Azure Tenants without 0365 Email script failure about sparrow HOT 6 CLOSED

Interesting, perhaps we need to add a switch to disable the O365 check

from sparrow.

Maybe I'm misreading the issue, but what if you comment out line 475:
Get-UALData -ExportDir $ExportDir -StartDate $StartDate -EndDate $EndDate -ExchangeEnvironment $ExchangeEnvironment -AzureEnvironment $AzureEnvironment -Verbose

Do you still receive the error?

from sparrow.

I don't think you're misreading the issue. I commented line 475 and re-ran and got the export files successfully generated. I had attempted to identify which line(s) would be required...but #notadev. Thanks! I still think it would be an improvement to have a switch but simply adding this to the documentation would also be sufficient. I'm closing the issue.

from sparrow.

Perhaps I closed too soon without verifying what the output results should be after commenting out 475. In my scenario, I only got two .csv files. ApplicationGraphPermissions.csv and Domain_list.csv.

What I don't have, and perhaps it's a good sign, is that there's no files for AppRoleAssignment_Operations_Export.csv, AppUpdate_Operations_Export.csv, Consent_Operations_Export.csv, Domain_Operations_Export.csv,PSLogin_Operations_Export.csv,SAMLToken_Operations_Export.csv,ServicePrincipal_Operations_Export.csv

from sparrow.

Thank you for clarifying. Sparrow relies on being able to look at the unified audit log of a tenant organization, which is part of the Exchange Online PowerShell cmdlets (https://docs.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps).

Without Exchange Online, you will only receive those two .csv files.

from sparrow.

Thanks for the clarification. And those two files are pretty benign in what they're going to show. the UAL stuff is really where the IOC or other unknown activities to be investigated would be.

from sparrow.