Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Gets the Multi-Geo signin report and outputs to screen, grouped by username.
- Invoke-RestMethod -Uri "$serviceRootURl/reports/signInsFromMultipleGeographiesEvents?api-version=beta" -Headers @{Authorization=$authenticationResult.CreateAuthorizationHeader()} -ContentType "application/json" |
- Select -ExpandProperty Value |
- Group UserName |
- Foreach {
- Write-Host -ForegroundColor Yellow "----- $($_.Group[0].DisplayName) ($($_.Name)) -----"
- $_.Group | Foreach {
- Write-Host "First signin from: $($_.firstSignInFrom)"
- Write-Host "Second signin from: $($_.secondSignInFrom)"
- Write-Host "Time: $($_.timeOfSecondSignIn)"
- Write-Host "Time between: $($_.timeBetweenSignIns)"
- Write-Host "Estimated travel: $($_.estimatedTravelHours) hours"
- Write-Host ""
- }
- }
- # Gets the report for users with many failed logon attemps, before suddenly being able to sign in
- Invoke-RestMethod -Uri "$serviceRootURl/reports/signInsAfterMultipleFailuresEvents?api-version=beta" -Headers @{Authorization=$authenticationResult.CreateAuthorizationHeader()} -ContentType "application/json" | Select -ExpandProperty Value
- # Sends an email to each user informing them of the irregular sign ons the last 24 hours
- $uri = '{0}/reports/signInsFromMultipleGeographiesEvents?api-version=beta&$filter=timeOfSecondSignIn gt {1}' -f $serviceRootURl, ((Get-Date (Get-Date).AddDays(-1) -Format "u") -replace " ", "T")
- Invoke-RestMethod -Uri $uri -Headers @{Authorization=$authenticationResult.CreateAuthorizationHeader()} -ContentType "application/json" |
- Select -ExpandProperty Value |
- Foreach {
- #Send-MailMessage -From '"IT Department" <noreply@mydomain.com>' -To
- $params = @{
- Body = "<html><body>Hi,<br><br>According to our reports your account was first signed in from '$($_.firstSignInFrom)', and then $($_.timeBetweenSignIns) later, you were signed in from '$($_.secondSignInFrom)'. The estimated travel time is $($_.estimatedTravelHours) hour(s). <br><br>Please review, and if this looks suspicious to you, change your password.<br><br>- IT"
- To = ('"{0}" <{1}>' -f $_.displayName, $_.username)
- From = '"IT Department" <reply@example.com>'
- Subject = "Suspicious logon activity for your account"
- BodyAsHtml = $true
- SmtpServer = "smtp.office365.com"
- UseSSL = $true
- Credential = (Get-Credential -Message "Input office 365 credentials for sending mail")
- }
- Send-MailMessage @params
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement