
Boost Exchange Online automation with Azure Functions

Admins can use the event-driven functionality in Microsoft's serverless offering and build event-driven workflows for a more efficient management approach.

Managing Exchange Online is not just about email. Administrators must deal with challenges related to security threats and efficient data management. That requires new management methods.

Traditional tools and scripts might not address admin needs with the agility and efficiency required in today's fast-paced environment. Azure Functions, a serverless computing service, is a highly scalable, event-driven execution environment that can automate many tasks without requiring a dedicated infrastructure. This offering helps administrators quickly respond to events such as security alerts and system updates.

The automation capabilities of Azure Functions are not just about speed. They also open new possibilities for Exchange Online management that were challenging or impossible with traditional methods.

What are Azure Functions?

Azure Functions let IT professionals run code in response to events or triggers without managing a technology stack or server deployments. The functions are small pieces of code that perform various tasks, such as processing data or integrating with other cloud services, making them versatile tools for a wide range of users.

Azure Functions support various programming languages, including C#, JavaScript, Python and PowerShell, to give users a choice for the most suitable option. Azure Functions are serverless, and customers only pay for compute time consumed, which reduces the cost and complexity of running code at scale.

Azure Functions vs. standard Exchange Online management tools

Administrators traditionally use a combination of PowerShell scripts, manual work in the portal and third-party tools for managing Exchange Online. Although these methods have advantages, they also have disadvantages, particularly regarding scalability, flexibility and ongoing infrastructure maintenance.

One of the main advantages of Azure Functions is scalability. Azure Functions' event-driven model can automatically scale up to meet an organization's growing needs, regardless of the load.

Another benefit is flexibility. Azure Functions supports various triggers, such as HTTP requests, timer-based executions and hooks into other Azure services, making them more versatile options for automating management tasks.

Azure Functions eliminate the need for maintaining the underlying technical architecture that comes with traditional management tools. This abstraction lets admins focus solely on the code.

Azure Functions integrate with Azure Logic Apps and other Azure services for developing complex workflows that react to real-time events. For example, you can trigger an Azure Function on incoming email, process the email content and automatically update a database or send a notification.

The consumption-based pricing model keeps costs low, especially for tasks that don't run continuously.

Prerequisites and costs of Azure Functions

Before you start managing Exchange Online with Azure Functions, it's essential to understand the prerequisites and associated costs. This groundwork helps you start using Azure Functions effectively for Exchange Online management tasks.

Before you use any Azure service, you must set up an account and choose a subscription plan that suits your organization's needs and budget. Azure offers various subscription options, including pay-as-you-go, for flexibility and cost control.

It is also necessary to have a good understanding of cloud concepts, serverless computing basics and the programming languages supported by Azure Functions. If you plan to manage Exchange Online, you will benefit from building your knowledge of the hosted email platform and PowerShell scripting for Exchange. Microsoft provides extensive documentation and learning paths for Azure Functions and Exchange Online to get you started.

Set up a development environment on your local machine to develop and test Azure Functions. This environment includes installing the Azure Functions Core Tools; a code editor, such as Visual Studio Code; and the extensions for Azure. This setup lets you create, test and run functions locally before deploying them to Azure.

How to factor in the Azure Function costs

Azure Functions costs are calculated based on the number of executions, execution time and memory usage of your functions.

Microsoft's pricing calculator helps you manage and estimate monthly costs effectively. Azure offers a free grant of executions and execution time per month, which can significantly reduce costs for many organizations.

Azure's built-in monitoring tools identify and optimize resource-intensive functions. Implementing best practices, such as optimizing your code for efficiency and choosing the right triggers, can reduce execution times and memory usage, leading to lower costs.

How to use Azure Functions for Exchange Online management

This section gives a detailed look into specific scenarios suited for Azure Functions, illustrating its capabilities in real-time email analysis, dynamic reports based on security events and customized mailbox activity monitoring.

Real-time email analysis

One of the standout features of Azure Functions is its functionality to process and analyze emails instantly, offering spam detection, sentiment analysis and automated responses.

Use the following guidance to understand how to build a function for email, such as scanning incoming email for phishing attempts and automatically alerting the IT security team if suspicious content is detected:

  • Trigger. Use an HTTP trigger or integrate with Microsoft 365 to initiate the function upon the arrival of new email.
  • Code. Implement logic in your function to analyze the email content, such as checking for specific keywords, assessing sentiment using AI services or identifying spam characteristics.
  • Action. Depending on the analysis, the function can take an action: flag the email, trigger an alert, move the email to a folder or reply to the sender.
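
The code step above could look like the following in a PowerShell function. This is an added example, not code from the original article; the message property names (From, ReplyTo, Subject, BodyHtml), the keyword list and the sample message are assumptions constructed for illustration.

```powershell
# Added example: heuristic checks a function could run on a new message.
# The $Message shape (From, ReplyTo, Subject, BodyHtml) is hypothetical.
function Get-PhishingIndicator {
    param(
        [Parameter(Mandatory)]$Message,
        # Assumed phrase list; maintain your own
        [string[]]$Keywords = @('verify your account', 'password expires', 'urgent action')
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # A reply address in a different domain than the sender is a common spoofing trait
    $fromDomain = ($Message.From -split '@')[-1]
    if ($Message.ReplyTo -and ($Message.ReplyTo -split '@')[-1] -ne $fromDomain) {
        $findings.Add('Reply-To domain differs from From domain')
    }

    # Keyword check over subject and body (case-insensitive)
    $text = "$($Message.Subject) $($Message.BodyHtml)"
    foreach ($k in $Keywords) {
        if ($text -like "*$k*") { $findings.Add("Keyword: $k") }
    }

    # Links whose visible text names one host while the href points to another
    $pattern = '<a\s[^>]*href="https?://([^/":]+)[^"]*"[^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Message.BodyHtml, $pattern, 'IgnoreCase')) {
        $hrefHost = $m.Groups[1].Value.ToLowerInvariant()
        if ($m.Groups[2].Value -match '([a-z0-9-]+\.)+[a-z]{2,}') {
            $shown = $Matches[0].ToLowerInvariant()
            if ($hrefHost -ne $shown -and -not $hrefHost.EndsWith(".$shown")) {
                $findings.Add("Link text shows $shown but points to $hrefHost")
            }
        }
    }

    [pscustomobject]@{
        Subject    = $Message.Subject
        Suspicious = $findings.Count -gt 0
        Findings   = $findings
    }
}

# Constructed sample message
$sample = [pscustomobject]@{
    From     = 'it-support@contoso.example'
    ReplyTo  = 'helpdesk@mail-contoso.example'
    Subject  = 'Password expires today'
    BodyHtml = '<p>Urgent action needed: <a href="https://login.mail-contoso.example/reset">portal.contoso.example</a></p>'
}
Get-PhishingIndicator -Message $sample | Format-List
```

The returned Suspicious flag and Findings list are what the action step would act on, for example by alerting the IT security team.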

Dynamic reports based on security events

Administrators can use Azure Functions to react to security-related events in Exchange Online to generate and distribute dynamic reports that provide insights into potential security issues.

The following instructions create a weekly report that aggregates all failed login attempts, highlights potential brute-force attacks and examines the origin of these attempts:

  • Trigger. Set up an Azure Functions trigger for specific security events logged in Exchange Online, such as failed login attempts or creation of suspicious email forwarding rules.
  • Code. Write functions to query security logs, aggregate relevant data and format it into a comprehensive report.
  • Action. Automate distribution of these reports to the security team or relevant stakeholders through email or integration with team collaboration tools.
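
The aggregation in the code step could be written as follows. This is an added example, not code from the original article; it assumes the records come from Search-UnifiedAuditLog with the UserLoginFailed operation and that AuditData carries a ClientIP field, and the threshold, users and IP addresses are constructed for illustration.

```powershell
# Added example: summarize failed sign-ins per user from unified audit log records.
# Constructed sample records, shaped like Search-UnifiedAuditLog output
# (AuditData is a JSON string); the addresses and IPs are made up.
function New-SampleRecord {
    param([string]$User, [string]$ClientIP, [datetime]$When)
    [pscustomobject]@{
        CreationDate = $When
        UserIds      = $User
        Operations   = 'UserLoginFailed'
        AuditData    = (@{ UserId = $User; ClientIP = $ClientIP } | ConvertTo-Json -Compress)
    }
}

function Get-FailedLoginReport {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$Threshold = 5   # assumed cut-off; tune to your baseline
    )
    $Records |
        Where-Object { $_.Operations -eq 'UserLoginFailed' } |
        ForEach-Object {
            $data = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{ User = $_.UserIds; ClientIP = $data.ClientIP; Time = $_.CreationDate }
        } |
        Group-Object -Property User |
        ForEach-Object {
            $ips   = @($_.Group.ClientIP | Sort-Object -Unique)
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                User               = $_.Name
                Failures           = $_.Count
                SourceIPs          = $ips -join ', '
                FirstSeen          = $times[0]
                LastSeen           = $times[-1]
                PossibleBruteForce = $_.Count -ge $Threshold
            }
        } |
        Sort-Object -Property Failures -Descending
}

$base = Get-Date '2024-01-08T09:00:00'
$sample = @(
    0..6 | ForEach-Object {
        New-SampleRecord -User 'alice@contoso.example' -ClientIP '203.0.113.10' -When ($base.AddSeconds(20 * $_))
    }
    New-SampleRecord -User 'bob@contoso.example' -ClientIP '198.51.100.7' -When ($base.AddHours(3))
    New-SampleRecord -User 'bob@contoso.example' -ClientIP '198.51.100.7' -When ($base.AddDays(2))
)
Get-FailedLoginReport -Records $sample | Format-Table -AutoSize
```

With the sample data, the first user shows seven failures from one address within two minutes and is flagged, while the second user's two failures days apart are not.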

Customized mailbox activity monitoring

Admins can use Azure Functions to track specific actions within user mailboxes, alerting administrators to unusual activity or policy violations. For example, the function can detect a user sending sensitive files outside the organization and automatically initiate a security protocol to warn the security team and the user's manager:

  • Trigger. Use Azure Functions to monitor mailbox activities, such as deleting an email after a short period or forwarding an email to external domains.
  • Code. Develop logic within the function to identify activities that deviate from established norms or policies.
  • Action. Set up notifications or alerts to inform administrators or users of detected activities, enabling swift response to potential issues.
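
One way to implement the code step for the external-forwarding case is shown below. This is an added example, not code from the original article; it assumes the records come from Search-UnifiedAuditLog for the New-InboxRule, Set-InboxRule and Set-Mailbox operations, and the domains and sample records are constructed for illustration.

```powershell
# Added example: flag forwarding settings that point outside the organization.
# Parameter names checked in New-InboxRule, Set-InboxRule and Set-Mailbox audit records
$ForwardParams = 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo', 'ForwardingSmtpAddress'

function Find-ExternalForwarding {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][string[]]$InternalDomains
    )
    foreach ($record in $Records) {
        $data = $record.AuditData | ConvertFrom-Json
        $hits = @($data.Parameters | Where-Object { $_.Name -in $ForwardParams })
        foreach ($p in $hits) {
            # A value can hold several recipients separated by ';', with an optional "smtp:" prefix
            foreach ($target in ($p.Value -split ';')) {
                $address = $target.Trim() -replace '^smtp:', ''
                # Recipients given by name rather than SMTP address need a directory lookup (not shown)
                if ($address -notmatch '@') { continue }
                $domain = ($address -split '@')[-1]
                if ($domain -notin $InternalDomains) {
                    [pscustomobject]@{
                        Time      = $record.CreationDate
                        User      = $record.UserIds
                        Operation = $record.Operations
                        Setting   = $p.Name
                        Target    = $address
                    }
                }
            }
        }
    }
}

# Constructed sample records, shaped like Search-UnifiedAuditLog output
$sample = @(
    [pscustomobject]@{
        CreationDate = [datetime]'2024-01-08T10:15:00'; UserIds = 'carol@contoso.example'; Operations = 'New-InboxRule'
        AuditData = '{"Parameters":[{"Name":"Name","Value":"sync"},{"Name":"ForwardTo","Value":"smtp:archive@outside.example"}]}'
    }
    [pscustomobject]@{
        CreationDate = [datetime]'2024-01-08T11:00:00'; UserIds = 'dave@contoso.example'; Operations = 'Set-Mailbox'
        AuditData = '{"Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:dave@eu.contoso.example"}]}'
    }
)
Find-ExternalForwarding -Records $sample -InternalDomains 'contoso.example', 'eu.contoso.example' | Format-Table -AutoSize
```

Only the first sample record is reported, because its target domain is not in the internal list.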

How to manage Exchange Online with Azure Functions

To illustrate how to use Azure Functions to manage Exchange Online, the following section explains how to monitor mailbox activity using PowerShell and the Exchange Online Management module. The following scripts connect to Exchange Online and search the unified audit log for certain actions from the last 90 days.

Microsoft's documentation explains how to set up the required permissions.

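using namespace System.Net

# Input bindings supplied by the HTTP trigger
param($Request, $TriggerMetadata)

# $clientId, $certificateThumbprint and $organization must already hold the
# app registration ID, certificate thumbprint and tenant domain
Connect-ExchangeOnline `
    -AppId $clientId `
    -CertificateThumbprint $certificateThumbprint `
    -Organization $organization

# Search window: the last 90 days
$StartDate = (Get-Date).AddDays(-90)
$EndDate = (Get-Date)
$Operations = @("HardDelete", "SoftDelete")

# ReturnLargeSet returns the results unsorted
$Records = Search-UnifiedAuditLog `
    -StartDate $StartDate `
    -EndDate $EndDate `
    -Operations $Operations `
    -SessionCommand ReturnLargeSet
$Results = $Records

Disconnect-ExchangeOnline -Confirm:$false

# Return the audit records to the caller as the HTTP response
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body = $Results
    Headers = @{
        "Content-Type" = "application/json"
    }
})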

Use the following PowerShell code to call the Azure Function.

$uri = 'https://func.azurewebsites.net/api/MailActivityMonitor'

$headers = @{
"Content-Type" = "application/json"
}

$body = @{}

$response = Invoke-RestMethod `
	-Uri $uri `
	-Method Get `
	-Body $body `
	-Headers $headers

$response | Select-Object UserIds, Operations, CreationDate | ConvertTo-Json

Figure: Exchange Online audit log information. Azure Functions pulls in audit log data from Exchange Online to retrieve information, such as when a user permanently deletes an item.

Get more control from Exchange Online with Azure Functions

For admins who want more management flexibility, integrating Azure Functions with Exchange Online extends automation capabilities with help from the Microsoft Graph PowerShell SDK and direct API calls.

To tap into the full potential of this combination, become familiar with PowerShell scripting, the Microsoft Graph API and the specific requirements of the tasks at hand. Once comfortable with these technologies, implement highly complex monitoring tasks, such as tracking emails received and deleted within a timeframe.

The journey to fully automated, efficient and secure email management is ongoing. But it's a little closer to reality for admins who embrace these tools.

Liam Cleary is founder and owner of SharePlicity, a technology consulting company that helps organizations with internal and external collaboration, document and records management, business process automation, automation tool deployment, and security controls and protection. Cleary's areas of expertise include security on the Microsoft 365 and Azure platforms, PowerShell automation, and IT administration. Cleary is a Microsoft MVP and a Microsoft Certified Trainer.
