Get-MailDetailATPReport extends support for non-ATP customers

Those of you that are interested in the various reports in Microsoft 365 are likely aware that a while back, Microsoft deprecated a bunch of Exchange Online “reporting” cmdlets and replaced them with alternative methods as detailed in this table. There was a small hiccup however – the Get-MailDetailATPReport cmdlet, which is positioned as the replacement for many of the deprecated “reporting” cmdlets only returned results in tenants that had ATP licensing (now Defender for Office 365).

The screenshot below illustrates the behavior of the Get-MailDetailATPReport cmdlet in such a tenant. The first cmdlet serves to show that there are at least few messages received in the examined timeframe. In a ATP-enabled tenant, running the Get-MailDetailATPReport cmdlet without using the –EventType parameter to scope the results should return entries for all messages with “Delivered” status. If the tenant was not enabled for ATP however, zero entries were returned, as shown by the second cmdlet. Lastly, the third cmdlet shows the set of SKUs available in the tenant – none of them includes ATP/Defender for Office 365.

This in turn meant that many organizations were left without a viable replacement. You can find various community posts discussing this and other similar issues online, for example this post over at Q&A, as this situation persisted for more than an year.

Now, in a proof that nagging does actually work on occasion, I’m happy to share the news that Microsoft has addressed this issue and the Get-MailDetailATPReport cmdlet should cover more scenarios even in non-licensed tenants. At the very least, you should get a broader set of results now, including messages in the “Message passed” category, on any tenant and regardless of the presence of an Defender for Office 365 SKU. Do note that some Event types are still restricted to only organizations that have the proper/required licensing, i.e. you will not see “File detonation” events on a non-licensed tenant.

Here are some illustrations on how the cmdlet works now, across various tenant configurations. The first screenshot below shows the result in a Office 365 E3 Developer tenant, whereas the second one is from an Microsoft 365 Kiosk one (actually the same tenant that I used to illustrate the issue, but the trial SKUs therein expired and I replaced them with new trial). Both tenants do not have a Defender for Office 365 service plan/SKU included, but the cmdlet does return a set of results matching the output of Get-MessageTrace.

You’re welcome 🙂

P.S. The “companion” Get-MailTrafficATPReport cmdlet does not seem to have been updated, but since it only returns counts, I can live with that.

This entry was posted in Exchange Online, Microsoft 365, Office 365, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.