Monitoring with PowerShell: Monitoring M365 Service Communications

Microsoft has decided to move the old service communication API to Graph endpoints, which is pretty handy for us as Microsoft partners because it makes it a little bit easier to retrieve these issues programmatically, and be aware of them before the client gives us a call at times.

The new API has 3 different types of information for us; Messages which can be anything from “Basic Authentication is going away” to “Windows365 is now available”. There’s also Issues which are all known issues with the service at that moment, combined with a HealthOverview which is our target of today; are the services available or in recovery.

For these scripts we need the Secure Application Model as always, we’ll also need to make some changes to the permissions we’re granting.

The script

So, before we get started, lets add our permissions.

  • Go to the Azure Portal.
  • Click on Azure Active Directory, now click on “App Registrations”.
  • Find your Secure App Model application. You can search based on the ApplicationID.
  • Go to “API Permissions” and click Add a permission.
  • Choose “Microsoft Graph” and “Delegated permission”.
  • Add the “ServiceHealth.Read.All” and “ServiceMessage.Read.All” permission.
  • Finally, click on “Grant Admin Consent for Company Name.

So we’re not going to pick up each incident as an alert – there’s a lot of incidents that really don’t impact users. We’re filtering on anything that is not just an advisory so has some user impact, and we’re also ignoring incidents that have already been closed by Microsoft.

######### Secrets #########
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = 'LongRefreshToken'
######## Secrets #########
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | Convertto-SecureString -AsPlainText -Force))
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal
  
write-host "Creating body to request Graph access for each client." -ForegroundColor Green
$Authbody = @{
    'resource'      = 'https://graph.microsoft.com'
    'client_id'     = $ApplicationId
    'client_secret' = $ApplicationSecret
    'grant_type'    = "client_credentials"
    'scope'         = "openid"
}
 
  
write-host "Connecting to Office365 to get all tenants." -ForegroundColor Green
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
$customers = Get-MsolPartnerContract -All
$status = foreach ($Customer in $Customers) {
    $ClientToken = Invoke-RestMethod -Method post -Uri "https://login.microsoftonline.com/$($customer.tenantid)/oauth2/token" -Body $Authbody -ErrorAction Stop
    $headers = @{ "Authorization" = "Bearer $($ClientToken.access_token)" }
    write-host "Processing $($customer.DefaultDomainName)"

    $nextURL = "https://graph.microsoft.com/beta/admin/serviceAnnouncement/issues"
    $ReturnedData = do {
        $Data = (Invoke-RestMethod -Uri $nextURL -Method GET -Headers $headers)
        if ($data.value) { $data.value } else { ($Data) }
        $nextURL = $data.'@odata.nextLink'
    } until ($null -eq $NextURL)
    $BadStatus = $ReturnedData | Where-Object { $_.IsResolved -ne $true -and $_.classification -ne "Advisory" }

    if ($BadStatus) {
        [PSCustomObject]@{
            Tenantname = $customer.DefaultDomainName
            Status     = $BadStatus
        }
    }
}

if($status){
    write-host "Alert - Issues have been found in M365 tenants"
    $status
}

And that’s it! as always, Happy PowerShelling 🙂

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.