{"id":1530,"date":"2018-04-03T08:09:04","date_gmt":"2018-04-03T06:09:04","guid":{"rendered":"https:\/\/msb365.abstergo.ch\/?p=1530"},"modified":"2023-06-23T13:26:16","modified_gmt":"2023-06-23T11:26:16","slug":"powershell-commands-for-exchange-and-office-365-part-3","status":"publish","type":"post","link":"https:\/\/www.msb365.blog\/?p=1530","title":{"rendered":"PowerShell commands for Exchange and Office 365 \u2013 Part 3"},"content":{"rendered":"<p>It looks like I will start a series with this kind of article. Thank you guys for your response and all of your feedback over the different channels\u2026<\/p>\n<p>Today, I will continue with some new commands for you. However, this time the mindset is again the same as in the previous articles <a href=\"https:\/\/msb365.abstergo.ch\/?p=1202\" target=\"_blank\" rel=\"noopener\">10 Usefull PowerShell cmdlets for Exchange<\/a> and <a href=\"https:\/\/msb365.abstergo.ch\/?p=1388\" target=\"_blank\" rel=\"noopener\">Another 10 useful PowerShell cmdlets<\/a>: some of the commands you may know, and some may be new to you\u2026<\/p>\n<p>At the end of this article I will add some bonus content for you. 
I hope you will like it\u2026<\/p>\n<p>\ud83d\ude42<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<h2>#1 \u2013 Get-ExchangeServerAccessLicense<\/h2>\n<p>\u00a0<\/p>\n<p>This command applies to Exchange Server 2016 on-premises and returns a list of licenses in your Exchange organization.<\/p>\n<p>If you run the following command:<\/p>\n<p>\u00a0<\/p>\n<pre>Get-ExchangeServerAccessLicense<\/pre>\n<p>\u00a0<\/p>\n<p>You will receive an output which will look like this:<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-1531\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/1-3.png\" alt=\"\" width=\"550\" height=\"116\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/1-3.png 550w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/1-3-300x63.png 300w\" sizes=\"(max-width: 550px) 100vw, 550px\" \/><\/p>\n<p>By piping it to the Format-List cmdlet, you will also be able to see UnitLabel and RunspaceID:<\/p>\n<p>\u00a0<\/p>\n<pre>Get-ExchangeServerAccessLicense | Format-List<\/pre>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-1532\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/2-3.png\" alt=\"\" width=\"485\" height=\"337\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/2-3.png 485w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/2-3-300x208.png 300w\" sizes=\"(max-width: 485px) 100vw, 485px\" \/><\/p>\n<p>I guess you will not be using this command daily, but if you have to perform an audit in a new customer\u2019s Exchange environment, it shows you straight away how many and which Exchange servers are in use.<\/p>\n<p>\u00a0<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<h2>#2 \u2013 Get-HealthReport<\/h2>\n<p>\u00a0<\/p>\n<p>This command is also only available in on-premises Exchange environments.<\/p>\n<p>On Microsoft TechNet, there are many amazing scripts for reporting and\/or health checks. 
However, sometimes these scripts are not needed, or you want to build a script on your own for health reporting for Exchange.<\/p>\n<p>For that, PowerShell has a simple command, which is called:<\/p>\n<p>\u00a0<\/p>\n<pre>Get-HealthReport<\/pre>\n<p>\u00a0<\/p>\n<p>With this command we are able to check a few things\u2026 As an example, if we run:<\/p>\n<p>\u00a0<\/p>\n<pre>Get-HealthReport -Identity EXC-SRV01 -RollupGroup<\/pre>\n<p>\u00a0<\/p>\n<p>We receive the following answer:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-1533\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/3-3.png\" alt=\"\" width=\"587\" height=\"478\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/3-3.png 587w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/3-3-300x244.png 300w\" sizes=\"(max-width: 587px) 100vw, 587px\" \/><\/p>\n<p>The list is even longer, but this is enough to understand what we can use this command for. It shows us the state of services and includes the transition time.<\/p>\n<p>\u00a0<\/p>\n<p>The following list contains the health values that are returned:<\/p>\n<ul>\n<li>Online<\/li>\n<li>Partially Online<\/li>\n<li>Offline<\/li>\n<li>Sidelined<\/li>\n<li>Functional<\/li>\n<li>Unavailable<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<p>In the Microsoft TechNet article, you can also find the following parameters for this command:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Parameter<\/strong><\/td>\n<td><strong>Required<\/strong><\/td>\n<td><strong>Type<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td><em>Identity<\/em><\/td>\n<td>Required<\/td>\n<td>Microsoft.Exchange.Configuration.Tasks.ServerIdParameter<\/td>\n<td>The\u00a0<em>Identity<\/em>\u00a0parameter specifies the Exchange server that you want to view. 
You can use the following values to identify the server:<\/p>\n<ul>\n<li>Name<\/li>\n<li>Distinguished name (DN)<\/li>\n<li>FQDN<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><em>GroupSize<\/em><\/td>\n<td>Optional<\/td>\n<td>System.Int32<\/td>\n<td>The\u00a0<em>GroupSize<\/em>\u00a0parameter determines the size of the group to process against for a rollup. The default value is 12.<\/td>\n<\/tr>\n<tr>\n<td><em>HaImpactingOnly<\/em><\/td>\n<td>Optional<\/td>\n<td>System.Management.Automation.SwitchParameter<\/td>\n<td>The\u00a0<em>HaImpactingOnly<\/em>\u00a0switch filters the results to only the monitors that have\u00a0<strong>HaImpacting<\/strong>\u00a0set to\u00a0True. You don\u2019t need to specify a value with this switch.<\/td>\n<\/tr>\n<tr>\n<td><em>HealthSet<\/em><\/td>\n<td>Optional<\/td>\n<td>System.String<\/td>\n<td>The\u00a0<em>HealthSet<\/em>\u00a0parameter filters the results by the specified health set. Monitors that are similar or are tied to a component\u2019s architecture are grouped to form a\u00a0<em>health set<\/em>. You can determine the collection of monitors (and associated probes and responders) in a given health set by using the\u00a0<strong>Get-MonitoringItemIdentity<\/strong>\u00a0cmdlet.<\/td>\n<\/tr>\n<tr>\n<td><em>MinimumOnlinePercent<\/em><\/td>\n<td>Optional<\/td>\n<td>System.Int32<\/td>\n<td>The\u00a0<em>MinimumOnlinePercent<\/em>\u00a0parameter specifies the number of members in the group to be functioning with rollup information Degraded instead of Unhealthy. The default value is 70 percent.<\/td>\n<\/tr>\n<tr>\n<td><em>RollupGroup<\/em><\/td>\n<td>Optional<\/td>\n<td>System.Management.Automation.SwitchParameter<\/td>\n<td>The\u00a0<em>RollupGroup<\/em>\u00a0switch specifies that the health data is rolled up across servers with redundancy limits. 
You don\u2019t need to specify a value with this switch.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u00a0<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<h2>#3 \u2013 Connect-MsolService<\/h2>\n<p>\u00a0<\/p>\n<p>As the name says, this command belongs to Azure AD and Office 365.<\/p>\n<p>The Connect-MsolService cmdlet attempts to initiate a connection to Azure Active Directory. You must specify a credential, as a PSCredential object, or specify the CurrentCredentials parameter to use the credentials of the current user.<\/p>\n<p>\u00a0<\/p>\n<p>This command can be used with different optional parameters.<\/p>\n<p>For example, if you simply use the command like this:<\/p>\n<p>\u00a0<\/p>\n<pre>Connect-MsolService<\/pre>\n<p>\u00a0<\/p>\n<p>This command attempts to initiate a connection with Azure Active Directory. Since no credential is provided, the cmdlet prompts you to enter your username and password.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1534\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/4-2.png\" alt=\"\" width=\"567\" height=\"367\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/4-2.png 567w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/03\/4-2-300x194.png 300w\" sizes=\"(max-width: 567px) 100vw, 567px\" \/><\/p>\n<p>If you are using the command like this example:<\/p>\n<p>\u00a0<\/p>\n<pre>Connect-MsolService -Credential $Credential -AzureEnvironment AzureChinaCloud<\/pre>\n<p>\u00a0<\/p>\n<p>It will attempt to initiate a connection to AzureChinaCloud with Azure Active Directory using the credential provided. The credential must be of the type PSCredential. 
To obtain a credential object, use the Get-Credential cmdlet.<\/p>\n<p>\u00a0<\/p>\n<p>Below you can see a list of optional parameters, which you can use for the Connect-MsolService cmdlet:<\/p>\n<pre>-AdGraphAccessToken # Specifies the AD Graph access token to use to connect to Azure Active Directory.\r\n-AzureEnvironment # Specifies the deployment type to use to connect to Azure Active Directory in a different region.\r\n-Credential # Specifies the credential to use to connect to Azure Active Directory.\r\n-MsGraphAccessToken # Specifies the MS Graph access token to use to connect to Azure Active Directory.\r\n<\/pre>\n<p>\u00a0<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<h2>#4 \u2013 Get-MsolDomain<\/h2>\n<p>\u00a0<\/p>\n<p>Like the previous one, this command is used with Azure AD. After you have successfully logged in to your subscription with Connect-MsolService, you can use the Get-MsolDomain cmdlet.<\/p>\n<p>If you run just the basic command:<\/p>\n<p>\u00a0<\/p>\n<pre>Get-MsolDomain<\/pre>\n<p>\u00a0<\/p>\n<p>It will list all domains that are added to your tenant\/subscription. You will be able to see the domain name, status and authentication type.<\/p>\n<p>\u00a0<\/p>\n<p>Of course, you also have some optional parameters you can run it with:<\/p>\n<p>\u00a0<\/p>\n<pre>Get-MsolDomain\r\n\u00a0\u00a0 [-Status <DomainStatus>]\r\n\u00a0\u00a0 [-Authentication <DomainAuthenticationType>]\r\n\u00a0\u00a0 [-Capability <DomainCapabilities>]\r\n\u00a0\u00a0 [-TenantId <Guid>]\r\n\u00a0\u00a0 [<CommonParameters>]<\/pre>\n<p>\u00a0<\/p>\n<p>How could this help us? 
Well, if you have to perform an audit or you have to administer a company tenant with multiple domains and you need to figure out which domains are verified, you can run this command:<\/p>\n<p>\u00a0<\/p>\n<pre>Get-MsolDomain -Status Verified<\/pre>\n<p>\u00a0<\/p>\n<p>Here are some more optional parameters for this command:<\/p>\n<p>\u00a0<\/p>\n<pre>-Capability # Specifies the filter for domains that have the specified capability assigned.\r\n-Status # Specifies the filter to return only domains with the specified status. Valid values are: Verified, Unverified, and PendingDeletion.\r\n-TenantId # Specifies the unique ID of the tenant on which to perform the operation. The default value is the tenant of the current user. This parameter applies only to partner users.<\/pre>\n<p>\u00a0<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<h2>#5 \u2013 Get-FederationTrust<\/h2>\n<p>\u00a0<\/p>\n<p>Finally, a command that we can use for Exchange Online and Exchange on-premises (2016). However, some parameters and settings may be exclusive to one environment or the other.<\/p>\n<p>\u00a0<\/p>\n<p>Creating federations between Exchange organizations today is already state of the art. With a federation we are able to, for example, see the free\/busy information between organizations and other things. 
If you want to know more about federation between Exchange organizations, I can recommend <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/jj657462(v=exchg.150).aspx\" target=\"_blank\" rel=\"noopener\">this TechNet article<\/a>.<\/p>\n<p>However, today we want to know more about the specific command to check the state of our federation trusts.<\/p>\n<p>The first command we can run is this one:<\/p>\n<pre>Get-FederationTrust | Format-List<\/pre>\n<p>Running this command, we will receive a lot of information about all trusts we have in our organization.<\/p>\n<p>A similar command we can also use to get more information is the Get-FederationInformation command. Use the Get-FederationInformation cmdlet to get federation information, including federated domain names and target URLs, from an external Exchange organization.<\/p>\n<p>For example, if we enter the following command:<\/p>\n<pre>Get-FederationInformation -DomainName contoso.com<\/pre>\n<p>We will get a lot of information, such as:<\/p>\n<pre>RunspaceId\r\nTargetApplicationUri\r\nDomainNames\r\nTargetAutodiscoverEpr\r\nTokenIssuerUris\r\nIdentity\r\nIsValid\r\nObjectState<\/pre>\n<p>The Get-FederationInformation cmdlet retrieves federation information from the domain specified. Results from the cmdlet can be piped to the New-OrganizationRelationship cmdlet to establish an organization relationship with the Exchange organization being queried.<\/p>\n<p>\u00a0<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<h2>#6 \u2013 Redirect-Message<\/h2>\n<p>\u00a0<\/p>\n<p>Use the Redirect-Message cmdlet to drain the active messages from all the delivery queues on a mailbox server, and transfer those messages to another mailbox server. This cmdlet is available only in on-premises Exchange.<\/p>\n<p>That means, if the queue on one server is higher than on another one, we can redirect messages to the other server. That makes sure that we do not run into trouble. 
The command for this example can be:<\/p>\n<pre>Redirect-Message -Server Mailbox01 -Target Mailbox02<\/pre>\n<p>When a message queue is drained, the active messages in the queues on the source mailbox server are routed to the target mailbox server. After the messages are received and queued by the target mailbox server, the messages are made redundant.<\/p>\n<p>\u00a0<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<h2>#7 \u2013 Get-HybridMailflow<\/h2>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<p>Let\u2019s jump to a command that is available only in Exchange Online\u2026<\/p>\n<p>The Get-HybridMailflow cmdlet is used to view the configuration of message transport settings for hybrid deployments that were created with the Hybrid Configuration wizard.<\/p>\n<p>\u00a0<\/p>\n<p>So if we run the command:<\/p>\n<pre>Get-HybridMailflow<\/pre>\n<p>We will receive information about:<\/p>\n<pre>RunspaceId\r\nOutboundDomains\r\nInboundIPs\r\nOnPremisesFQDN\r\nCertificateSubject\r\nSecureMailEnabled\r\nCentralizedTransportEnabled\r\nIdentity\r\nIsValid\r\nObjectState<\/pre>\n<p>This information helps us if we need to configure new message transport settings in the EOP service for a hybrid deployment. For that we simply change the \u201cGet\u201d verb to:<\/p>\n<p>\u00a0<\/p>\n<pre>Set-HybridMailflow<\/pre>\n<p>\u00a0<\/p>\n<p>For this command we have a number of parameters, which you can see below:<\/p>\n<p>\u00a0<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Parameter<\/strong><\/td>\n<td><strong>Required<\/strong><\/td>\n<td><strong>Type<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td><em>CentralizedTransportEnabled<\/em><\/td>\n<td>Optional<\/td>\n<td>System.Boolean<\/td>\n<td>The\u00a0<em>CentralizedTransportEnabled<\/em>\u00a0parameter specifies that the Exchange Online organization routes all outbound mail messages to external recipients to the on-premises Exchange organization. The on-premises Exchange organization then routes the messages to the external recipients. 
The valid input for the\u00a0<em>CentralizedTransportEnabled<\/em>\u00a0parameter is\u00a0$true\u00a0or\u00a0$false. The default value is\u00a0$true.<\/td>\n<\/tr>\n<tr>\n<td><em>CertificateSubject<\/em><\/td>\n<td>Optional<\/td>\n<td>System.String<\/td>\n<td>The\u00a0<em>CertificateSubject<\/em>\u00a0parameter specifies the principal name of the certificate used for secure mail flow between the on-premises Exchange and Exchange Online organizations.<\/td>\n<\/tr>\n<tr>\n<td><em>Confirm<\/em><\/td>\n<td>Optional<\/td>\n<td>System.Management.Automation.SwitchParameter<\/td>\n<td>The\u00a0<em>Confirm<\/em>\u00a0switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on whether the cmdlet requires confirmation before proceeding.<\/p>\n<ul>\n<li>Destructive cmdlets (for example,\u00a0<strong>Remove-*<\/strong>\u00a0cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax:\u00a0-Confirm:$false.<\/li>\n<li>Most other cmdlets (for example,\u00a0<strong>New-*<\/strong>\u00a0and\u00a0<strong>Set-*<\/strong>\u00a0cmdlets) don\u2019t have a built-in pause. For these cmdlets, specifying the\u00a0<em>Confirm<\/em>\u00a0switch without a value introduces a pause that forces you to acknowledge the command before proceeding.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><em>InboundIPs<\/em><\/td>\n<td>Optional<\/td>\n<td>Microsoft.Exchange.Data.IPRange[]<\/td>\n<td>The\u00a0<em>InboundIPs<\/em>\u00a0parameter specifies the IP addresses of the on-premises mail transport servers configured as part of the hybrid deployment. 
These must point to either Exchange 2010 SP2 Hub Transport or Edge Transport servers.<\/td>\n<\/tr>\n<tr>\n<td><em>OnPremisesFQDN<\/em><\/td>\n<td>Optional<\/td>\n<td>Microsoft.Exchange.Data.Fqdn<\/td>\n<td>The\u00a0<em>OnPremisesFQDN<\/em>\u00a0parameter specifies the fully qualified domain name (FQDN) of the outbound smart host in the on-premises Exchange organization to use for centralized transport. This is either an on-premises Exchange 2010 SP2 Hub Transport or Edge Transport server.<\/td>\n<\/tr>\n<tr>\n<td><em>OutboundDomains<\/em><\/td>\n<td>Optional<\/td>\n<td>Microsoft.Exchange.Data.SmtpDomainWithSubdomains[]<\/td>\n<td>The\u00a0<em>OutboundDomains<\/em>\u00a0parameter specifies SMTP domains configured for the hybrid deployment.<\/td>\n<\/tr>\n<tr>\n<td><em>SecureMailEnabled<\/em><\/td>\n<td>Optional<\/td>\n<td>System.Boolean<\/td>\n<td>The\u00a0<em>SecureMailEnabled<\/em>\u00a0parameter specifies that all messages sent between the on-premises Exchange and the Exchange Online organizations must use the Transport Layer Security (TLS) protocol and the assigned digital certificate. The valid input for the\u00a0<em>SecureMailEnabled<\/em>\u00a0parameter is\u00a0$true\u00a0or\u00a0$false. The default value is\u00a0$true.<\/td>\n<\/tr>\n<tr>\n<td><em>WhatIf<\/em><\/td>\n<td>Optional<\/td>\n<td>System.Management.Automation.SwitchParameter<\/td>\n<td>The\u00a0<em>WhatIf<\/em>\u00a0switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. 
You don\u2019t need to specify a value with this switch.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u00a0<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<h2>#8 \u2013 Get-SmimeConfig<\/h2>\n<p>\u00a0<\/p>\n<p>This command applies to Exchange Online and Exchange Server 2016.<\/p>\n<p>If you want to know more about what S\/MIME is, or what we can use it for, I can recommend the following <a href=\"https:\/\/msb365.abstergo.ch\/?p=1037\" target=\"_blank\" rel=\"noopener\">link<\/a>.<\/p>\n<p>\u00a0<\/p>\n<p>Here, I want to give a short introduction to the Get-SmimeConfig cmdlet.<\/p>\n<p>By running the command without any additional parameter like:<\/p>\n<pre>Get-SmimeConfig<\/pre>\n<p>We will be able to see all current S\/MIME settings for OWA. This can help us, for example, to set the S\/MIME configuration to allow users the choice of signing messages, limit the Certificate Revocation List (CRL) retrieval time-out to 10 seconds, and specify the 128-bit RC2 encryption algorithm.<\/p>\n<p>Sounds complicated? Here\u2019s the command for this example:<\/p>\n<pre>Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $true -OWACRLRetrievalTimeout 10000 -OWAEncryptionAlgorithms 6602:128<\/pre>\n<p><strong><span style=\"color: #ff0000;\">Warning<\/span><\/strong>: The Set-SmimeConfig cmdlet can change several important parameters that can reduce the overall level of message security. Review your organization\u2019s security policy before you make any changes.<\/p>\n<p>You need to be assigned permissions before you can run this cmdlet. 
Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they\u2019re not included in the permissions assigned to you.<\/p>\n<p>\u00a0<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<h2>#9 \u2013 Get-PhishFilterPolicy<\/h2>\n<p>\u00a0<\/p>\n<p>This more specific command applies to Exchange Online and Exchange Online Protection (EOP).<\/p>\n<p>If you need to define new phishing policies with the command:<\/p>\n<pre>Set-PhishFilterPolicy<\/pre>\n<p>It helps to see the current configuration.<\/p>\n<p>To do that you can set three types of parameters:<\/p>\n<ul>\n<li>Detailed (Required) The Detailed switch specifies whether to return detailed information in the results. You don\u2019t need to specify a value with this switch.<\/li>\n<li>SpoofAllowBlockList (Required) The SpoofAllowBlockList switch specifies whether to return a summary view of detected spoof activity. You don\u2019t need to specify a value with this switch.<\/li>\n<li>SpoofType (Optional) The SpoofType parameter filters the results by the type of spoofing. Valid values are: Internal or External.<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<p>So, if we want to get a detailed list of senders that appear to be sending spoofed emails to our organization, we can run this command:<\/p>\n<pre>Get-PhishFilterPolicy -Detailed -SpoofAllowBlockList -SpoofType Internal<\/pre>\n<p>The Get-PhishFilterPolicy cmdlet with the SpoofAllowBlockList switch returns the following information:<\/p>\n<pre>-\u00a0Sender\/sender domain: The true sending domain that's found in the DNS record of the source messaging server. 
If no domain is found, the source messaging server's IP address is shown.\r\n-\u00a0SpoofedUser: The sending email address if the domain is one of your organization's domains, or the sending domain if the domain is external.\r\n-\u00a0MailVolume: The number of messages.\r\n-\u00a0UserComplaints: The number of user complaints.\r\n-\u00a0Authentication: Indicates whether the message has passed any type of authentication (explicit or implicit).\r\n-\u00a0Last seen: The date when the sending email address or domain was last seen by Office 365.\r\n-\u00a0Decision set by: Specifies whether Office 365 set the spoofing policy as allowed or not allowed to spoof, or if it was set by an admin.\r\n-\u00a0AllowedToSpoof: The three possible values are Yes (messages that contain any spoofed sender email addresses in your organization are allowed from the source messaging server), No (messages that contain any spoofed sender email addresses in your organization are not allowed from the source messaging server), and Partial (messages that contain some spoofed sender email addresses in your organization are allowed from the source messaging server).\r\n-\u00a0Spoof Type: Indicates whether the domain is internal to your organization or external.<\/pre>\n<p>\u00a0<\/p>\n<p>With all the information we need, we can, for example, configure the phish filter policy to block or allow all spoofed email messages from a source messaging server:<\/p>\n<p><strong>Step 1<\/strong>: Write the summary output of the Get-PhishFilterPolicy cmdlet to a CSV file.<\/p>\n<pre>Get-PhishFilterPolicy -Identity Default -SpoofAllowBlockList | Export-CSV \"C:\\My Documents\\Summary Spoofed Senders.csv\"<\/pre>\n<p><strong>Step 2<\/strong>: Add or modify the TrueSender and AllowedToSpoof values in the CSV file, save the file, and then read the file and store it in a variable named $UpdateSummarySpoofedSenders.<\/p>\n<pre>$UpdateSummarySpoofedSenders = Get-Content -Raw \"C:\\My Documents\\Summary Spoofed 
Senders.csv\"<\/pre>\n<p><strong>Step 3<\/strong>: Use the $UpdateSummarySpoofedSenders variable to configure the phish filter policy.<\/p>\n<pre>Set-PhishFilterPolicy -Identity Default -SpoofAllowBlockList $UpdateSummarySpoofedSenders<\/pre>\n<p>\u00a0<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<h2>#10 \u2013 Get-SpoofMailReport<\/h2>\n<p>\u00a0<\/p>\n<p>Spoofing has long been one of the biggest issues with email, and with the move to cloud services in the last few years, it has become an ever hotter topic. That\u2019s why the last command for this article applies only to the cloud-based services (Exchange Online and EOP).<\/p>\n<p>Use the Get-SpoofMailReport cmdlet to view information about insider spoofing in your cloud-based organization. Insider spoofing is where the sender\u2019s email address in an inbound message appears to represent your organization, but the actual identity of the sender is different.<\/p>\n<p>To get a report about the insider spoofing detections in our organization during the month of February 2018, we can use this command:<\/p>\n<pre>Get-SpoofMailReport -StartDate 02\/01\/2018 -EndDate 02\/28\/2018<\/pre>\n<p>The spoof mail report is a feature in Advanced Threat Protection that you can use to query information about insider spoofing detection in the last 30 days. For the reporting period that you specify, the Get-SpoofMailReport cmdlet returns the following information:<\/p>\n<p>\u00a0<\/p>\n<ul>\n<li>Date\u00a0\u00a0 Date the message was sent.<\/li>\n<li>Event Type\u00a0\u00a0 Typically, this value is SpoofMail.<\/li>\n<li>Direction\u00a0\u00a0 This value is Inbound.<\/li>\n<li>Domain\u00a0\u00a0 The sender domain. 
This corresponds to one of your organization\u2019s accepted domains.<\/li>\n<li>Action\u00a0\u00a0 Typically, this value is GoodMail or CaughtAsSpam.<\/li>\n<li>Spoofed Sender\u00a0\u00a0 The spoofed email address or domain in your organization from which the messages appear to be coming.<\/li>\n<li>True Sender\u00a0\u00a0 The organizational domain of the PTR record, or pointer record, of the sending IP address, also known as the reverse DNS address. If the sending IP address does not have a PTR record, this field will be blank and the Sender IP column will be filled in. Both columns will not be filled in at the same time.<\/li>\n<li>Sender IP\u00a0\u00a0 The IP address or address range of the source messaging server. If the sending IP address does have a PTR record, this field will be blank and the True Sender column will be filled in. Both columns will not be filled in at the same time.<\/li>\n<li>Count\u00a0\u00a0 The number of spoofed messages that were sent to your organization from the source messaging server during the specified time period.<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<hr \/>\n<p>\u00a0<\/p>\n<h2>### BONUS ###<\/h2>\n<p>\u00a0<\/p>\n<p>Insert time stamps into PowerShell outputs<\/p>\n<p>For your PowerShell tasks, you can have a time stamp in a series of commands, so you can determine how long a single step takes, or use it as a logging mechanism for your scripts.<\/p>\n<p>To insert a time stamp, enter one of the following commands as a single line into your .ps1 
file:<\/p>\n<p>Each command is shown with an output example as a comment:<\/p>\n<pre>\"$(Get-Date -format g) Start logging\"   # 2\/5\/2008 9:15 PM Start logging\r\n\r\n\"$(Get-Date -format F) Start logging\"   # Tuesday, February 05, 2008 9:15:13 PM Start logging\r\n\r\n\"$(Get-Date -format o) Start logging\"   # 2008-02-05T21:15:13.0368750-05:00 Start logging\r\n\r\n\"$(Get-Date -format yyyyMMdd-HHmmss) Start logging\"   # 20180329-164314 Start logging\r\n<\/pre>\n<p>There are many other formats for the Get-Date command, but these four options would generally suit most applications for time stamp purposes.<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It looks like I will start a series with this kind of articles. 
Thank you guys for your resonance and all of your feedback over the different channels\u2026 Today, I will continue with some new commands for you. However, even this time it is the same mind set like in the previous articles 10 Usefull [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3019,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[12,1923,2,3],"tags":[],"class_list":["post-1530","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-microsoft-365","category-exchange","category-powershell"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/1530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1530"}],"version-history":[{"count":10,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/1530\/revisions"}],"predecessor-version":[{"id":5246,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/1530\/revisions\/5246"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/media\/3019"}],"wp:attachment":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1530"}],"wp:term":[{"taxonomy":"c
ategory","embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}