Auditing of Automated PowerShell Scripts

Modern PowerShell scripting APIs, like MS Graph PowerShell and Exchange Online Management (v2.0.3 or later), allow for automation – even in an MFA-secured environment.

After you have set up all requirements for automated scripting, you can easily schedule scripts from one or more automation servers.

But how do you keep track of changes made by the scripts?

How to Identify Automated Script Changes

All automated scripts running via App Registrations are logged in the Azure Unified Audit-Log.

The ID of the scripts is composed of the organization name and the AppId from the Azure App.

In this article, we set up an Azure App with the following ID: “81d79cde-c79e-4608-ba15-8d1e66eab6bc”.

In that case the audit log can be filtered using the following ID: “skrubbeltrang.onmicrosoft.com\81d79cde-c79e-4608-ba15-8d1e66eab6bc”:

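# Fetch up to 5000 audit records written under the app identity (tenant\AppId)
$AuditLog = Search-UnifiedAuditLog -StartDate "2022-09-19" -EndDate "2022-09-21" -UserIds "skrubbeltrang.onmicrosoft.com\81d79cde-c79e-4608-ba15-8d1e66eab6bc" -ResultSize 5000
# AuditData is a JSON string; expand it and convert each record to an object
$ConvertAudit = $AuditLog | Select-Object -ExpandProperty AuditData | ConvertFrom-Json
# Show who ran which operation, against which object, from where, and with which parameters
$ConvertAudit | Select-Object CreationTime,UserId,Operation,Workload,ObjectId,ClientIP,Parameters | Format-Table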

The output shows which actions (exact command and parameters!) were performed using the Azure Application identity:

PS C:\> $ConvertAudit | Select-Object CreationTime,UserId,Operation,Workload,ObjectID,ClientIP,Parameters | ft
CreationTime        UserId                                                             Operation   Workload ObjectId ClientIP            Parameters
------------        ------                                                             ---------   -------- -------- --------            ----------
2022-09-20T07:10:09 skrubbeltrang.onmicrosoft.com\81d79cde-c79e-4608-ba15-8d1e66eab6bc Set-Mailbox Exchange Lene Hau 12.7.47.34:40182 {@{Name=Identity; Value=lene.hau}, @{Name=GrantSendOnBehalfTo; Value=hans.ussing}}
2022-09-20T06:55:58 skrubbeltrang.onmicrosoft.com\81d79cde-c79e-4608-ba15-8d1e66eab6bc Set-Mailbox Exchange Lene Hau 12.7.47.34:19333 {@{Name=Identity; Value=lene.hau}, @{Name=GrantSendOnBehalfTo; Value=hans.c.orsted}}
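
To review such records against what the script is supposed to do, the following sketch flattens each record into the command that was run and flags operations or client IPs outside a baseline. It is an added example, not part of the original article or of Easy365Manager; the function name Get-AppAuditFinding, the baseline parameters and the second sample record are assumptions constructed for illustration.

```powershell
# Added example. Get-AppAuditFinding and its baseline parameters are hypothetical names.
function Get-AppAuditFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $AuditData,
        [Parameter(Mandatory)] [string]   $AppUserId,
        [Parameter(Mandatory)] [string[]] $ExpectedOps,   # cmdlets the script should run
        [Parameter(Mandatory)] [string[]] $ExpectedIPs    # automation server addresses
    )
    process {
        $r = $AuditData | ConvertFrom-Json
        if ($r.UserId -ne $AppUserId) { return }          # skip other identities
        # ClientIP is logged as "address:port"; strip the port from the IPv4 form only
        $ip = $r.ClientIP -replace '^(\d{1,3}(?:\.\d{1,3}){3}):\d+$', '$1'
        # Flatten the Name/Value pairs back into a readable command line
        $paramText = @(foreach ($p in $r.Parameters) { "-$($p.Name) $($p.Value)" }) -join ' '
        $flags = @()
        if ($r.Operation -notin $ExpectedOps) { $flags += 'UnexpectedOperation' }
        if ($ip -notin $ExpectedIPs)          { $flags += 'UnexpectedClientIP' }
        [pscustomobject]@{
            CreationTime = $r.CreationTime
            Command      = "$($r.Operation) $paramText".Trim()
            ObjectId     = $r.ObjectId
            ClientIP     = $ip
            Flags        = $flags -join ','
        }
    }
}

$app = 'skrubbeltrang.onmicrosoft.com\81d79cde-c79e-4608-ba15-8d1e66eab6bc'
# Constructed sample: record 1 mirrors the article's output, record 2 is invented
$sample = @(
    @{ CreationTime = '2022-09-20T07:10:09'; UserId = $app; Operation = 'Set-Mailbox'
       ObjectId = 'Lene Hau'; ClientIP = '12.7.47.34:40182'
       Parameters = @(@{ Name = 'Identity'; Value = 'lene.hau' },
                      @{ Name = 'GrantSendOnBehalfTo'; Value = 'hans.ussing' }) },
    @{ CreationTime = '2022-09-20T09:30:00'; UserId = $app; Operation = 'Add-MailboxPermission'
       ObjectId = 'Lene Hau'; ClientIP = '203.0.113.10:50000'
       Parameters = @(@{ Name = 'Identity'; Value = 'lene.hau' },
                      @{ Name = 'AccessRights'; Value = 'FullAccess' }) }
) | ForEach-Object { $_ | ConvertTo-Json -Compress -Depth 4 }

# Against live data, pipe $AuditLog.AuditData instead of $sample
$sample | Get-AppAuditFinding -AppUserId $app -ExpectedOps 'Set-Mailbox' -ExpectedIPs '12.7.47.34' |
    Format-Table -AutoSize
```

With the baseline shown, the first record comes back with no flags and the second is flagged for both an unexpected operation and an unexpected client IP.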

If you’re traversing large amounts of data, you may need to work around the limitations of the Search-UnifiedAuditLog cmdlet.

Read this article for a thorough walkthrough of effective unified audit log parsing.

Consolidate AD and Office 365 Management

Hybrid Office 365 management is a real pain to many companies and organizations.

More and more are starting to consolidate AD and Office 365 management.

Most solutions introduce new web applications, are difficult to learn, and cost a fortune.

However, one solution exists that simply extends the functionality of AD Users & Computers – the admin tool loved by admins for more than two decades.

With Easy365Manager you get extra tabs on user properties that address all your needs for daily management of Office 365 and Exchange Online:

Figure: New user tab, "Office 365"
Figure: New user tab, "Mailbox" (Exchange Online Mailbox properties in AD Users & Computers)

With these new tabs, anyone, including your junior IT supporters, can start setting up user calendar permissions, something that normally requires second-level PowerShell scripting skills.

Easy365Manager is a simple .dll extension to AD Users & Computers.

It requires no infrastructure changes and can be installed in less than a minute.

Download your 30-day trial today.
