{"id":341,"date":"2020-03-09T18:02:50","date_gmt":"2020-03-09T18:02:50","guid":{"rendered":"http:\/\/certcent.io\/?p=341"},"modified":"2020-03-09T18:02:50","modified_gmt":"2020-03-09T18:02:50","slug":"office-365-security-tips-and-tricks-using-powershell-monitoring-exchange-admin-events","status":"publish","type":"post","link":"https:\/\/certcent.io\/index.php\/2020\/03\/09\/office-365-security-tips-and-tricks-using-powershell-monitoring-exchange-admin-events\/","title":{"rendered":"Office 365 Security: Tips and Tricks using Powershell monitoring Exchange Admin events."},"content":{"rendered":"<p><strong>What are Exchange Admin events?<\/strong><br \/>\nEvents like adding, changing, or removing objects in your portal.<br \/>\n<strong>Prerequisites: <\/strong><br \/>\nA modern version of Powershell, most Windows 10 and Windows 2016+<br \/>\n<strong>First create your session to your Office 365 portal:<\/strong><\/p>\n<pre class=\"lang:default decode:true \" title=\"Create the session to your Office 365 portal.\">$Session = New-PSSession -ConnectionUri https:\/\/outlook.office365.com\/powershell-liveid\/  -ConfigurationName Microsoft.Exchange -Credential $credentials -Authentication Basic -AllowRedirection<\/pre>\n<div>\n<strong><strong>Run the search command in a script block against your session and output to grid:<br \/>\n<\/strong><\/strong><\/p>\n<pre class=\"lang:default decode:true \" title=\"Powershell command in script block against session\">Invoke-Command -ScriptBlock { Search-UnifiedAuditLog  -recordtype ExchangeAdmin -enddate \"3\/9\/2020\" }  -Session $session | Out-GridView<\/pre>\n<p>References: https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/exchange\/policy-and-compliance-audit\/search-unifiedauditlog?view=exchange-ps\n<\/p><\/div>\n<p><!--EndFragment --><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What are Exchange Admin events? Events like adding, changing, or removing objects in your portal. Prerequisites: A modern version of Powershell, most Windows 10 and Windows 2016+ First create your session to your Office 365 portal: $Session = New-PSSession -ConnectionUri https:\/\/outlook.office365.com\/powershell-liveid\/ -ConfigurationName Microsoft.Exchange -Credential $credentials -Authentication Basic -AllowRedirection Run the search command in a script&hellip; <a class=\"more-link\" href=\"https:\/\/certcent.io\/index.php\/2020\/03\/09\/office-365-security-tips-and-tricks-using-powershell-monitoring-exchange-admin-events\/\">Continue reading <span class=\"screen-reader-text\">Office 365 Security: Tips and Tricks using Powershell monitoring Exchange Admin events.<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/posts\/341"}],"collection":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/comments?post=341"}],"version-history":[{"count":0,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/posts\/341\/revisions"}],"wp:attachment":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/media?parent=341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/categories?post=341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/tags?post=341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}