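# Creates a set of Microsoft Cloud App Security (MCAS) policies in the tenant
# that Connect-AzureAD signs in to, by POSTing pre-built JSON policy bodies to
# the tenant's portal API.
#
# Before running:
#   * Set $mcastoken to an MCAS API token. Keep the real value out of source
#     control; the literal below is only a placeholder.
#   * Replace every "emailadress" placeholder in the bodies with the alert
#     recipient address.
#   * Set $mcasregion to the data-centre segment of your portal URL.
#
# NOTE(review): the bodies look like exports from existing tenants. They carry
# "_tid" (two different values appear), "lastModified", "matchesCount",
# "readOnly" and "editMode". Whether the API ignores these fields on create is
# not visible here, so confirm against a test tenant.

$mcastoken = "MCASTOKEN"

# Fail before sign-in instead of sending the placeholder as a credential.
if ([string]::IsNullOrWhiteSpace($mcastoken) -or $mcastoken -eq "MCASTOKEN") {
    throw "Set `$mcastoken to a valid MCAS API token before running this script."
}

Connect-AzureAD

# The initial *.onmicrosoft.com domain gives the tenant short name used in the portal host name.
$name = Get-AzureADDomain |
    Where-Object { ($_.Name -like '*.onmicrosoft.com') -and ($_.Name -notlike '*.mail.onmicrosoft.com') } |
    Select-Object Name

# Zero or several matches would otherwise produce a malformed portal URL.
if (@($name).Count -ne 1) {
    throw "Expected exactly one *.onmicrosoft.com domain, found $(@($name).Count)."
}

$name.Name
$ShortName = $name.Name.Replace(".onmicrosoft.com", "")

# Data-centre segment of the portal host name; "eu2" is the value this script was written with.
$mcasregion = "eu2"
$mcasuri = "https://" + $ShortName + "." + $mcasregion + ".portal.cloudappsecurity.com"

$policies = "$mcasuri/cas/api/v1/policies/"   # not referenced in this script
$policyv1 = "$mcasuri/cas/api/v1/policy/"
$policy = "$mcasuri/cas/api/policy/"

# Parameters shared by every request. ErrorAction Stop aborts the run on the
# first rejected policy, so later policies are not created after a failure.
$postParams = @{
    Headers     = @{ authorization = "Token $mcastoken" }
    Method      = 'Post'
    ContentType = 'application/json'
    ErrorAction = 'Stop'
}

##notify new risky app##
$body = @'
{"enabled":true,"templateId":"default","enableAlerts":true,"alertDailyLimit":5,"alertSeverity":"LOW","alertEmailRecipients":[{"value":"emailadress","label":"emailadress"}],"alertSmsRecipients":[],"actions":{},"saasId":11161,"consoleFilters":"{\"permissionLevel\":{\"eq\":[1,2,0]}}","name":"Notify_New_OauthApp","policyType":"APP_PERMISSION","dbQuery":"{\"isInternal\": false, \"appStatus\": {\"$ne\": 2}, \"severity\": {\"$in\": [1, 2, 0]}, \"saasId\": 11161}","lastModified":1591274955563.7683,"lastUserModified":1591274955563.7683,"stories":[0],"msFlowCheckboxChecked":false,"msFlowId":null,"_tid":98226952,"editMode":true,"story":0,"emailAlerts":true,"readOnly":false,"matchesCount":0}
'@
Invoke-RestMethod @postParams -Uri "${policyv1}app_permissions/" -Body $body

##Notify_GrantConsent_NewThirdPartyApp##
$body = @'
{"enabled":true,"templateId":"default","enableAlerts":true,"alertDailyLimit":5,"alertSeverity":"LOW","alertEmailRecipients":[{"value":"emailadress","label":"emailadress"}],"alertSmsRecipients":[],"threshold":5,"perApp":true,"actions":{},"uniqueTargetOnly":true,"consoleFilters":"{\"activity.eventType\":{\"eq\":[\"EVENT_CATEGORY_GRANT_CONSENT\",\"11161:EVENT_O365_AAD_CONSENT_TO_APPLICATION:Consent to application.\"]}}","selectedRate":"all","name":"Notify_GrantConsent_NewThirdParty_App","policyType":"AUDIT","lastModified":1593506992437.7751,"lastUserModified":1593504464772.6526,"stories":[0],"msFlowCheckboxChecked":false,"msFlowId":null,"windowSizeInMillis":1,"dbQueryMongo":"{\"eventTypeValue\": {\"$in\": [\"EVENT_O365_AAD_CONSENT_TO_APPLICATION\", \"EVENT_O365_AAD_ESTS_CONSENT_GRANT\"]}}","_tid":98226952,"customMessage":"","autoModified":{"lastUpdateTime":"2020-06-30T08:49:52.476Z","lastReason":"policy validation task","oldData":{"lastModified":1593504464772.6526}},"editMode":true,"story":0,"emailAlerts":true,"readOnly":false,"matchesCount":0,"windowSizeInMinutes":30}
'@
Invoke-RestMethod @postParams -Uri "${policyv1}activity/" -Body $body

##upload malware block##
# NOTE(review): consoleFilters excludes sessions whose device carries either of
# two tag IDs. What those tags denote is not visible here, so confirm that
# exempting such devices from malware blocking is intended.
$body = @'
{"alertDailyLimit":5,"enableAlerts":true,"enabled":true,"alertSeverity":"HIGH","contentFilters":[],"customMessageRaw":"","provider":"malware","policySubType":"SESSION","consoleFilters":{"service":{"descendantof":[]},"device.tags":{"neq":["000000220000000000000000","000000230000000000000000"]}},"folderSelection":{"folders":[],"type":0},"templateId":"","policyType":"INLINE","displayDescription":"CONSOLE_POLICIES_TEMPLATE_POLICY_DESCRIPTION_BLOCK_UPLOAD_MALWARE","alertSmsRecipients":[],"displayName":"CONSOLE_POLICIES_TEMPLATE_POLICY_NAME_BLOCK_UPLOAD_MALWARE","name":"Block_Uploading_Malware","serviceSelectionType":"ALL","customMessage":"","alertEmailRecipients":[],"emailSettingsDisabled":false,"stories":["0"],"inlineActions":[{"type":"block","params":{},"notification":{"mailRecipients":[]}}],"selectedCategoryType":"FileUpload","description":"Block Uploading Malware","smsAlerts":false,"emailAlerts":false,"msFlowCheckboxChecked":false,"msFlowId":null}
'@
Invoke-RestMethod @postParams -Uri "${policy}session/" -Body $body

##Label Exchange Downloads noncompliant devices##
# NOTE(review): "labelId" is a GUID embedded in the exported body. It presumably
# identifies a sensitivity label in the tenant the policy came from, so replace
# it with a label ID that exists in the target tenant.
$body = @'
{"alertDailyLimit":5,"enableAlerts":true,"enabled":true,"alertSeverity":"LOW","contentFilters":[],"customMessageRaw":"","provider":"","policySubType":"SESSION","consoleFilters":{"service":{"descendantof":[20893]},"device.tags":{"neq":["000000220000000000000000","000000230000000000000000"]}},"folderSelection":{"type":0,"folders":[]},"templateId":null,"emailSettingsDisabled":false,"serviceSelectionType":"ALL","selectedCategoryType":"FileDownload","alertSmsRecipients":[],"alertEmailRecipients":["emailadress"],"name":"ExchangeOnline_Protect_and_Label_Downloads","stories":["3"],"msFlowId":null,"inlineActions":[{"type":"protect","params":{"protectWithCustomPermissions":"false","labelId":"26d1773b-9fd3-409f-bf05-e08258fd0b92"},"notification":{"mailRecipients":[]}}],"policyType":"INLINE","lastModified":1592211329092.753,"lastUserModified":1592211329092.753,"customMessage":"","blockableEvents":[],"proxyDbQuery":"{\"device.tags\": {\"$nin\": [\"000000220000000000000000\", \"000000230000000000000000\"]}}","proxyBlacklistFilterQueries":"{\"service\": \"{\\\"$or\\\": [{\\\"appId\\\": 20893}, {\\\"saasId\\\": 20893}]}\"}","_tid":98226952,"smsAlerts":false,"emailAlerts":true,"msFlowCheckboxChecked":false}
'@
Invoke-RestMethod @postParams -Uri "${policy}session/" -Body $body

##Notify_Labelremoved##
# The event filter also lists the FileSensitivityLabelApplied and
# FileSensitivityLabelChanged operations, not only removal and unprotect.
$body = @'
{"enabled":true,"templateId":"default","enableAlerts":true,"alertDailyLimit":5,"alertSeverity":"LOW","alertEmailRecipients":[{"value":"emailadress","label":"emailadress"}],"alertSmsRecipients":[],"threshold":5,"perApp":true,"actions":{},"uniqueTargetOnly":true,"consoleFilters":"{\"activity.eventType\":{\"eq\":[\"15600:EVENT_O365_ONEDRIVE_GENERIC:FileSensitivityLabelApplied\",\"15600:EVENT_O365_ONEDRIVE_GENERIC:FileSensitivityLabelChanged\",\"15600:EVENT_O365_ONEDRIVE_GENERIC:FileSensitivityLabelRemoved\",\"20892:EVENT_O365_TASK_RMS_UNPROTECT_FILE:rmsUnprotectFile\",\"20595:EVENT_ADALLOM_TASK_RMS_UNPROTECT_FILE:rmsUnprotectFile\",\"15600:EVENT_O365_TASK_RMS_UNPROTECT_FILE:rmsUnprotectFile\"]}}","selectedRate":"all","displayDescription":null,"displayName":null,"name":"Notify_When_Label_removed","customMessage":"","stories":[0],"policyType":"AUDIT","description":null,"thresholds":{},"rawThresholds":null,"lastModified":1592819674004.8362,"lastUserModified":1592819674004.8362,"msFlowCheckboxChecked":false,"msFlowId":null,"windowSizeInMillis":1,"dbQueryMongo":"{\"$or\": [{\"eventTypeValue\": {\"$in\": [\"EVENT_O365_TASK_RMS_UNPROTECT_FILE\", \"EVENT_O365_ONEDRIVE_GENERIC\"]}, \"$or\": [{\"mainInfo.rawOperationName\": {\"$in\": [null]}}, {\"mainInfo.rawOperationName\": {\"$in\": [\"FileSensitivityLabelApplied\", \"FileSensitivityLabelChanged\", \"rmsUnprotectFile\", \"FileSensitivityLabelRemoved\"]}}]}, {\"eventTypeValue\": \"EVENT_O365_TASK_RMS_UNPROTECT_FILE\", \"$or\": [{\"mainInfo.rawOperationName\": {\"$in\": [null]}}, {\"mainInfo.rawOperationName\": \"rmsUnprotectFile\"}]}, {\"eventTypeValue\": \"EVENT_ADALLOM_TASK_RMS_UNPROTECT_FILE\", \"$or\": [{\"mainInfo.rawOperationName\": {\"$in\": [null]}}, {\"mainInfo.rawOperationName\": \"rmsUnprotectFile\"}], \"appId\": {\"$in\": [20595, 2146455667]}}]}","_tid":98226952,"autoModified":{"lastUpdateTime":"2020-01-31T11:21:57.250Z","lastReason":"policy validation task","oldData":{"lastModified":1580466298284.639}},"readOnly":false,"matchesCount":0,"editMode":true,"story":0,"emailAlerts":true,"windowSizeInMinutes":30}
'@
Invoke-RestMethod @postParams -Uri "${policyv1}activity/" -Body $body

# ==============================================================

##team external user added##
$body = @'
{"enabled":true,"templateId":"default","enableAlerts":true,"alertDailyLimit":5,"alertSeverity":"LOW","alertEmailRecipients":[{"value":"emailadress","label":"emailadress"}],"alertSmsRecipients":[],"story":0,"threshold":5,"perApp":true,"actions":{},"windowSizeInMinutes":30,"consoleFilters":"{\"activity.eventType\":{\"eq\":[\"28375:EVENT_O365_TEAMS_GENERIC:MemberAdded\"]},\"service\":{\"eq\":[28375]},\"user.tags\":{\"eq\":[{\"role\":2,\"adv\":true},\"000000200000000000000000\"]}}","selectedRate":"all","displayDescription":"CONSOLE_POLICIES_TEMPLATE_POLICY_DESCRIPTION_TEAMS_EXTERNAL_USER_WAS_ADDED","displayName":"CONSOLE_POLICIES_TEMPLATE_POLICY_NAME_TEAMS_EXTERNAL_USER_WAS_ADDED","description":"","windowSizeInMillis":1,"policyType":"AUDIT","stories":[0],"name":"External_User_was_added_to_teams","thresholds":{},"rawThresholds":"{}","emailAlerts":true,"smsAlerts":false}
'@
Invoke-RestMethod @postParams -Uri "${policyv1}activity/" -Body $body

##Teams access level changed##
$body = @'
{"enabled":true,"templateId":"default","enableAlerts":true,"alertDailyLimit":5,"alertSeverity":"MEDIUM","alertEmailRecipients":[{"value":"emailadress","label":"emailadress"}],"alertSmsRecipients":[],"threshold":5,"perApp":true,"actions":{},"consoleFilters":"{\"activity.eventType\":{\"eq\":[\"28375:EVENT_O365_TEAMS_TEAM_SETTING_CHANGED:TeamSettingChanged\"]},\"text\":{\"eq\":\"private to public\"},\"service\":{\"eq\":[28375]}}","selectedRate":"all","displayDescription":"CONSOLE_POLICIES_TEMPLATE_POLICY_DESCRIPTION_TEAMS_ACCESS_LEVEL_WAS_CHANGED","displayName":"CONSOLE_POLICIES_TEMPLATE_POLICY_NAME_TEAMS_ACCESS_LEVEL_WAS_CHANGED","description":"This policy is triggered when a team's access level is changed from private to public.","windowSizeInMillis":1,"policyType":"AUDIT","stories":[0],"name":"Team_access_level_changed","thresholds":{},"rawThresholds":"{}","lastModified":1594732007780.0872,"lastUserModified":1594732007780.0872,"msFlowCheckboxChecked":false,"msFlowId":null,"uniqueTargetOnly":false,"dbQueryMongo":"{\"eventTypeValue\": \"EVENT_O365_TEAMS_TEAM_SETTING_CHANGED\", \"$and\": [{\"$or\": [{\"mainInfo.rawOperationName\": {\"$in\": [null]}}, {\"mainInfo.rawOperationName\": \"TeamSettingChanged\"}]}, {\"$or\": [{\"appId\": 28375}, {\"saasId\": 28375}]}, {\"$or\": [{\"user.userName\": \"private to public\"}, {\"mainInfo.activityResult.message\": \"private to public\"}, {\"mainInfo.activityResult.isSuccess\": \"private to public\"}, {\"mainInfo.prettyOperationName\": \"private to public\"}, {\"mainInfo.rawOperationName\": \"private to public\"}, {\"mainInfo.eventObjects\": {\"$elemMatch\": {\"$or\": [{\"serviceObjectType\": \"private to public\"}, {\"name\": \"private to public\"}, {\"id\": \"private to public\"}, {\"value\": \"private to public\"}]}}}]}]}","_tid":98226952,"editMode":true,"story":0,"readOnly":false,"matchesCount":0,"windowSizeInMinutes":30,"emailAlerts":true,"smsAlerts":false}
'@
Invoke-RestMethod @postParams -Uri "${policyv1}activity/" -Body $body

##team created##
$body = @'
{"enabled":true,"templateId":"default","enableAlerts":true,"alertDailyLimit":5,"alertSeverity":"LOW","alertEmailRecipients":[{"value":"emailadress","label":"emailadress"}],"alertSmsRecipients":[],"threshold":5,"perApp":true,"actions":{},"uniqueTargetOnly":true,"consoleFilters":"{\"activity.eventType\":{\"eq\":[\"28375:EVENT_O365_TEAMS_TEAM_CREATED:TeamCreated\"]}}","selectedRate":"all","name":"Team_is_created_notify","policyType":"AUDIT","lastModified":1594725669646.4565,"lastUserModified":1594725669646.4565,"stories":[0],"msFlowCheckboxChecked":false,"msFlowId":null,"windowSizeInMillis":1,"dbQueryMongo":"{\"eventTypeValue\": \"EVENT_O365_TEAMS_TEAM_CREATED\", \"$or\": [{\"mainInfo.rawOperationName\": {\"$in\": [null]}}, {\"mainInfo.rawOperationName\": \"TeamCreated\"}]}","_tid":98226952,"customMessage":"","autoModified":{"lastUpdateTime":"2020-04-26T13:28:40.372Z","lastReason":"policy validation task","oldData":{"lastModified":1587904838525.8518}},"readOnly":false,"matchesCount":0,"editMode":true,"story":0,"emailAlerts":true,"windowSizeInMinutes":30}
'@
Invoke-RestMethod @postParams -Uri "${policyv1}activity/" -Body $body

##prevent copy paste##
# This body has no alert e-mail recipients and "emailAlerts" is false, so the
# block action is enforced without e-mail notification.
$body = @'
{"alertDailyLimit":5,"enableAlerts":true,"enabled":true,"alertSeverity":"MEDIUM","contentFilters":[{"enabled":false,"type":"CustomActivities","params":{"presetRegex":null,"name":"","unlessPattern":null,"hideContext":true,"content":{"caseSensitive":false,"filterType":"KEYWORD","keyword":""},"searchInContent":true,"searchInFileName":false,"searchInMetaData":false},"contentFilterTimestamp":1594813433679.407}],"customMessageRaw":"","provider":"adallom","policySubType":"SESSION","consoleFilters":{"trafficFormatter":{"eq":["EVENT_TRAFFIC_ACTIVITY_CUT_OR_COPY","EVENT_TRAFFIC_ACTIVITY_PASTE"]},"device.tags":{"neq":["000000220000000000000000","000000230000000000000000","000000060000000000000000"]}},"folderSelection":{"type":0,"folders":[]},"policyType":"INLINE","displayDescription":"Mooinie","displayName":"mooinie","name":"Prevent_copy_paste_From_Not_compliant_devices","customMessage":"","stories":["3"],"inlineActions":[{"type":"block","params":{},"notification":{"mailRecipients":[]}}],"selectedCategoryType":"CustomActivities","description":"This policy prevents the ability to copy paste from non compliant devices","emailSettingsDisabled":false,"serviceSelectionType":"SOME","alertSmsRecipients":[],"alertEmailRecipients":[],"msFlowId":null,"lastModified":1594813433679.1782,"lastUserModified":1594813433679.1782,"proxyDbQuery":"{\"device.tags\": {\"$nin\": [\"000000220000000000000000\", \"000000230000000000000000\", \"000000060000000000000000\"]}}","proxyBlacklistFilterQueries":"{\"trafficFormatter\": \"{\\\"eventType\\\": {\\\"$in\\\": [2424871, 2424872]}}\"}","_tid":98934864,"smsAlerts":false,"emailAlerts":false,"templateId":null,"msFlowCheckboxChecked":false}
'@
Invoke-RestMethod @postParams -Uri "${policy}session/" -Body $body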