-
Notifications
You must be signed in to change notification settings - Fork 12
/
Reports.ps1
159 lines (148 loc) · 8.65 KB
/
Reports.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
using namespace Microsoft.Graph.PowerShell.Models
function Get-GraphReport {
<#
.Synopsis
Gets reports from MS Graph
.Example
>Get-GraphReport -Report MailboxUsageDetail | ft "Display Name", "Storage Used (Byte)"
Displays mailbox storage used by users - note that
fields have 'friendly' names which need to be wrapped in quotes
#>
[cmdletbinding(DefaultParameterSetName="None")]
param (
#The report to Fetch
[ValidateSet(
'EmailActivityCounts', 'EmailActivityUserCounts', 'EmailActivityUserDetail',
'EmailAppUsageAppsUserCounts', 'EmailAppUsageUserCounts', 'EmailAppUsageUserDetail', 'EmailAppUsageVersionsUserCounts',
'MailboxUsageDetail', 'MailboxUsageMailboxCounts', 'MailboxUsageQuotaStatusMailboxCounts', 'MailboxUsageStorage',
'Office365ActivationCounts', 'Office365ActivationsUserCounts', 'Office365ActivationsUserDetail',
'Office365ActiveUserCounts', 'Office365ActiveUserDetail', 'Office365GroupsActivityCounts', 'Office365GroupsActivityDetail',
'Office365GroupsActivityFileCounts', 'Office365GroupsActivityGroupCounts', 'Office365GroupsActivityStorage',
'Office365ServicesUserCounts',
'OneDriveActivityFileCounts', 'OneDriveActivityUserCounts', 'OneDriveActivityUserDetail', 'OneDriveUsageAccountCounts',
'OneDriveUsageAccountDetail', 'OneDriveUsageFileCounts', 'OneDriveUsageStorage',
'SharePointActivityFileCounts', 'SharePointActivityPages', 'SharePointActivityUserCounts',
'SharePointActivityUserDetail', 'SharePointSiteUsageDetail', 'SharePointSiteUsageFileCounts',
'SharePointSiteUsagePages', 'SharePointSiteUsageSiteCounts', 'SharePointSiteUsageStorage',
'SkypeForBusinessActivityCounts', 'SkypeForBusinessActivityUserCounts', 'SkypeForBusinessActivityUserDetail',
'SkypeForBusinessDeviceUsageDistributionUserCounts','SkypeForBusinessDeviceUsageUserCounts', 'SkypeForBusinessDeviceUsageUserDetail',
'SkypeForBusinessOrganizerActivityCounts', 'SkypeForBusinessOrganizerActivityMinuteCounts',
'SkypeForBusinessOrganizerActivityUserCounts', 'SkypeForBusinessParticipantActivityCounts',
'SkypeForBusinessParticipantActivityMinuteCounts', 'SkypeForBusinessParticipantActivityUserCounts',
'SkypeForBusinessPeerToPeerActivityCounts', 'SkypeForBusinessPeerToPeerActivityMinuteCounts', 'SkypeForBusinessPeerToPeerActivityUserCounts',
'TeamsDeviceUsageDistributionUserCounts', 'TeamsDeviceUsageUserCounts', 'TeamsDeviceUsageUserDetail',
'TeamsUserActivityCounts', 'TeamsUserActivityUserCounts', 'TeamsUserActivityUserDetail',
'YammerActivityCounts', 'YammerActivityUserCounts', 'YammerActivityUserDetail', 'YammerDeviceUsageDistributionUserCounts',
'YammerDeviceUsageUserCounts', 'YammerDeviceUsageUserDetail', 'YammerGroupsActivityCounts',
'YammerGroupsActivityDetail', 'YammerGroupsActivityGroupCounts'
)]
[parameter(Mandatory=$true)]
$Report,
#Date for the report - this should be a date in the past 30 days. If specified, -Period is ignored. Reports ending in Count, Storage or pages don't support date filtering
[DateTime]$Date,
#The range of time for the report in the form "Dn" where n is the number of days. The default is D7, except for Office365Activation activation reports
[ValidateSet("D7", "D30", "D90", "D180")]
$Period,
#If specified the data will be written in CSV format to the path provided, otherwise it will be output to the pipeline
$Path
)
if ($Date) {
if ($report -match 'Counts$|Pages$|Storage$') {Write-Warning -Message 'Reports ending with Counts, Pages or Storage do not support date filtering' ; return }
if ($report -match '^Office365Activation') {Write-Warning -Message 'Office365Activation Reports do not support any filtering.' ; return }
if ($report -eq 'MailboxUsageDetail') {Write-Warning -Message 'MailboxUsageDetail does not support date filtering.' ; return}
$uri = "$GraphUri/reports/microsoft.graph.Get{0}(date={1:yyyy-MM-dd})" -f $Report , $Date
}
elseif ($Period) {
if ($report -match '^Office365Activation') {Write-Warning -Message 'Office365Activation Reports do not support any filtering.' ; return }
$uri = "$GraphUri/reports/microsoft.graph.Get{0}(period='{1}')" -f $Report , $Period
}
else {
if ($report -notmatch '^Office365Activation') {
$uri = "$GraphUri/reports/microsoft.graph.Get{0}(period='d7')" -f $Report
}
else {
$uri = "$GraphUri/reports/microsoft.graph.Get{0}" -f $Report
}
}
if ($Path) { Invoke-GraphRequest -Method GET -uri $uri -OutputFilePath $Path}
else {
$Path = [System.IO.Path]::GetTempFileName()
Invoke-GraphRequest -Method GET -uri $uri -OutputFilePath $Path
Import-Csv $Path
Remove-Item $Path
}
}
function Get-GraphSignInLog {
<#
.synopsis
Gets the audit log -requires a priviledged account
.Description
This command calls https://graph.microsoft.com/beta/auditLogs/signIns
which requires consent to use the AuditLog.Read.All Scope this can only be granted to Azure AD apps.
.Example
>
>Get-GraphSignInLog |
> select Date,UserPrincipalName,appDisplayName,ipAddress,clientAppUsed,browser,device,city,lat,long |
> Export-Excel -Path .\signin.xlsx -AutoSize -IncludePivotTable -PivotTableName Signins -PivotRows appdisplayName -PivotColumns browser -PivotData @{date='Count'} -show
Gets the sign-in Log and exports it Excel, creating a PivotTable
#>
[cmdletbinding()]
[outputtype([Microsoft.Graph.PowerShell.Models.MicrosoftGraphSignIn])]
param (
$top = 200
)
$i = 1
Write-Progress -Activity 'Getting Sign-in Auditlog'
$result = Invoke-GraphRequest -Method get -Uri "$GraphUri/auditLogs/signIns?`$top=$top" -SkipHttpErrorCheck -StatusCodeVariable status
if ($result.error) {
Write-Progress -Activity 'Getting Sign-in Auditlog' -Completed
Write-Warning "An error was returned: '$($result.error.message)' code: $($result.error.code) "
}
if ($status -notmatch "2\d\d") {Write-Warning "Status code returned was $Status ($([System.Net.HttpStatusCode]$status)) which does not look like success."}
$records = $result.value
while ($result.'@odata.nextLink' -and $records.count -lt $top) {
$i ++
Write-Progress -Activity 'Getting Sign-in Auditlog' -CurrentOperation "Page $i"
$result = Invoke-GraphRequest -Method get -Uri $result.'@odata.nextLink'
$records += $result.value
}
foreach ($r in $records) {
$r.pstypenames.add('GraphSigninLog')
$r['RiskEventTypesV2'] = $r['RiskEventTypes_V2'] ;
$null = $r.Remove('RiskEventTypes_V2'), $r.remove( "@odata.etag") ;
New-Object -TypeName MicrosoftGraphSignIn -Property $r
}
Write-Progress -Activity 'Getting Sign-in Auditlog'-Completed
}
function Get-GraphDirectoryLog {
<#
.synopsis
Gets the Directory audit log -requires a priviledged account
.Description
This command calls https://graph.microsoft.com/beta/auditLogs/directoryAudits
which requires consent to use the AuditLog.Read.All Scope this can only be granted to Azure AD apps.
#>
[cmdletbinding()]
[outputType([Microsoft.Graph.PowerShell.Models.MicrosoftGraphDirectoryAudit])]
param (
[switch]$all,
$Top = 100
)
$i = 1
Write-Progress -Activity 'Getting Directory Audits log'
$uri = "$GraphUri/auditLogs/directoryAudits"
if (-not $all) {$uri += "?`$Top=$Top"}
$result = Invoke-GraphRequest -Method get -Uri $uri -SkipHttpErrorCheck -StatusCodeVariable status
if ($result.error) {Write-Warning "An error was returned: '$($result.error.message)' - code: $($result.error.code) "}
$records = $result.value
while ($result.'@odata.nextLink' -and $records.Count -lt $top) {
$i ++
Write-Progress -Activity 'Getting Directory Audits log' -CurrentOperation "Page $i"
$result = Invoke-GraphRequest -Method get -Uri $result.'@odata.nextLink'
$records += $result.value
}
foreach ($r in $records) {
New-Object -TypeName MicrosoftGraphDirectoryAudit -Property $r
}
Write-Progress -Activity 'Getting Directory Audits log' -Completed
}