command in PowerShell:


    Connect-MsolService


This will prompt you to enter your Microsoft 365 admin credentials. Once you have authenticated, you can start using PowerShell to manage your Microsoft 365 environment.


Monitoring email activity with PowerShell


To monitor email activity in Microsoft 365, you can use the Get-MessageTrace PowerShell cmdlet. This cmdlet allows you to retrieve a list of emails sent or received within a specific time frame.


For example, to retrieve a list of all emails sent or received in the last 24 hours, you can run the following command:


    Get-MessageTrace -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date)


This will return a list of all emails sent or received within the last 24 hours, including details such as the sender, recipient, subject, and date/time.
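Raw trace rows become useful once they are aggregated. The PowerShell below is an added example, not code from the original article: it summarises trace rows per sender to show who is mailing outside the organisation. The helper name Get-ExternalSendSummary, the contoso.com domain list, the threshold and the sample rows are assumptions; live use needs an Exchange Online PowerShell session (Connect-ExchangeOnline).

```powershell
# Added example: summarise message trace rows per sender for mail leaving the organisation.
# Get-ExternalSendSummary is a hypothetical helper, not a Microsoft cmdlet.
function Get-ExternalSendSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $TraceRow,  # needs SenderAddress, RecipientAddress, Status
        [string[]] $InternalDomains = @('contoso.com'),        # assumption: your accepted domains
        [int] $Threshold = 3                                   # assumption: flag senders at this count
    )
    begin { $external = [System.Collections.Generic.List[object]]::new() }
    process {
        # Keep only rows whose recipient domain is outside the organisation
        $domain = ($TraceRow.RecipientAddress -split '@')[-1]
        if ($domain -notin $InternalDomains) { $external.Add($TraceRow) }
    }
    end {
        $external | Group-Object SenderAddress | ForEach-Object {
            $group = $_
            [pscustomobject]@{
                Sender           = $group.Name
                ExternalMessages = $group.Count
                ExternalDomains  = ($group.Group | ForEach-Object { ($_.RecipientAddress -split '@')[-1].ToLower() } | Sort-Object -Unique) -join ', '
                Failed           = @($group.Group | Where-Object Status -eq 'Failed').Count
                Flagged          = $group.Count -ge $Threshold
            }
        } | Sort-Object ExternalMessages -Descending
    }
}

# Constructed sample rows using the property names Get-MessageTrace returns
$sampleTrace = @(
    [pscustomobject]@{ SenderAddress = 'user1@contoso.com'; RecipientAddress = 'a@partner.example'; Status = 'Delivered' }
    [pscustomobject]@{ SenderAddress = 'user1@contoso.com'; RecipientAddress = 'x@files.example';   Status = 'Delivered' }
    [pscustomobject]@{ SenderAddress = 'user1@contoso.com'; RecipientAddress = 'y@files.example';   Status = 'Failed' }
    [pscustomobject]@{ SenderAddress = 'user2@contoso.com'; RecipientAddress = 'user1@contoso.com'; Status = 'Delivered' }
    [pscustomobject]@{ SenderAddress = 'user2@contoso.com'; RecipientAddress = 'b@partner.example'; Status = 'Delivered' }
)
$sampleTrace | Get-ExternalSendSummary -Threshold 3 | Format-Table -AutoSize

# Live data (one page of up to 5000 rows):
# Get-MessageTrace -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -PageSize 5000 | Get-ExternalSendSummary
```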


Setting up alerts for suspicious activity


To set up alerts for suspicious activity in Microsoft 365, you can use the New-AlertRule PowerShell cmdlet. This cmdlet allows you to create custom alerts based on specific events, such as failed logins, email forwarding, or mailbox delegation.


For example, to create an alert for failed logins, you can run the following command:


    New-AlertRule -Name "Failed Login Alert" -Description "Alert on failed login attempts" -Severity High -Service EXO -EventType Audit.AzureActiveDirectory -EventTypeValue SignInFailed -NotifyUser User1@contoso.com


This will create an alert rule that triggers when a failed login attempt occurs and sends a notification to the specified user.
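The email-forwarding events named above can also be found directly in the unified audit log. The PowerShell below is an added example, not code from the original article: it parses audit records and reports forwarding or redirect settings that point outside the organisation. The helper name Find-ExternalForwarding, the contoso.com domain list and the sample records are assumptions, and the record shape assumes the AuditData JSON that Search-UnifiedAuditLog returns for Exchange admin operations.

```powershell
# Added example: flag audit records that set up forwarding to an outside domain.
# Find-ExternalForwarding is a hypothetical helper, not a Microsoft cmdlet.
function Find-ExternalForwarding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,   # needs an AuditData JSON string
        [string[]] $InternalDomains = @('contoso.com')        # assumption: your accepted domains
    )
    begin {
        # Parameters of Set-Mailbox / New-InboxRule / Set-InboxRule that redirect mail
        $forwardParams = 'ForwardingSmtpAddress', 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo'
    }
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        foreach ($p in $data.Parameters) {
            if ($p.Name -notin $forwardParams -or -not $p.Value) { continue }
            # Pull every SMTP-looking address out of the value (handles 'smtp:' prefixes and ';' lists)
            foreach ($m in [regex]::Matches($p.Value, '[\w.+-]+@([\w-]+\.)+[\w-]+')) {
                $domain = ($m.Value -split '@')[-1]
                if ($domain -in $InternalDomains) { continue }
                [pscustomobject]@{
                    Time      = $data.CreationTime
                    Actor     = $data.UserId
                    Operation = $data.Operation
                    Mailbox   = $data.ObjectId
                    Setting   = $p.Name
                    Target    = $m.Value
                }
            }
        }
    }
}

# Constructed sample records; AuditData is a JSON string, as in Search-UnifiedAuditLog output
$sampleAudit = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-10T08:15:00","Operation":"Set-Mailbox","UserId":"admin@contoso.com","ObjectId":"user1","Parameters":[{"Name":"Identity","Value":"user1"},{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@external.example"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-10T09:02:00","Operation":"New-InboxRule","UserId":"user2@contoso.com","ObjectId":"user2\\Team copy","Parameters":[{"Name":"ForwardTo","Value":"user3@contoso.com"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-10T09:40:00","Operation":"New-InboxRule","UserId":"user4@contoso.com","ObjectId":"user4\\Archive","Parameters":[{"Name":"RedirectTo","Value":"user5@contoso.com;box@mailbox.example"}]}' }
)
$sampleAudit | Find-ExternalForwarding | Format-Table -AutoSize   # reports the first and third record only

# Live data (assumes Connect-ExchangeOnline and audit logging enabled):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Operations 'Set-Mailbox','New-InboxRule','Set-InboxRule' -ResultSize 5000 | Find-ExternalForwarding
```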


Analyzing mailbox activity with PowerShell


To analyze mailbox activity in Microsoft 365, you can use PowerShell scripts to retrieve detailed information about mailbox usage, such as mailbox size, item count, and activity statistics.


For example, to retrieve the size and item count for all mailboxes in your organization, you can run the following script:


    Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, @{Name="Size (MB)";Expression={(Get-MailboxStatistics $_.Identity).TotalItemSize.Value.ToMB()}}, @{Name="Items";Expression={(Get-MailboxStatistics $_.Identity).ItemCount}}


This will return a list of all mailboxes in your organization, along with their size and item count.


Conclusion


In conclusion, monitoring Microsoft 365 email and mailbox activity with PowerShell can be a powerful tool for managing your organization's email security and compliance. With PowerShell, you can quickly and easily automate the process of monitoring email activity, set up alerts for suspicious activity, and analyze mailbox activity using custom scripts. By taking advantage of PowerShell's flexibility and automation capabilities, you can improve your organization's email security and compliance, and ensure that your users are using email responsibly and securely.

