Exchange Online Administration
Table of Contents
Introduction
Below are some common Exchange Online administrative tasks requiring PowerShell to get the job done. Microsoft as of January 2020 encouraged the adoption of the new Exchange Online v2 cmdlets, or abbreviated as EXO v2, for admin tasks.
On a slightly separate topic, I would recommend limiting your administrator account the required privileges and for limited periods; a great way to implement this is via Privileged Identity Management (PIM) that allows admins activate an eligible role(s) which then require written justification for an approver to grant their temporary privilege. This feature is available as part on an Azure AD Premium P2 license.
An alternative to PIM is to delegate a privileged role to fewer administrators or have create discrete admin account per administrator that is scoped to a specific role, ie: exchadmin.simon@magrin.one; this can be cumbersome to manage and could impose another risk if not secured properly. I would strongly avoid having highly privileged shared admin account as this limits any audit trail for when things go wrong.
PowerShell Modules for Exchange Online
To download the latest Exchange Online PowerShell modules:
Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement
To update the Exchange Online Modules:
Update-Module -Name ExchangeOnlineManagement
Calendars
In this example, Bob Barker requires Alice Jones to have ‘Editor’ delegation:
Add-MailboxFolderPermission -Identity bob.barker@magrin.one:\Calendar -User alice.jones@magrin.one -AccessRights Editor
Now Bob Barker requires Alice Jones to only have ‘Reader’ delegation:
Add-MailboxFolderPermission –Identity bob.barker@magrin.one:\calendar -User alice.jones@magrin.one -AccessRights Reviewer
Bob Barker requests to have Alice Jones’ delegation rights to his calendar removed:
Remove-MailboxFolderPermission -Identity bob.barker@magrin.one:\Calendar -User alice.jones@magrin.one
Assuming no one as access Bob's calendar while he's on leave, we need to clear a meeting room booking:
While this command does as requested, you cannot selectively define which meeting room or resource to free up; the only option is to remove all calendar events this person made for a particular date. You also need to define the date in US format: mm-dd-yyyy.
Email Addresses
To update an email alias via on premise Active Directory (AD Connect):
- Open Active Directory Users and Computers
- Locate the user in the OU
- Select the 'Custom Attribute' tab
- Scroll down to proxyAddresses
- Add a proxyAddress value:
smtp:bobby.barker@magrin.one - The next time AD Connect synchronises the alias will appear
To set the Primary SMTP address, the proxyAddresses AD object attribute needs to have the prepending SMTP: in uppercase, as illustrated below:
SMTP:bob.barker@magrin.one
All other address with a prepending lowercase smtp: will become aliases to the account:
SMTP:bob.barker@magrin.one
smtp:bobby.barker@magrin.one
To update email alias for an Azure/Office 365 admin account:
Connect-MsolService
Get-MsolUser -UserPrincipalName admin@magrin.one
Set-MsolUser -UserPrincipalName admin@magrin.one -AlternateEmailaddresses simon@magrin.one
Office 365 Groups
At the time of writing, you can't add email aliases or create a redirect rule to Office 365 Groups. However, an alias email can be added via Exchange Online PowerShell:
Set-UnifiedGroup -Identity Office365Group@magrin.one -EmailAddresses @{Add="alias@magrin.one"}
To change the email Primary SMTP address:
Set-UnifiedGroup -Identity "Office365Group" -PrimarySmtpAddress "office365@magrin.one"
To set Mail enabled Office 365 Groups to be visible in Global Address List (GAL):
- First begin by listing all groups:
Get-UnifiedGroup | Where-Object {$_.AccessType -eq 'Private'} | Sort-Object whencreated | Out-GridView - Make the groups’ email address visible in Outlook:
Set-UnifiedGroup -Identity Team-Accounting -HiddenFromExchangeClientsEnabled:$False
Note: Changing the value from $False to $True hides the groups’ address in the Global Address List.
Mailbox Restoration
There are a couple of ways to do this; either restore the account or perform a soft-delete restore. I will discuss both options and when to use them.
Soft-delete from Azure AD or Active Directory (AD) on premise:
If the account was deleted within 30 days, simply restore the deleted object either from Azure AD or on premise AD; if the latter, also perform an Azure AD Connect sync, allowing 30 minutes to an hour for the mailbox to reappear. Confirm that the Primary SMTP and alias addresses are correct.
Restoring user's mailbox:
Assuming you have a Retention Policy enabled and how it's configured, you can recover a deleted user's mailbox past 30 days by performing a soft-delete restore.
Examples where this is applicable could be rehire requiring access to their prior emails, accidental deletion of a user who was on extended leave, restoring a mailbox to a new hire working on a project, etc...
Note: For an on premise AD account, restore or recreate the users AD account and perform a Azure AD Connect sync and wait 30 minutes for the synchronization to occur.
- Confirm that the account has been restored and their license has been applied
- Connect to the Exchange Admin PowerShell identity of the soft deleted mailbox:
Get-Mailbox –SoftDeletedMailbox -Identity "alice.jones" | fl *ExchangeGuid*
ExchangeGuid: 11223344-1234-1234-1234-112233445566
- Retrieve the identity of the newly created mailbox for the restored account:
Get-Mailbox -identity "alice.jones" | fl *ExchangeGuid*
ExchangeGuid: 55667788-6789-6789-6789-778899001122
- Request a mailbox restore request, mapping the source mailbox (soft-deleted) to the newly provisioned (empty) mailbox:
New-MailboxRestoreRequest -SourceMailbox "11223344-1234-1234-1234-112233445566" -TargetMailbox "55667788-6789-6789-6789-778899001122" -AllowLegacyDNMismatch
Note: Depending on the size of the soft-deleted mailbox, this may take several minutes to hours to complete the restore.
- Confirm the restore status:
Get-MailboxRestoreRequest
- Finally, monitor the Item count increasing until the figure stops, indicating the mailbox has been restored:
Get-MailboxStatistics -Identity alice.jones
Room Bookings
Room Finders are essentially distribution lists; to view existing lists:
Get-DistributionGroup MainOfficeLevel1
To remove a Room Finder list:
Remove-DistributionGroup -Identity MainOfficeLevel1@magrin.one
To create a Room Finder list:
$Rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox |Where-Object {$_.Alias -ne 'CommonRoom'} | select -ExpandProperty Alias $Rooms | Add-DistributionGroupMember -Identity "Available Rooms"
Extend Meeting Room booking days:
Get-MailBox "Meeting Room 1" | Set-CalendarProcessing -BookingWindowInDays 365
You can achieve the same under the Exchange admin center > recipients > resources > open the resource > under 'booking options' update the 'Maximum booking lead time (days):' to the desired value.
Review Mailbox Forwarding and Delegation Access
Below is a script that will query Azure AD and Exchange Online and will generate three CSV files, detailing user mail rules, external forwarding rules and users who have delegated access to other mailboxes.
This is great for regular audits to ensure your Exchange posture is updated, following up or revoking unnecessary forwarding rules and delegations when people have moved around the organization.
Connect-MsolService
Connect-ExchangeOnline
$allUsers = @()
$AllUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | Select-Object ObjectID, UserPrincipalName, FirstName, LastName, StrongAuthenticationRequirements, StsRefreshTokensValidFrom, StrongPasswordRequired, LastPasswordChangeTimestamp | Where-Object {($_.UserPrincipalName -notlike "*#EXT#*")}
$UserInboxRules = @()
$UserDelegates = @()
foreach ($User in $allUsers)
{
Write-Host "Checking inbox rules and delegates for user: " $User.UserPrincipalName;
$UserInboxRules += Get-InboxRule -Mailbox $User.UserPrincipalname | Select-Object Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage | Where-Object {($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.RedirectsTo -ne $null)}
$UserDelegates += Get-MailboxPermission -Identity $User.UserPrincipalName | Where-Object {($_.IsInherited -ne "True") -and ($_.User -notlike "*SELF*")}
}
$SMTPForwarding = Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName,ForwardingAddress,ForwardingSMTPAddress,DeliverToMailboxandForward | where {$_.ForwardingSMTPAddress -ne $null}
$UserInboxRules | Export-Csv .\MailForwardingRulesToExternalDomains.csv
$UserDelegates | Export-Csv .\MailboxDelegatePermissions.csv
$SMTPForwarding | Export-Csv .\Mailboxsmtpforwarding.csv
Open the exported CSV files to review the forwarding rules and delegations.