I'm finding the O365 and Exchange Admin portals to be quite unreliable when it comes to viewing, setting, and changing permissions on Exchange objects. Retrieval times are slow and timeouts frequently occur. It's particularly frustrating when the current permissions finally appear and I quickly realize that they're not right, that some entries are missing. Our multi-geo environment undoubtedly makes this worse. It's just quicker and easier to use PowerShell, so I'm going to share the various commands and one-liners that I use on a regular basis to get the job done.
In almost all instances, a mailbox or a user can be referenced in a command parameter using their UserPrincipalName, email address or even their full name enclosed in double quotes. For example, you can use "jdirt@redneck.org", "JoeDirt@redneck.org" or "Joe Dirt" and Exchange will quickly and correctly locate and use the right object. There are always exceptions, but I haven't run into one yet. In the examples below, wherever you see "<mailboxaddress>" or "<useraddress>", you can substitute one of these IDs.
Mailbox Permissions - this is usually just a case of either adding or removing the FullAccess permission. Since completing our migration to Exchange Online, I'm finding that most of our shared mailboxes have a lot of stale permissions, be it unresolved SIDs or deleted O365 accounts.
The first step is to review the current permissions:
Get-MailboxPermission <mailboxaddress>
That works fine, but the output includes a lot of extra information you don't necessarily need or care about, and some of the stuff you do care about gets truncated. Here's what I use to get just the output I'm interested in.
Get-MailboxPermission <mailboxaddress> | where {$_.isinherited -eq $false -AND $_.user -notlike "NT AUTHORITY*"} | select user, accessrights | sort user
This removes the default and inherited permissions, and in most cases, the output doesn't get truncated. That final Sort helps when I need to copy multiple user strings to the clipboard so I can use Get-Clipboard to pull them into a variable.
The following commands handle the permissions changes.
Add-MailboxPermission <mailboxaddress> -AccessRights FullAccess -User <useraddress>
Remove-MailboxPermission <mailboxaddress> -AccessRights FullAccess -User <useraddress> -Confirm:$false
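The review and removal steps above can be combined into a tenant-wide sweep for stale entries on shared mailboxes. This is an added example, not part of the original post. It assumes an already connected Exchange Online session and that unresolved trustees show up in the User column as raw SID strings; the $sidPattern and $report names are illustrative.

```powershell
# Added example: run inside an existing Exchange Online session (Connect-ExchangeOnline).
# Assumption: an unresolved trustee is displayed as a bare SID string (S-1-...)
# instead of a name or address, so a SID-shaped User value marks a stale entry.
$sidPattern = '^S-1-\d+(-\d+)+$'

$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # Same filter as the one-liner above: explicit, non-system entries only.
    Get-MailboxPermission -Identity $mbx.PrimarySmtpAddress |
        Where-Object { $_.IsInherited -eq $false -and $_.User -notlike 'NT AUTHORITY*' } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox       = $mbx.PrimarySmtpAddress
                User          = [string]$_.User
                AccessRights  = $_.AccessRights -join ','
                UnresolvedSid = ([string]$_.User) -match $sidPattern
            }
        }
}

# Full picture first: every explicit grant, with stale ones flagged.
$report | Sort-Object Mailbox, User | Format-Table -AutoSize

# Preview the cleanup of stale FullAccess grants. -WhatIf only reports what
# would be removed; drop it once the list has been reviewed.
$report |
    Where-Object { $_.UnresolvedSid -and $_.AccessRights -match 'FullAccess' } |
    ForEach-Object {
        Remove-MailboxPermission -Identity $_.Mailbox -User $_.User `
            -AccessRights FullAccess -Confirm:$false -WhatIf
    }
```

Entries for deleted accounts that still resolve to a name are not flagged by the SID check, so they need to be picked out from the sorted table by hand.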
Next time, I'll cover the Send-As and Send On Behalf Of permissions.
Tuesday, March 31, 2020