TenLens
Back to script library
Entra / Microsoft 365 · Compliance & audit

Get service alerts (Graph)

Retrieve Microsoft 365 service health alerts using the Microsoft Graph Security API and report active issues.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-MgGraph -Scopes SecurityEvents.Read.All -NoWelcome

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

Connect-MgGraph -Scopes SecurityEvents.Read.All -NoWelcome
 
[array]$Alerts = Get-MgSecurityAlert -All -PageSize 999
If (!$Alerts) {
    Write-Host "No security found"
    Break
}
 
$Report = [System.Collections.Generic.List[Object]]::new()
 
ForEach ($Alert in $Alerts) {
    $ExtraInfo = $Null
    Switch ($Alert.Title) {
        "Email messages containing phish URLs removed after delivery" {
             $User = $Alert.UserStates.UserPrincipalName[1]
        }
        "User restricted from sending email" {
            $User = $Alert.UserStates.UserPrincipalName
        }
        "Data Governance Activity Policy" {
            $User = "N/A"
        }
        "Admin Submission Result Completed" {
            $User = $Alert.UserStates.UserPrincipalName[0]
            $ExtraInfo = "Email from " + $Alert.UserStates.UserPrincipalName[1] + " reported for " + $Alert.UserStates.UserPrincipalName[2]
        }
        Default {
            $User = $Alert.UserStates.userPrincipalName
        }
    } # End Switch
 
    If ([string]::IsNullOrEmpty($Alert.Description)) {
        $AlertDescription = "Office 365 alert"
    } Else {
        $AlertDescription = $Alert.Description
    }
 
    # Unpack comments
    [String]$AlertComments = $Null; $i = 0
    ForEach ($Comment in $Alert.Comments) {
        If ($i -eq 0) {
            $AlertComments = $Comment; $i++
        } Else {
            $AlertComments = $AlertComments + "; " + $Comment
        }
    }
 
    Switch ($Alert.Status) {
        "newAlert"   { $Color = "ff0000"  }
        "inProgress" { $Color = "ffff00"  }
        "Default"    { $Color = "00cc00"  }
    }
 
    $ReportLine = [PSCustomObject][Ordered]@{
        Title       = $Alert.Title
        Category    = $Alert.Category
        User        = $User
        Description = $AlertDescription
        Date        = Get-Date($Alert.EventDateTime) -format g
        Status      = $Alert.Status
        Severity    = $Alert.Severity
        ViewAlert   = $Alert.SourceMaterials[0]
        Comments    = $AlertComments
        ExtraInfo   = $ExtraInfo
        Color       = $Color
    }
    $Report.Add($ReportLine)
 
} # End ForEach
 
$Report | Out-GridView -Title "Office 365 Security Alerts" -PassThru
Attribution
Author
Office365itpros
Related scripts
Entra / Microsoft 365 · Exchange Online

Add contacts to mailboxes

Copies organizational contacts from a SharePoint list into Exchange user mailboxes for newly licensed users, using app-only Microsoft Graph permissions.

Entra / Microsoft 365 · Applications

Add owners to apps

Finds Entra ID app registrations without owners and assigns the last modifier or creator as owner, using unified audit log records to identify who last managed each app.

Entra / Microsoft 365 · Teams

Add Teams to group expiration policy

Adds Microsoft Teams whose backing groups are not yet covered by the Microsoft 365 group expiration policy.