Parameter Attribute DataType Description Allowed Values
AlertBy Write StringArray[] Specifies the scope for aggregated alert policies
AlertFor Write StringArray[] This parameter is reserved for internal Microsoft use
AggregationType Write String Specifies how the alert policy triggers alerts for multiple occurrences of monitored activity None, SimpleAggregation, AnomalousAggregation, CustomAggregation
Category Write String Specifies a category for the alert policy
Comment Write String Specifies an optional comment
Disabled Write Boolean Enables or disables the alert policy
Ensure Write String Specify if this alert should exist or not. Present, Absent
Filter Write String The Filter parameter uses OPATH syntax to filter the results by the specified properties and values
Name Key String Specifies the unique name for the alert policy
NotificationCulture Write String Specifies the language or locale that's used for notifications. For example, da-DK for Danish
NotificationEnabled Write Boolean NotificationEnabled true or false
NotifyUserOnFilterMatch Write Boolean Specifies whether to trigger an alert for a single event when the alert policy is configured for aggregated activity
NotifyUserSuppressionExpiryDate Write DateTime Specifies whether to temporarily suspend notifications for the alert policy. Until the specified date-time, no notifications are sent for detected activities.
NotifyUserThrottleThreshold Write UInt32 Specifies the maximum number of notifications for the alert policy within the time period specified by the NotifyUserThrottleWindow parameter. Once the maximum number of notifications has been reached in the time period, no more notifications are sent for the alert.
NotifyUserThrottleWindow Write UInt32 Specifies the time interval in minutes that's used by the NotifyUserThrottleThreshold parameter
NotifyUser Write StringArray[] Specifies the SMTP address of the user who receives notification messages for the alert policy. You can specify multiple values separated by commas
Operation Write StringArray[] Specifies the activities that are monitored by the alert policy
PrivacyManagementScopedSensitiveInformationTypes Write StringArray[] PrivacyManagementScopedSensitiveInformationTypes
PrivacyManagementScopedSensitiveInformationTypesForCounting Write StringArray[] PrivacyManagementScopedSensitiveInformationTypesForCounting
PrivacyManagementScopedSensitiveInformationTypesThreshold Write UInt64 PrivacyManagementScopedSensitiveInformationTypesThreshold
Severity Write String specifies the severity of the detection Low, Medium, High, Informational
ThreatType Write String Specifies the type of activities that are monitored by the alert policy Activity, Malware, Phish, Malicious, MaliciousUrlClick, MailFlow
Threshold Write UInt32 Specifies the number of detections that trigger the alert policy within the time period specified by the TimeWindow parameter. A valid value is an integer that's greater than or equal to 3.
TimeWindow Write UInt32 Specifies the time interval in minutes for number of detections specified by the Threshold parameter. A valid value is an integer that's greater than 60 (one hour).
VolumeThreshold Write UInt32 Volume Threshold
Credential Write PSCredential Credentials of the Global Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
CertificatePassword Write PSCredential Username can be made up to anything but password will be used for CertificatePassword
CertificatePath Write String Path to certificate used in service principal usually a PFX file.
AccessTokens Write StringArray[] Access token used for authentication.


This resource configures a Protection Alert in Security and Compliance Center.


Microsoft Graph

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions

  • Read

    • None
  • Update

    • None

Application permissions

  • Read

    • None
  • Update

    • None


Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
        [Parameter(Mandatory = $true)]
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
        SCProtectionAlert 'CustomSuspiciousEmailSendingPatternDetected'
            AggregationType         = "None";
            Category                = "ThreatManagement";
            Comment                 = "User has been detected as sending suspicious messages outside the organization and will be restricted if this activity continues. -V1.0.0.1";
            Credential              = $Credscredential;
            Disabled                = $False;
            Ensure                  = "Present";
            Name                    = "Custom Suspicious email sending patterns detected";
            NotificationEnabled     = $True;
            NotifyUser              = @("");
            NotifyUserOnFilterMatch = $False;
            Operation               = @("CompromisedWarningAccount");
            Severity                = "Medium";

        SCProtectionAlert 'CustomEmailMessagesFromAcampaignRemovedAfterDelivery'
            AggregationType         = "None";
            Category                = "ThreatManagement";
            Comment                 = "Emails messages from a campaign were delivered and later removed -V1.0.0.2";
            Credential              = $Credscredential;
            Disabled                = $False;
            Ensure                  = "Present";
            Filter                  = "(Mail.IsMailZAPSuccessful -eq 1) -and Mail.IsCampaignZapped -eq 1 -and (Mail.TenantPolicyFinalVerdictSource -ne 'PhishEdu') -and (Mail.TenantPolicyFinalVerdictSource -ne 'SecOps') -and (Mail.TenantPolicyFinalVerdictSource -ne 'ThirdPartyFiltering')";
            Name                    = "Custom Email messages from a campaign removed after delivery​";
            NotificationEnabled     = $False;
            NotifyUser              = @("TenantAdmins");
            NotifyUserOnFilterMatch = $False;
            Severity                = "Informational";
            ThreatType              = "Malicious";