PowerShell Quick Reference - Security and Compliance Center (v1.0)

Connecting to Security and Compliance Center (SCC)
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
MFA: Connect-IPPSSession -UserPrincipalName [email protected]

Cmdlet Changes in 2018 (Security and Compliance Center)
12.31.2017: 158 cmdlets
09.30.2018: 190 cmdlets

Listing Cmdlets for the SCC
List all commands for the Security and Compliance Center:
$Name = (Get-Module | where {$_.ModuleType -eq 'Script'}).Name
Get-Command | Where {$_.ModuleName -eq $Name}

Getting Help
Get-Help <command>
Get-Help <command> -Examples
Get-Help <command> -Full
Examples:
Get-Help Set-ComplianceTag
Get-Help Set-ComplianceTag -Examples
Get-Help Set-ComplianceTag -Full

Teams Compliance Policy (SCC)
Get-TeamsRetentionCompliancePolicy
Get-TeamsRetentionComplianceRule
New-TeamsRetentionCompliancePolicy
New-TeamsRetentionComplianceRule
Remove-TeamsRetentionCompliancePolicy
Remove-TeamsRetentionComplianceRule
Set-TeamsRetentionCompliancePolicy
Set-TeamsRetentionComplianceRule

eDiscovery Admin
eDiscovery Admins create searches and holds on mailboxes, SharePoint sites and OneDrive locations. They also create and manage eDiscovery cases and content searches, and add members to handle those cases.
List current eDiscovery Admins (there are zero in a greenfield Office 365 tenant):
Get-eDiscoveryCaseAdmin
New eDiscovery Case Admin:
Add-eDiscoveryCaseAdmin -User [email protected]
Remove an eDiscovery Admin:
Remove-eDiscoveryCaseAdmin -User [email protected]
Replace the current eDiscovery Admins:
Update-eDiscoveryCaseAdmin -Users [email protected],[email protected]

Documentation: https://docs.microsoft.com/en-us/powershell/exchange/office-365-scc/office-365-scc-powershell
Security and Compliance Center Admin Page: https://protection.office.com
Role Groups in the SCC
Role Group Cmdlets:
Get-RoleGroup - use 'Get-RoleGroup | FL' to get a detailed list of the role groups, and their members, in the SCC
New-RoleGroup - add a custom group, with specific roles, in the SCC
Remove-RoleGroup - removes only custom, not built-in, Role Groups
Set-RoleGroup - modify settings on existing Role Groups

Cmdlet Usage:
Get-RoleGroup | Where {$_.Name -like '*admin*'} | Ft
New-RoleGroup 'View-Only Auditor' -Roles 'View-Only Audit Logs' -Members George
Remove-RoleGroup -Identity 'View-Only Auditor'
Set-RoleGroup -Identity 'View-Only Auditor' -Description "Users with View Only Auditing"
$CSV = Import-CSV "CustomGroupDescriptions.csv"
Foreach ($Group in $CSV) { Set-RoleGroup -Identity $Group.Name -Description $Group.Description }

Add User to Role Group:
Add-RoleGroupMember -Identity Reviewer -Member Damian
Add-RoleGroupMember -Identity ComplianceAdministrator -Member "John Smith"
Add-RoleGroupMember -Identity eDiscoveryManager -Member "Scott Schnoll"

Verify Users in Role Group:
Get-RoleGroupMember -Identity Reviewer
Get-RoleGroupMember -Identity ComplianceAdministrator
Get-RoleGroupMember -Identity eDiscoveryManager

Remove Users from Role Group:
Remove-RoleGroupMember -Identity Reviewer -Member "Greg Taylor"
Remove-RoleGroupMember -Identity ComplianceAdministrator -Member "Van Hybrid"
Remove-RoleGroupMember -Identity eDiscoveryManager -Member "Jason Sherry"

Update Role Group Membership:
Update-RoleGroupMember -Identity Reviewer -Members "Damian","Dave"
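The role group cmdlets above are the building blocks; what a defender usually wants is a check that the privileged SCC role groups (ComplianceAdministrator, eDiscoveryManager, Reviewer) still contain only the people they should. The following is an added example, not code from the quick reference or its author; it assumes an SCC session is already open, and the baseline hash table and the member names in it are constructed for the example. It compares the Name property of each member object, so the baseline holds display names.

```powershell
# Added example (not part of the quick reference): report drift between the
# members a privileged SCC role group is expected to have and the members it
# actually has. Assumes an SCC session is already open. The baseline below is
# constructed for this example; the Name property of each member object is
# compared, so baseline entries are display names.
$Baseline = @{
    'ComplianceAdministrator' = @('John Smith')
    'eDiscoveryManager'       = @('Scott Schnoll', 'Jason Sherry')
    'Reviewer'                = @('Damian', 'Dave')
}

function Get-RoleGroupDrift {
    param([Parameter(Mandatory)][hashtable]$Expected)

    foreach ($GroupName in $Expected.Keys) {
        $Wanted = @($Expected[$GroupName])
        # Get-RoleGroupMember returns one object per member; keep just the names
        $Actual = @(Get-RoleGroupMember -Identity $GroupName |
                    Select-Object -ExpandProperty Name)

        # Members present in the tenant but absent from the baseline
        foreach ($Member in $Actual) {
            if ($Wanted -notcontains $Member) {
                [pscustomobject]@{ RoleGroup = $GroupName; Member = $Member; Status = 'Unexpected' }
            }
        }
        # Members the baseline requires that are no longer in the group
        foreach ($Member in $Wanted) {
            if ($Actual -notcontains $Member) {
                [pscustomobject]@{ RoleGroup = $GroupName; Member = $Member; Status = 'Missing' }
            }
        }
    }
}

# An empty result means every group matches the baseline. A row with Status
# 'Unexpected' is a candidate for Remove-RoleGroupMember once it has been reviewed.
Get-RoleGroupDrift -Expected $Baseline | Sort-Object RoleGroup, Status | Format-Table -AutoSize
```

Run it on a schedule (or after any Update-RoleGroupMember) and feed the 'Unexpected' rows to whoever owns SCC permissions; because `-notcontains` is case-insensitive, differences in letter case do not produce false drift.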
DLP Cmdlets
Get-DlpCompliancePolicy
Get-DlpComplianceRule
Get-DlpComplianceRuleV2
Get-DlpDetectionsReport
Get-DlpKeywordDictionary
Get-DlpSensitiveInformationType
Get-DlpSensitiveInformationTypeRulePackage
Get-DlpSiDetectionsReport
Migrate-DlpFingerprint
New-DlpCompliancePolicy
New-DlpComplianceRule
New-DlpComplianceRuleV2
New-DlpFingerprint
New-DlpKeywordDictionary
New-DlpSensitiveInformationType
New-DlpSensitiveInformationTypeRulePackage
Remove-DlpCompliancePolicy
Remove-DlpComplianceRule
Remove-DlpComplianceRuleV2
Remove-DlpKeywordDictionary
Remove-DlpSensitiveInformationType
Remove-DlpSensitiveInformationTypeRulePackage
Set-DlpCompliancePolicy
Set-DlpComplianceRule
Set-DlpComplianceRuleV2
Set-DlpKeywordDictionary
Set-DlpSensitiveInformationType
Set-DlpSensitiveInformationTypeRulePackage

Device Compliance
To use the Device Management cmdlets, enable MDM for the tenant first:
https://support.office.com/en-us/article/overview-of-mobile-device-management-mdm-for-office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
New Device Rule (tenant wide, fewer options):
New-DeviceTenantRule
New Device Rule (very specific configuration, more options):
New-DeviceConfigurationRule
** Note: the two cmdlets above have Set, Get and Remove verbs as well.
Device Rules can be used in conjunction with Conditional Access:
Get-DeviceConditionalAccessPolicy
Get-DeviceConditionalAccessRule
New-DeviceConditionalAccessPolicy
New-DeviceConditionalAccessRule
Remove-DeviceConditionalAccessPolicy
Remove-DeviceConditionalAccessRule
Set-DeviceConditionalAccessPolicy
Set-DeviceConditionalAccessRule

Created By:
Damian Scoles
Microsoft MVP
Book Author
www.practicalpowershell.com
justaucguy.wordpress.com
@PPowerShell

Helpful Tips
Tab through parameters to see all that are available
Check for the latest module version
Read the latest Microsoft Docs for SCC
Read Teams MVP blogs for more tips
Use MFA for better security
Need help? Use 'Get-Help'
Read the cmdlet Synopsis for its functionality

Reporting Cmdlets
Get-DataRetentionReport
Get-DeviceComplianceDetailsReport
Get-DeviceComplianceDetailsReportFilter
Get-DeviceComplianceReportDate
Get-DeviceComplianceSummaryReport
Get-DeviceComplianceUserReport
Get-DlpDetectionsReport
Get-DlpSiDetectionsReport
Get-MailFilterListReport
Get-SupervisoryReviewPolicyReport
Get-SupervisoryReviewReport

RegEx Testing / Reference
RegEx Testing:
https://regex101.com/
https://regexr.com/
http://osherove.com/tools
Microsoft RegEx Reference:
https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference

Cmdlet Highlight
Get-SCInsights - provides user totals per workload: ExO, Archive, SharePoint, OneDrive and more

Coming Soon in v1.1
Get-Label, Get-LabelPolicy, Get-LabelPolicyRule, New-Label, New-LabelPolicy, Remove-Label, Remove-LabelPolicy, Remove-RecordLabel, Set-LabelPolicy

More On PowerShell
Windows PowerShell Blog: blogs.msdn.com/b/powershell
Script Center: technet.microsoft.com/scriptcenter
PowerShell Tips of the Week: www.practicalpowershell.com/blog
PowerShell Team on GitHub: https://github.com/powershell

Protection Alerting
Get-ProtectionAlert MalwareAlert
New-ProtectionAlert -Category Others -Name MalwareAlert -NotifyUser [email protected] -ThreatType Malware -Threshold 20 -TimeWindow 61
Remove-ProtectionAlert MalwareAlert
Set-ProtectionAlert MalwareAlert -TimeWindow 90
DLP Sensitive Information Types
Find existing Sensitive Information Types:
Get-DlpSensitiveInformationType

Create a new Sensitive Information Type with Fingerprints:
$Content01 = Get-Content "\\File01\HR\EmployeeInfo.docx" -Encoding byte
$FingerPrint01 = New-DlpFingerprint -FileData $Content01 -Description "Confidential Employee Information"
New-DlpSensitiveInformationType -Name "Confidential Employee Information" -Fingerprints $FingerPrint01 -Description "Sensitive Employee Information - HR"

Remove old, unused Sensitive Information Types:
Remove-DlpSensitiveInformationType -Identity "Confidential Employee Information"

Change an existing Sensitive Information Type:
Set-DlpSensitiveInformationType -Identity "Confidential Employee Information"

Working with Compliance Cases
Create a new case:
New-ComplianceCase -Name "Case # 4302-1" -Description "Legal Case - R&D - 10-2018"
Add Compliance Case members:
Add-ComplianceCaseMember -Case "Case # 4302-1" -Member [email protected]
Add-ComplianceCaseMember -Case "Case # 4302-1" -Member [email protected]
Add searches and holds to the case:
New-CaseHoldPolicy -Name "Hold - Damian" -Case "Case # 4302-1" -ExchangeLocation "John"
New-ComplianceSearch -Name "Secret Meetings" -ExchangeLocation Damian -ContentMatchQuery "subject:Secret Meetings"
Start the search and apply a search action:
Start-ComplianceSearch -Identity "Secret Meetings"
New-ComplianceSearchAction -SearchName "Secret Meetings" -Export
View existing Compliance Cases:
Get-ComplianceCase
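The case steps above (create case, add members, hold, search, start, export) are normally run as one sequence, and the step the quick reference cannot show on one line is the wait: New-ComplianceSearchAction -Export only makes sense once Get-ComplianceSearch reports the search as Completed. The function below is an added example, not code from the quick reference or its author. It assumes an SCC session is open, that a case hold policy needs at least one case hold rule (New-CaseHoldRule) to take effect, and that Get-ComplianceSearch exposes Status and Items properties; the case name, member, custodian mailbox and query in the usage line are constructed for the example.

```powershell
# Added example (not part of the quick reference): run the compliance case
# workflow end to end and wait for the search before exporting. Assumes an
# SCC session; the hold-rule requirement and the Status/Items properties of
# Get-ComplianceSearch are assumptions about the cmdlets' behaviour.
function Invoke-CaseSearchWorkflow {
    param(
        [Parameter(Mandatory)][string]$CaseName,
        [Parameter(Mandatory)][string[]]$Members,
        [Parameter(Mandatory)][string]$Custodian,   # mailbox to hold and search
        [Parameter(Mandatory)][string]$Query,       # KQL, e.g. 'subject:"Secret Meetings"'
        [int]$TimeoutMinutes = 30
    )

    # Idempotent: reuse the case if it already exists
    if (-not (Get-ComplianceCase -Identity $CaseName -ErrorAction SilentlyContinue)) {
        New-ComplianceCase -Name $CaseName -Description "Created $(Get-Date -Format s)" | Out-Null
    }
    foreach ($Member in $Members) {
        Add-ComplianceCaseMember -Case $CaseName -Member $Member
    }

    # Hold first, so nothing is purged from the mailbox while the search runs.
    # A case hold policy is assumed to need a rule before it applies.
    $HoldName = "Hold - $Custodian"
    New-CaseHoldPolicy -Name $HoldName -Case $CaseName -ExchangeLocation $Custodian | Out-Null
    New-CaseHoldRule -Name "$HoldName rule" -Policy $HoldName | Out-Null

    # Create the search inside the case and start it
    $SearchName = "$CaseName - $Custodian"
    New-ComplianceSearch -Name $SearchName -Case $CaseName -ExchangeLocation $Custodian `
        -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $SearchName

    # Poll until the service reports Completed or the timeout passes
    $Deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $Search = Get-ComplianceSearch -Identity $SearchName
    } while ($Search.Status -ne 'Completed' -and (Get-Date) -lt $Deadline)

    if ($Search.Status -ne 'Completed') {
        throw "Search '$SearchName' did not complete within $TimeoutMinutes minutes (status: $($Search.Status))"
    }

    # Only request an export when the search actually found something
    if ($Search.Items -gt 0) {
        New-ComplianceSearchAction -SearchName $SearchName -Export | Out-Null
    }
    return $Search
}

# Usage (all values constructed for this example)
Invoke-CaseSearchWorkflow -CaseName 'Case # 4302-1' -Members 'legal@contoso.example' `
    -Custodian 'damian@contoso.example' -Query 'subject:"Secret Meetings"' |
    Select-Object Name, Status, Items, Size
```

The returned search object gives the reviewer the item count and size before anyone downloads the export, which is the point at which a search that matched far more than expected (a loose query, or a custodian mailbox that is really a shared one) should be reconsidered rather than exported.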

Compliance Holds and Tags
Create a new compliance tag:
New-ComplianceTag -Name "R&D" -RetentionAction Delete -RetentionDuration 365 -RetentionType TaggedAgeInDays
List all current Compliance Tags:
Get-ComplianceTag
Remove an existing Compliance Tag:
Remove-ComplianceTag -Identity "R&D"
Modify an existing tag by adding a reviewer:
Set-ComplianceTag -Identity "R&D" -Reviewer [email protected]

First, create a Hold Compliance Policy:
New-HoldCompliancePolicy -Name "Case 5412-10" -ExchangeLocation [email protected]
Then create one or more Hold Compliance Rules:
New-HoldComplianceRule -Policy "Case 5412-10" -Name "Hold 2017" -ContentDateFrom "01/01/2017" -ContentDateTo "12/31/17"
Remove policies or rules:
Remove-HoldCompliancePolicy "Case 5412-10"
Remove-HoldComplianceRule "Hold 2017"
Modify existing rules or policies:
Set-HoldCompliancePolicy -Identity "Case 5412-10" -SharePointLocation "http://standard.sharepoint.com/sites/Teams/R&D"
Set-HoldComplianceRule -Identity "Hold 2017" -ContentDateFrom "07/01/17"
List policies or rules that were created previously:
Get-HoldCompliancePolicy
Get-HoldComplianceRule -Identity "Hold 2017"

Security, Privacy and Compliance Blog
https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/bg-p/securityprivacycompliance
Permissions in Security and Compliance Center
https://docs.microsoft.com/en-us/office365/securitycompliance/permissions-in-the-security-and-compliance-center
Admin Audit Log
View default Admin Audit Log settings:
Get-AdminAuditLogConfig
Search the Admin Audit Log and send the results by email:
New-AdminAuditLogSearch -StartDate 8/1/18 -EndDate 8/15/18 -StatusMailRecipients [email protected]
Disable/Enable Office 365 Admin Audit logs:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
** Note: changes (using Set) need to be performed in Exchange Online PowerShell.
New Unified Log Search - Exchange, SharePoint, OneDrive, Intune, Azure AD and more!
Search-UnifiedAuditLog -StartDate 10/1/2018 -EndDate 10/24/18
Or SharePoint only:
Search-UnifiedAuditLog -StartDate 10/1/2018 -EndDate 10/24/18 -RecordType SharePoint

Create Custom XML for DLP
https://justaucguy.wordpress.com/2014/11/21/adventures-in-custom-dlp-rules-part-one/

Auditing
Change the audit config:
Set-AuditConfig -Workload Exchange,SharePoint,OneDriveForBusiness,Intune
Audit all operations for a workload:
New-AuditConfigurationPolicy -Workload SharePoint
Remove an existing Audit Configuration Policy:
Remove-AuditConfigurationPolicy 91f20f6f-7ef9-4561-9a38-d771452d5e45
Audit specific operations in a workload:
New-AuditConfigurationRule -Workload Exchange,SharePoint -AuditOperation Delete
Modify an existing Audit Configuration Rule:
Set-AuditConfigurationRule
Remove an existing Audit Configuration Rule:
Remove-AuditConfigurationRule -Identity <GUID of Rule>
Current configuration:
Get-AuditConfig
Get-AuditConfigurationPolicy
Get-AuditConfigurationRule
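The two Search-UnifiedAuditLog lines above return at most the default result set for the whole tenant; a practical review needs paging and a filter on the operations that matter. The function below is an added example, not code from the quick reference or its author, and pulls every page for a date range using one SessionId with -SessionCommand ReturnLargeSet, then keeps only operations that change auditing itself (Set-AdminAuditLogConfig, Set-AuditConfig) or SCC role group membership. It assumes an SCC session; the operation names in $WatchList, and the Parameters array inside each record's AuditData JSON, are assumptions about the record format.

```powershell
# Added example (not part of the quick reference): page through
# Search-UnifiedAuditLog and list the operations a defender wants reviewed:
# changes to auditing and to SCC role group membership. Assumes an SCC
# session. $WatchList and the AuditData.Parameters layout are assumptions.
function Get-PrivilegedChangeEvents {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-7),
        [datetime]$EndDate   = (Get-Date),
        [string[]]$WatchList = @('Set-AdminAuditLogConfig', 'Set-AuditConfig',
                                 'New-RoleGroup', 'Remove-RoleGroup',
                                 'Add-RoleGroupMember', 'Remove-RoleGroupMember',
                                 'Update-RoleGroupMember')
    )

    # One SessionId ties the paged calls together; ReturnLargeSet hands back
    # up to 5,000 records per call and an empty result once the set is exhausted.
    $SessionId = [guid]::NewGuid().ToString()
    $Records = @()
    do {
        $Page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                    -Operations $WatchList -SessionId $SessionId `
                    -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($Page) { $Records += $Page }
    } while ($Page)

    # ReturnLargeSet can hand the same record back twice; Identity is unique per record
    $Records = $Records | Sort-Object Identity -Unique

    foreach ($Record in $Records) {
        # AuditData is a JSON string; Parameters (when present) holds the cmdlet arguments
        $Data = $Record.AuditData | ConvertFrom-Json
        $ArgList = @()
        if ($Data.Parameters) {
            $ArgList = $Data.Parameters | ForEach-Object { '-{0} {1}' -f $_.Name, $_.Value }
        }
        [pscustomobject]@{
            When       = $Record.CreationDate
            Actor      = $Record.UserIds
            Operation  = $Record.Operations
            Parameters = ($ArgList -join ' ')
        }
    }
}

# Review the last seven days. A Set-AdminAuditLogConfig with
# -UnifiedAuditLogIngestionEnabled False, or a new member in
# ComplianceAdministrator or eDiscoveryManager, deserves a follow-up.
Get-PrivilegedChangeEvents | Sort-Object When | Format-Table -AutoSize -Wrap
```

Because disabling ingestion stops new records from arriving, the most important line this can ever produce is the Set-AdminAuditLogConfig one; running the function on a schedule and alerting on that operation covers the case where someone turns auditing off before making other changes.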
DLP Keyword Dictionary
Create a list of keywords to be used by DLP to protect information in your tenant.
Check the settings of an existing dictionary:
Get-DlpKeywordDictionary -Name "Technical Docs"

Create a new DLP Keyword Dictionary:
$DLPKeywords = "Technical Specifications, Research Grant, Development Methodologies"
$EncodedDLPKeywords = [System.Text.Encoding]::UTF8.GetBytes($DLPKeywords)
New-DlpKeywordDictionary -Name "Technical Docs" -Description "Keywords appearing in internal docs" -FileData $EncodedDLPKeywords

Remove an unneeded dictionary:
Remove-DlpKeywordDictionary -Name "Technical Docs"

Modify an existing dictionary (removing keywords in this case):
$DLPKeywords = "Technical Specifications, Development Methodologies"
$EncodedDLPKeywords = [System.Text.Encoding]::UTF8.GetBytes($DLPKeywords)
Set-DlpKeywordDictionary -Name "Technical Docs" -FileData $EncodedDLPKeywords

Supervisory Review
First, create a Supervisory Policy, as none exist by default:
New-SupervisoryReviewPolicyV2 -Name "R&D" -Reviewers [email protected] -Comment "Monitor R&D emails"
Then create one or more Supervisory Rules:
New-SupervisoryReviewRule -Name "R&D Rule" -Policy "R&D" -SamplingRate 50 -Condition "(Reviewee:[email protected])"
Grab reports or information on the rules and policies created:
Get-SupervisoryReviewPolicyReport, Get-SupervisoryReviewPolicyV2
Get-SupervisoryReviewReport, Get-SupervisoryReviewRule
Remove a policy (** there is no cmdlet for removing a rule):
Remove-SupervisoryReviewPolicyV2 -Identity "R&D"
Modify existing rules or policies:
Set-SupervisoryReviewPolicyV2 -Identity "R&D" -Reviewers "[email protected]"
Set-SupervisoryReviewRule -Identity "R&D Rule" -SamplingRate 25
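Set-DlpKeywordDictionary replaces the whole keyword list with whatever is in -FileData, so "modifying" a dictionary as shown above silently drops any keyword that is not retyped. The function below is an added example, not code from the quick reference or its author: it reads the dictionary's current terms, merges in new ones, removes duplicates and writes the result back, generalizing the page's single-list example to an additive update. It assumes an SCC session and that the object returned by Get-DlpKeywordDictionary exposes the current terms as a comma-separated string in a KeywordDictionary property; the dictionary name and keywords in the usage line are the page's own and constructed values.

```powershell
# Added example (not part of the quick reference): add keywords to an existing
# DLP keyword dictionary without losing the ones already in it. Assumes an SCC
# session and that Get-DlpKeywordDictionary returns the current terms in a
# comma-separated KeywordDictionary property (an assumption).
function Add-DlpKeywordsToDictionary {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$NewKeywords
    )

    $Dictionary = Get-DlpKeywordDictionary -Name $Name
    if (-not $Dictionary) { throw "Keyword dictionary '$Name' was not found" }

    # Split the stored comma-separated string back into individual terms
    $Existing = @()
    if ($Dictionary.KeywordDictionary) {
        $Existing = $Dictionary.KeywordDictionary.Split(',') | ForEach-Object { $_.Trim() }
    }

    # Merge, drop blanks, and de-duplicate case-insensitively (Sort-Object -Unique
    # compares without regard to case unless -CaseSensitive is given)
    $Merged = @($Existing + $NewKeywords) |
              ForEach-Object { $_.Trim() } |
              Where-Object { $_ } |
              Sort-Object -Unique

    # Same encoding step the page uses for New-/Set-DlpKeywordDictionary
    $Bytes = [System.Text.Encoding]::UTF8.GetBytes(($Merged -join ', '))
    Set-DlpKeywordDictionary -Name $Name -FileData $Bytes

    return $Merged
}

# Usage: extends the page's "Technical Docs" dictionary; the new terms are constructed.
Add-DlpKeywordsToDictionary -Name 'Technical Docs' -NewKeywords 'Research Grant', 'Patent Draft'
```

The function returns the merged list so the caller can log exactly what the dictionary now contains; comparing that list with the previous Get-DlpKeywordDictionary output is the quickest way to confirm that an update added terms rather than replacing them.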
Security and Compliance Center (v1.0) - Complete Cmdlet List
Add-ComplianceCaseMember
Add-eDiscoveryCaseAdmin
Add-RoleGroupMember
Enable-ComplianceTagStorage
Get-ActivityAlert
Get-AdminAuditLogConfig
Get-AuditConfig
Get-AuditConfigurationPolicy
Get-AuditConfigurationRule
Get-CaseHoldPolicy
Get-CaseHoldRule
Get-ComplianceCase
Get-ComplianceCaseMember
Get-ComplianceCaseStatistics
Get-ComplianceRetentionEvent
Get-ComplianceRetentionEventType
Get-ComplianceSearch
Get-ComplianceSearchAction
Get-ComplianceSecurityFilter
Get-ComplianceTag
Get-ComplianceTagStorage
Get-DataRetentionReport
Get-DeviceComplianceDetailsReport
Get-DeviceComplianceDetailsReportFilter
Get-DeviceCompliancePolicyInventory
Get-DeviceComplianceReportDate
Get-DeviceComplianceSummaryReport
Get-DeviceComplianceUserInventory
Get-DeviceComplianceUserReport
Get-DeviceConditionalAccessPolicy
Get-DeviceConditionalAccessRule
Get-DeviceConfigurationPolicy
Get-DeviceConfigurationRule
Get-DevicePolicy
Get-DeviceTenantPolicy
Get-DeviceTenantRule
Get-DlpCompliancePolicy
Get-DlpComplianceRule
Get-DlpComplianceRuleV2
Get-DlpDetectionsReport
Get-DlpKeywordDictionary
Get-DlpSensitiveInformationType
Get-DlpSensitiveInformationTypeRulePackage
Get-DlpSiDetectionsReport
Get-eDiscoveryCaseAdmin
Get-Group
Get-HoldCompliancePolicy
Get-HoldComplianceRule
Get-Label
Get-LabelPolicy
Get-LabelPolicyRule
Get-MailFilterListReport
Get-ManagementRole
Get-ProtectionAlert
Get-Recipient
Get-RetentionCompliancePolicy
Get-RetentionComplianceRule
Get-RoleGroup
Get-RoleGroupMember
Get-SCInsights
Get-SecurityPrincipal
Get-SupervisoryReviewPolicyReport
Get-SupervisoryReviewPolicyV2
Get-SupervisoryReviewReport
Get-SupervisoryReviewRule
Get-TeamsRetentionCompliancePolicy
Get-TeamsRetentionComplianceRule
Get-User
Install-UnifiedCompliancePrerequisite
Migrate-DlpFingerprint
New-ActivityAlert
New-AdminAuditLogSearch
New-AuditConfigurationPolicy
New-AuditConfigurationRule
New-CaseHoldPolicy
New-CaseHoldRule
New-ComplianceCase
New-ComplianceRetentionEvent
New-ComplianceRetentionEventType
New-ComplianceSearch
New-ComplianceSearchAction
New-ComplianceSecurityFilter
New-ComplianceTag
New-DeviceConditionalAccessPolicy
New-DeviceConditionalAccessRule
New-DeviceConfigurationPolicy
New-DeviceConfigurationRule
New-DeviceTenantPolicy
New-DeviceTenantRule
New-DlpCompliancePolicy
New-DlpComplianceRule
New-DlpComplianceRuleV2
New-DlpFingerprint
New-DlpKeywordDictionary
New-DlpSensitiveInformationType
New-DlpSensitiveInformationTypeRulePackage
New-HoldCompliancePolicy
New-HoldComplianceRule
New-Label
New-LabelPolicy
New-ProtectionAlert
New-RetentionCompliancePolicy
New-RetentionComplianceRule
New-RoleGroup
New-SupervisoryReviewPolicyV2
New-SupervisoryReviewRule
New-TeamsRetentionCompliancePolicy
New-TeamsRetentionComplianceRule
Remove-ActivityAlert
Remove-AuditConfigurationPolicy
Remove-AuditConfigurationRule
Remove-CaseHoldPolicy
Remove-CaseHoldRule
Remove-ComplianceCase
Remove-ComplianceCaseMember
Remove-ComplianceRetentionEvent
Remove-ComplianceRetentionEventType
Remove-ComplianceSearch
Remove-ComplianceSearchAction
Remove-ComplianceSecurityFilter
Remove-ComplianceTag
Remove-DeviceConditionalAccessPolicy
Remove-DeviceConditionalAccessRule
Remove-DeviceConfigurationPolicy
Remove-DeviceConfigurationRule
Remove-DeviceTenantPolicy
Remove-DeviceTenantRule
Remove-DlpCompliancePolicy
Remove-DlpComplianceRule
Remove-DlpComplianceRuleV2
Remove-DlpKeywordDictionary
Remove-DlpSensitiveInformationType
Remove-DlpSensitiveInformationTypeRulePackage
Remove-eDiscoveryCaseAdmin
Remove-HoldCompliancePolicy
Remove-HoldComplianceRule
Remove-Label
Remove-LabelPolicy
Remove-ProtectionAlert
Remove-RecordLabel
Remove-RetentionCompliancePolicy
Remove-RetentionComplianceRule
Remove-RoleGroup
Remove-RoleGroupMember
Remove-SupervisoryReviewPolicyV2
Remove-TeamsRetentionCompliancePolicy
Remove-TeamsRetentionComplianceRule
Search-AdminAuditLog
Set-ActivityAlert
Set-AuditConfig
Set-AuditConfigurationRule
Set-CaseHoldPolicy
Set-CaseHoldRule
Set-ComplianceCase
Set-ComplianceRetentionEvent
Set-ComplianceRetentionEventType
Set-ComplianceSearch
Set-ComplianceSearchAction
Set-ComplianceSecurityFilter
Set-ComplianceTag
Set-DeviceConditionalAccessPolicy
Set-DeviceConditionalAccessRule
Set-DeviceConfigurationPolicy
Set-DeviceConfigurationRule
Set-DeviceTenantPolicy
Set-DeviceTenantRule
Set-DlpCompliancePolicy
Set-DlpComplianceRule
Set-DlpComplianceRuleV2
Set-DlpKeywordDictionary
Set-DlpSensitiveInformationType
Set-DlpSensitiveInformationTypeRulePackage
Set-HoldCompliancePolicy
Set-HoldComplianceRule
Set-LabelPolicy
Set-ProtectionAlert
Set-RetentionCompliancePolicy
Set-RetentionComplianceRule
Set-RoleGroup
Set-SupervisoryReviewPolicyV2
Set-SupervisoryReviewRule
Set-TeamsRetentionCompliancePolicy
Set-TeamsRetentionComplianceRule
Start-ComplianceSearch
Stop-ComplianceSearch
Test-DataClassification
Update-ComplianceCaseMember
Update-eDiscoveryCaseAdmin
Update-RoleGroupMember
Validate-RetentionRuleQuery
