Mailbox Migration O365 - shared mailbox permission

Hi folks, I need a little help or pointers related to shared mailbox permissions during migration to Office 365 (Exchange 2013 hybrid).

The case is:

In Exchange 2010 we have security groups, distribution groups, and security groups that are mail-enabled (a mix of the first 2). And we can use all these groups for granting access rights on (shared) mailboxes.

In Exchange Online we can only use mail-enabled groups/objects to grant rights to mailboxes; so distribution groups and security groups that are mail-enabled.

So before we migrate a (shared) mailbox we must ensure that the configured rights remain, so we must verify that only Online-supported groups are used.

So can anyone help with how we can do that? I have the script below that is used to report, but this still requires a manual check of the groups. It would help if we could find a script that takes an email address as a parameter, then does a lookup of the mailbox config and verifies whether the listed objects are mail-enabled groups.

$OutFile = "C:\Temp\PermissionExport.txt"
"DisplayName" + "^" + "Alias" + "^" + "Full Access" + "^" + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 
	$Mailbox.DisplayName + "^" + $Mailbox.Alias + "^" + $FullAccess + "^" + $SendAs | Out-File $OutFile -Append
}

August 27th, 2015 2:43pm

 

Not sure if I have got what you are saying right, but I think you want to know if $_.User listed by the current script are normal users or groups.

Get-Recipient would help you in this, but note it will only list mail-enabled objects and skip everything else.

Please find the modified part inside the ForEach:

$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {Get-Recipient $_.User.RawIdentity -ErrorAction SilentlyContinue}
$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {Get-Recipient $_.User.RawIdentity}

#Adding as a separate line so that type info is easily viewable
foreach ($SA in $SendAs) {
	$Mailbox.DisplayName + "^" + $Mailbox.Alias + "^" + $SA.DisplayName + "^" + $SA.RecipientType | Out-File $OutFile -Append
}
foreach ($FA in $FullAccess) {
	$Mailbox.DisplayName + "^" + $Mailbox.Alias + "^" + $FA.DisplayName + "^" + $FA.RecipientType | Out-File $OutFile -Append
}


September 9th, 2015 2:20am

Hi Jugalkumar,

And for the "email address as parameter", just modify the Get-Mailbox section

Get-Mailbox -Identity ed@contoso.com

The Identity parameter specifies the mailbox that you want to view. You can use any value that uniquely identifies the mailbox.

For example:

  • Alias

  • Distinguished name (DN)

  • GUID

  • Name

  • Display name

  • LegacyExchangeDN

  • Email address

September 9th, 2015 2:24am
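
The check asked for in the first post, combining both replies, as an added example that is not part of the original thread. The function name Test-MailboxTrustee is hypothetical, the on-premises Exchange Management Shell is assumed, and any trustee that Get-Recipient cannot resolve is reported as not mail-enabled.

```powershell
# Added example, not code from the thread. Test-MailboxTrustee is a hypothetical name.
# Assumption: run in the on-premises Exchange Management Shell before migration.
function Test-MailboxTrustee {
    param(
        [Parameter(Mandatory = $true)]
        [string]$EmailAddress
    )

    $mailbox = Get-Mailbox -Identity $EmailAddress -ErrorAction Stop

    # Explicit (non-inherited) trustees; the built-in SELF entry is skipped for both rights.
    # @() guarantees an array, so an empty result is not iterated as a single $null.
    $fullAccess = @(Get-MailboxPermission -Identity $mailbox.Identity |
        Where-Object { $_.AccessRights -eq 'FullAccess' -and -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object { $_.User.ToString() })
    $sendAs = @(Get-ADPermission -Identity $mailbox.DistinguishedName |
        Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object { $_.User.ToString() })

    $rights = @{ FullAccess = $fullAccess; SendAs = $sendAs }
    foreach ($right in $rights.Keys) {
        foreach ($trustee in $rights[$right]) {
            # Get-Recipient only returns mail-enabled objects; no result means the
            # trustee is a plain security group, a non-mail user or an unresolved SID.
            $recipient = Get-Recipient -Identity $trustee -ErrorAction SilentlyContinue |
                Select-Object -First 1
            $type = 'NotMailEnabled'
            if ($recipient) { $type = $recipient.RecipientTypeDetails }

            New-Object PSObject -Property @{
                Mailbox     = $mailbox.PrimarySmtpAddress
                Right       = $right
                Trustee     = $trustee
                MailEnabled = [bool]$recipient
                Type        = $type
            } | Select-Object Mailbox, Right, Trustee, MailEnabled, Type
        }
    }
}

# Usage: list only the entries that need attention before the mailbox is moved.
# Test-MailboxTrustee -EmailAddress ed@contoso.com | Where-Object { -not $_.MailEnabled }
```

Rows with MailEnabled set to False are the permissions to replace with a mail-enabled group before migrating the mailbox.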
