
The Hawk module has been designed to ease the burden on O365 administrators who are performing
a forensic analysis in their organization.  It accelerates the gathering of data from multiple sources in
the service.

It does NOT take the place of a human reviewing the data generated and is simply here to make
data gathering easier.

YouTube Playlist: https://ww
The Hawk module has been designed to ease the burden on O365 administrators who are performing
a forensic analysis in their organization.  It accelerates the gathering of data from multiple sources in
the service.

It does NOT take the place of a human reviewing the data generated and is simply here to make
data gathering easier.

YouTube Playlist: https://www.youtube.com/playlist?list=PL29G41eY-uQP_u-qY6_CF0e4n3nTN-r1s
Show more

Minimum PowerShell version


Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name HAWK -RequiredVersion 1.1.4

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name HAWK -Version 1.1.4

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More



(c) 2017 matbyrd@microsoft.com. All rights reserved.

Package Details


  • hawk_feedback@microsoft.com


O365 Security Audit Breach Investigation Exchange EXO Compliance Logon


Get-HawkTenantConfiguration Get-HawkTenantEDiscoveryConfiguration Get-HawkUserForwarding Get-HawkUserAuthHistory Get-HawkUserConfiguration Get-HawkUserMailboxAuditing Get-HawkUserInboxRule Initialize-HawkGlobalObject Search-HawkTenantEXOAuditLog Search-HawkTenantActivityByIP Start-HawkTenantInvestigation Start-HawkUserInvestigation Get-HawkTenantRBACChanges Show-HawkHelp Get-HawkTenantInboxRules Update-HawkModule Get-HawkTenantOauthConsentGrants Get-HawkTenantAzureAuthenticationLogs


This module has no dependencies.

Release Notes

1.1.4 - Fixed issue where incorrect logging cmdlet was being called
1.1.3 - Removed Compress-HawkData cmdlet
1.1.3 - Update description, URL, and Icon
1.1.2 - Fixed issue with using the wrong account to try and access the windows graph API
1.1.1 - All files related to the tenenat are now put in the \Tenant directory
1.1.1 - Reduced the number of text files generated as output
1.1.1 - Updated Get-HawkTenantAzureAuthenticationLogs to use user credentials instead of APP credentials
1.1.0 - New Cmdlet Get-HawkTenantAzureAuthenticationLogs will gather Azure AD Sign In logs if you have P1 or P2 license
1.0.1 - Fixed issue with date range validation failing occasionally
1.0.0 - BREAKING CHANGE - HawkUser cmdlets now take -UserPrincipalName instead of -User
1.0.0 - -UserPrincipalName supports providing list of UPNs or array of objects with UserPrincipalName properties
1.0.0 - Fixed minor issue with incorrect output to the screen when testing for EXO connections
28.5 - Added command Get-HawkTenantOauthConsentGrants for gathering Oauth grant information (more cmdlets coming in this vein)
28.4 - Removed test code that was blocking update-hawkmodule from updating the module


Version History

Version Downloads Last updated
4.0 3,623 2/23/2025
3.2.4 11,880 1/8/2025
3.2.3 359 1/7/2025
3.1.2 10,643 12/1/2024
3.1.0 39,476 3/30/2023
3.0.0 4,255 4/9/2022 4,687 5/7/2021 28 5/7/2021
2.0.2 31 5/7/2021
2.0.1 514 3/31/2021
2.0.0 1,239 1/5/2021
1.15.1 225 12/19/2020
1.15.0 3,415 12/19/2019
1.14.3 52 12/18/2019
1.14.2 366 11/13/2019
1.14.1 27 11/13/2019
1.14.0 461 9/25/2019
1.13.6 308 8/29/2019
1.13.3 61 8/26/2019
1.13.2 76 8/22/2019
1.13.1 54 8/21/2019
1.13.0 58 8/20/2019
1.12.1 30 8/20/2019
1.12.0 27 8/20/2019
1.10.1 412 7/9/2019
1.9.0 27 7/9/2019
1.8.8 29 7/9/2019
1.8.7 366 6/14/2019
1.8.6 342 5/24/2019
1.8.5 34 5/23/2019
1.8.4 59 5/21/2019
1.8.3 70 5/16/2019
1.8.2 29 5/16/2019
1.8.1 47 5/14/2019
1.8.0 30 5/14/2019
1.7.1 364 4/23/2019
1.6.13 177 4/12/2019
1.6.11 75 4/3/2019
1.6.9 535 12/13/2018
1.6.8 25 12/13/2018
1.6.7 33 12/12/2018
1.6.6 29 12/12/2018
1.6.5 30 12/12/2018
1.6.4 27 12/11/2018
1.6.3 84 12/10/2018
1.6.1 198 11/13/2018
1.6.0 29 11/13/2018
1.5.0 72 11/8/2018
1.4.0 82 10/30/2018
1.3.2 160 10/1/2018
1.3.1 31 10/1/2018
1.2.6 52 9/27/2018
1.2.5 29 9/27/2018
1.2.4 103 9/6/2018
1.2.3 203 7/19/2018
1.2.2 108 6/29/2018
1.2.1 46 6/26/2018
1.2.0 32 6/25/2018
1.1.4 (current version) 344 5/18/2018
Show less