Shared Mailbox Migration O365 - Permission issue

Hi folks, I need a little help or some pointers related to shared mailbox permissions during migration to Office 365 (Exchange 2013 hybrid).

The case is:

In Exchange 2010 we have security groups, distribution groups, and security groups that are mail-enabled (a mix of the first two), and we can use all of these groups for granting access rights on (shared) mailboxes.

In Exchange Online we can only use mail-enabled groups/objects to grant rights to mailboxes, so distribution groups and security groups that are mail-enabled.

So before we migrate a (shared) mailbox we must ensure that the configured rights remain, so we must verify that only Online-supported groups are used.

So can anyone help with how we can do that? I have the script below that I use to report, but this still requires a manual check of the groups. Ideally we could find a script that takes an email address as a parameter, then looks up the mailbox configuration and verifies whether the listed objects are mail-enabled groups.

# Report file, '^'-delimited; the first line written is the header row
$OutFile = "C:\Temp\PermissionExport.txt"
"DisplayName" + "^" + "Alias" + "^" + "Full Access" + "^" + "Send As" | Out-File $OutFile -Force

# All shared mailboxes in the organization
$Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	# Explicit (non-inherited) Send As trustees, excluding the mailbox itself
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	# Explicit (non-inherited) Full Access trustees
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}

	# One line per mailbox; multiple trustees are space-separated within a field
	$Mailbox.DisplayName + "^" + $Mailbox.Alias + "^" + $FullAccess + "^" + $SendAs | Out-File $OutFile -Append
}

August 27th, 2015 2:45pm

Hi,

Generally, in on-premises Exchange Server, the Full Access, Send As and Send On Behalf permissions can only be assigned to security groups (both mail-enabled and non-mail-enabled). They can't be assigned to distribution groups (mail-enabled universal distribution groups can be used only to distribute messages).

If you want to remove the non-mail-enabled security groups from the shared mailbox's Full Access and Send As permission lists, we can list all permission settings for the shared mailbox and then remove the non-mail-enabled security groups manually.

In your post, the script can export the full permission list for shared mailboxes to a text file. Then we can list all mail-enabled security groups:

Get-DistributionGroup

Please pay attention to distribution groups whose GroupType value includes SecurityEnabled. Compare these security groups with the permission list, and remove the non-mail-enabled security groups.

Regards,

August 28th, 2015 4:56am
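
Added example (not part of the original thread, and not code from either poster): one way to do the lookup the question asks for, taking a mailbox email address and reporting for each Full Access and Send As trustee whether Exchange knows it as a mail-enabled recipient. It assumes the on-premises Exchange Management Shell, the ActiveDirectory module and a single-domain forest; the function name Get-MailboxTrusteeReport and its output columns are hypothetical.

```powershell
# Added example. Run in the on-premises Exchange Management Shell.
# Get-MailboxTrusteeReport and its output columns are hypothetical names.
Import-Module ActiveDirectory

function Get-MailboxTrusteeReport {
    param([Parameter(Mandatory = $true)][string]$EmailAddress)

    $mbx = Get-Mailbox -Identity $EmailAddress -ErrorAction Stop

    # Explicit (non-inherited) trustees from the same two sources the
    # script in the question reads. @() copes with an empty result.
    $entries = @(
        Get-MailboxPermission $mbx.Identity |
            Where-Object { $_.AccessRights -eq 'FullAccess' -and -not $_.IsInherited -and
                           $_.User -notlike 'NT AUTHORITY\SELF' } |
            ForEach-Object { New-Object PSObject -Property @{ Right = 'FullAccess'; Trustee = $_.User.ToString() } }
        Get-ADPermission $mbx.DistinguishedName |
            Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.IsInherited -and
                           $_.User -notlike 'NT AUTHORITY\SELF' } |
            ForEach-Object { New-Object PSObject -Property @{ Right = 'SendAs'; Trustee = $_.User.ToString() } }
    )

    foreach ($e in $entries) {
        $class = 'unresolved'; $type = $null
        try {
            # DOMAIN\name -> SID -> AD object -> Exchange recipient (if any).
            $nt  = New-Object System.Security.Principal.NTAccount($e.Trustee)
            $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
            $ad  = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'"
            if ($ad) {
                $class = $ad.ObjectClass
                # A group that is not mail-enabled is not a recipient, so this returns nothing.
                $rcp = Get-Recipient -Identity $ad.DistinguishedName -ErrorAction SilentlyContinue
                if ($rcp) { $type = $rcp.RecipientTypeDetails }
            }
        } catch { }  # orphaned SID or a name that no longer resolves: stays 'unresolved'

        New-Object PSObject -Property @{
            Mailbox = $mbx.PrimarySmtpAddress; Right = $e.Right; Trustee = $e.Trustee
            ObjectClass = $class; RecipientTypeDetails = $type; MailEnabled = ($null -ne $type)
        }
    }
}

# List only the trustees Exchange does not know as recipients (address is a placeholder):
# Get-MailboxTrusteeReport -EmailAddress shared@example.com | Where-Object { -not $_.MailEnabled }
```

Rows with MailEnabled set to False and ObjectClass "group" are the non-mail-enabled security groups the thread is concerned with; rows marked "unresolved" are typically orphaned SIDs worth cleaning up before the move.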

