Getting Started
You can install Osprey in two ways:
- Open up a PowerShell terminal, type the command Install-Module -Name Osprey and follow the prompts to install.
- Download the installation script install.ps1 from the GitHub repository and run it.*

*If installing with an administrative session, install as normal. If you are not installing as an admin, add the switch -Scope CurrentUser.
Osprey requires the following modules be installed. Installing Osprey using the Install-Module command will automatically install the prerequisites. If not, you need to use Install-Module and install the following modules:
- PSFramework (minimum version 1.9.310)
- ExchangeOnlineManagement (min. vers. 3.4.0)
- Microsoft.Graph.Authentication (min. vers. 2.19.0)
- Microsoft.Graph.Identity.DirectoryManagement (min. vers. 2.19.0)
- Microsoft.Graph.Applications (min. vers. 2.19.0)
- Microsoft.Graph.Users (min. vers. 2.19.0)
As of 8/16/24, running Osprey while having ExchangeOnlineManagement version 3.5.0+1 and Microsoft.Graph version 2.20.0+ causes errors. Downgrade one of the modules to the version above to resolve the errors.
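The following check is an added example, not part of Osprey or its repository. It compares the newest installed copy of each prerequisite against the minimums listed above and warns on the version combination reported to cause errors. Using Microsoft.Graph.Authentication as the stand-in for the "Microsoft.Graph version" is an assumption.

```powershell
# Minimum versions exactly as listed on this page.
$required = [ordered]@{
    'PSFramework'                                  = [version]'1.9.310'
    'ExchangeOnlineManagement'                     = [version]'3.4.0'
    'Microsoft.Graph.Authentication'               = [version]'2.19.0'
    'Microsoft.Graph.Identity.DirectoryManagement' = [version]'2.19.0'
    'Microsoft.Graph.Applications'                 = [version]'2.19.0'
    'Microsoft.Graph.Users'                        = [version]'2.19.0'
}

# Import-Module loads the highest installed version by default,
# so that is the copy worth checking for each prerequisite.
$report = foreach ($name in $required.Keys) {
    $newest = Get-Module -ListAvailable -Name $name |
        Sort-Object -Property Version -Descending |
        Select-Object -First 1
    $installed = if ($newest) { $newest.Version } else { $null }
    $status = if (-not $installed) { 'Missing' }
        elseif ($installed -lt $required[$name]) { 'TooOld' }
        else { 'OK' }
    [pscustomobject]@{
        Module    = $name
        Minimum   = $required[$name]
        Installed = $installed
        Status    = $status
    }
}
$report | Format-Table -AutoSize

# Known conflict noted on this page (as of 8/16/24): ExchangeOnlineManagement 3.5.0+
# together with Microsoft.Graph 2.20.0+.
# Assumption: Microsoft.Graph.Authentication's version represents the Graph SDK version.
$exo   = ($report | Where-Object Module -eq 'ExchangeOnlineManagement').Installed
$graph = ($report | Where-Object Module -eq 'Microsoft.Graph.Authentication').Installed
if ($exo -ge [version]'3.5.0' -and $graph -ge [version]'2.20.0') {
    Write-Warning ("ExchangeOnlineManagement $exo and Microsoft.Graph $graph are both installed; " +
        "this combination is reported to cause errors. Downgrade one of them.")
}
```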
You must have an account with administrative access to the tenant you want to investigate.
TBD: Least privilege admin account information here.
You also need to create a folder where you would like the investigation logs to go. I suggest something easy to type, such as c:\osprey.
Depending on how you installed Osprey, you may need to load it into your PowerShell session with Import-Module -Name Osprey. You may need to import the prerequisite modules as well, if you get an error.
Next, you just have to run Start-Osprey and initialization will begin. You will need to agree to the EULA, and then you will be prompted to connect to the required modules with an M365 account with administrative permissions.
After connecting to Exchange Online and consenting to the Graph scope, you just need to choose the timeframe you are investigating, then you're good! Osprey should be initialized.
You can change the investigation parameters or investigate a different tenant by rerunning Start-Osprey and following the prompts.
If your investigations are going into the wrong tenant folder or you are running into issues with the Graph commands, you may not have been connected to your intended tenant. This happens if you are investigating different tenants often. Simply rerun Start-Osprey and choose to rerun with another tenant. This will clear all your existing module connections.