No description, website, or topics provided.
Switch branches/tags
Nothing to show
Clone or download
bkoeller Update DumpDelegatesandForwardingRules.ps1
Adding mailbox SMTP forwarding via customer suggestion
Latest commit 47eab28 Mar 29, 2018
Failed to load latest commit information.
ActivityAPI-InvestigationQueries.sql Create ActivityAPI-InvestigationQueries.sql Feb 12, 2016
AzureAppEnumeration.ps1 So many fixesessesss Jan 24, 2018
AzureAppEnumerationViaGraph.ps1 muncha buncha fixes Jan 24, 2018
ConfigForO365Investigations.json Create ConfigForO365Investigations.json Feb 12, 2016
CreateAndSetPasswordsInBulk.ps1 Update CreateAndSetPasswordsInBulk.ps1 Jan 2, 2018
CreateSecureString.ps1 Create CreateSecureString.ps1 Feb 12, 2016
DumpDelegatesandForwardingRules.ps1 Update DumpDelegatesandForwardingRules.ps1 Mar 28, 2018
DumpDelegatesandForwardingRulesFromFile.ps1 Adding Remediation Help Scripts Apr 28, 2016
DumpUPNsFromGUID.ps1 Adding Remediation Help Scripts Apr 28, 2016
EnableMailboxAuditing.ps1 Update EnableMailboxAuditing.ps1 Mar 9, 2018
Get-AllTenantRulesAndForms.ps1 Update to remote powershell connection string Feb 14, 2018
InactiveUsersLast90Days.ps1 Add files via upload Oct 18, 2016
LICENSE Initial commit Feb 12, 2016
O365InvestigationDataAcquisition.ps1 Updated O365InvestigationDataAcquisition.ps1 Apr 3, 2017 Added code of conduct Dec 28, 2017
RemediateBreachedAccount.ps1 Add files via upload May 19, 2016
RemediateEmployeeLeaving.ps1 Add files via upload May 19, 2016
RequireStrongPasswordsOnAllAcounts.ps1 Adding remediations for FileSync blacklist strong passwords Jul 25, 2016 Adding updated Secure Score collector Files Feb 25, 2016
SetODBSyncFileExtensionBlacklist.ps1 Adding remediations for FileSync blacklist strong passwords Jul 25, 2016


This project is to help faciliate testing and low-volume activity data acquisition from the Office 365 Management Activity API.

Prerequisites for the O365 Investigation Data Acquisition Script

Once you have selected the data store that you want to publish your Activity API data to, simply open the ConfigForO365Investigations.json file and enable and configure the attributes that are relevant to your store. Note you will have to register an application in Azure AD, then populate the config with the AppID (InvestigationAppID) and AppSecret (InvestigationAppSecret) to enable data flow for the Activity API.

Prerequisites for the Activity API

Follow the instructions in the Management Activity API: Getting Started Guide to create a new AAD application and grant it permissions to the tenant's Management Activity API.

Prerequisites for the MySQL Store Pattern

  1. If you don't already have a MySQL database, download the Windows MySQL installer. Make sure to include MySQL server, MySQL Workbench, and the ODBC and .Net connectors. (MySQL docs are here:

  2. Using the mysql command-line client, run

    CREATE DATABASE O365Investigations;

    to create the database.

  3. Populate ConfigForO365Investigations.json with your MySQL admin name and password, as well as the hostname and database name.

  4. Run the O365InvestigationDataAcquisition.ps1 script to enable the subscriptions and pull the data. Re-run regularly to continue to consume new data.

  5. Once you have enough data, open MySQL Workbench, open ActivityAPI-InvestigationQueries.sql and run the approach SQL statements to get answers to your questions.

Prerequisites for the Azure Blob Store Pattern

  1. Determine the desired storage account name and update the config file.

  2. Determine the desired container name and update the config file.

  3. Determine the account name you will use to manage the blob storage and update the config file.

  4. Run the PowerShell command

    Read-Host -AsSecureString | ConvertFrom-SecureString

    and provide the password for the account you will use to manage the Azure blob storage, then use the output as the value for AzureAccountSecureString in the ConfigForO365Investigations.json file.

Prerequisites for the SQL Azure Store Pattern

  1. Login to your Azure subscription at

  2. Ensure you have a storage account set up

  3. Select "+ New" in the upper left, then "Data + Storage", then "SQL Database"

  4. Name your new database "O365Investigations"

  5. Select an existing SQL server (and make note of the hostname), or create a new server (making note of the admin account you used to create the database)

  6. Select the source, pricing tier, resource group, and associated subscription, then click "Create".

  7. Select SQL Servers from the main navigation, select the server you just created, then click "Show Firewall Settings". In the "Firewall Settings" blade, click "Add Client IP" and add the IP address of the host where you will be running the investigations tooling from. Save and wait for confirmation that the firewall rules have been updated.

  8. Use Visual Studio, or download SQL Server Management Studio Express 2014 (for free) and connect to your new database.

  9. Create a new SQL database named "O365Investigations"

  10. Ensure you have a username and password for an account that can connect to the database.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact with any additional questions or comments.