
–A–

AlternateEmailAddresses, users that have at least one

Get-MsolUser -all | where {($_.AlternateEmailAddresses.count -gt 0)} | ft UserPrincipalName,AlternateEmailAddresses

automap a shared mailbox, remove for several users

You can't just remove automapping. Instead, you must remove full access rights and then add full access again, but this time with automapping set to $false instead of the default $true.

specify the shared mailbox:

$sharedMailbox = "wantToShare@yourDomain.com"

verify the existing permissions on this shared mailbox. I normally use this in order to get rid of inherited permissions:

Get-Mailbox $sharedMailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select-Object user, AccessRights

But if you run the simpler version, you might see a "SID" tucked in there somewhere:

Get-Mailbox $sharedMailbox | Get-MailboxPermission

In at least one instance, I did get a SID and it was inherited. This may cause a problem.

populate array with delegates who you're going to remove and then add back permissions (but without automapping):

$delegates = @("user1@yourDomain.com", "user2@yourDomain.com", "user3@yourDomain.com")
$delegates | %{Remove-MailboxPermission -Identity $sharedMailbox -User $_ -AccessRights FullAccess -Confirm:$false}

I sometimes get the following message:

WARNING: Can't remove the access control entry on the object "CN=your user,OU=yourTenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR10A004,DC=PROD,DC=OUTLOOK,DC=COM" for account "NAMPR10A004\share53598-1921233685" because the ACE doesn't exist on the object.

which doesn't make sense. But I proceed anyway.

$delegates | %{Add-MailboxPermission -Identity $sharedMailbox -User $_ -AccessRights FullAccess -AutoMapping:$false}

verify:

$delegates | %{Get-Mailbox | Get-MailboxPermission -user $_}

I have yet to find any PowerShell command that actually tells the status of automapping. The command above merely verifies that the individuals still are delegates to the target shared mailbox with full access.

–B–

–C–

calendar, allow someone else to view

Add-MailboxFolderPermission whoseCalYouWantRead@yourDomain.com:\Calendar -User whoNeedsAccess@yourDomain.com -AccessRights FolderVisible,ReadItems

calendar, who has what permissions?

Get-MailboxFolderPermission -Identity whoseCalWantToKnowPerms@yourDomain.com:\Calendar

conference rooms, filter out from list of mailboxes - see mailbox types, filter out types

contact, find and remove a contact with the same name as a user

Find

$DepartingUserIdentity = "someUser";

Get-ADObject -LDAPFilter "objectClass=Contact" -Properties Name,mail,DistinguishedName  | Where-Object{$_.mail -like "$($DepartingUserIdentity)*"} | ft Name, mail, DistinguishedName

Remove

$EmployeeDetails = Get-ADUser $DepartingUserIdentity -properties *

Get-ADObject -Filter {(cn -eq $EmployeeDetails.Name) -and (objectClass -eq "Contact")} | Remove-ADObject -Confirm:$False

or hard-coded name instead of using a variable:

Get-ADObject -Filter {(cn -eq "Some User") -and (objectClass -eq "Contact")} | Remove-ADObject -Confirm:$False

contacts, display "proxyAddresses" and "targetAddress"

contacts on the cloud don't really have the same "proxyAddresses" or "targetAddress" as local AD contacts. Instead, they have "externalEmailAddress" and "emailAddresses" analogs:

Get-MailContact | select DisplayName,alias, externalEmailAddress, emailAddresses

–D–

delegate a mailbox to another user - see permissions - assign mailbox permissions/delegation of one user to another user

delegates don't show up as expected in Outlook

You've added delegates to a user with full access rights. They show up just fine in WebMail, but not in Outlook. Answer: you have to take away full access and then add it back again with Automapping.

$Delegates = Get-Mailbox | Get-MailboxPermission -user 'someUser@yourDomain.com'
$Delegates | %{Remove-MailboxPermission -Identity $_.Identity -user $_.User -AccessRights FullAccess -Confirm:$False}
$Delegates | %{Add-MailboxPermission -Identity $_.Identity -user $_.User -AccessRights FullAccess -AutoMapping:$True}

delegates for a (normally shared) mailbox

Get-Mailbox someuser | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select-Object user, AccessRights

delegated mailboxes that a user has access to

Get-Mailbox | Get-MailboxPermission -user 'someUser@yourDomain.com'

delegated mailboxes that a user has FullAccess

find

$DepartingUserIdentity = "someUser";

Get-Mailbox | Get-MailboxPermission -user $DepartingUserIdentity

(or another way)

Get-Mailbox | ? {$_.GrantSendOnBehalfTo -match $DepartingUserIdentity}

Or, with an individual, hard-coded email address:

Get-Mailbox | Get-MailboxPermission -user 'someUser@yourDomain.com'

(or another way)

Get-Mailbox | ? {$_.GrantSendOnBehalfTo -match "someUser"}

The most common permission we need to worry about is “FullAccess”.

Remove

Attempt to remove “FullAccess” in one fell swoop fails because we run out of threads

Get-Mailbox | Get-MailboxPermission -user $DepartingUserIdentity | % {Remove-MailboxPermission -identity $_.Identity -user $_.User -AccessRights FullAccess -InheritanceType All -Confirm:$false}

Error is

Remove-MailboxPermission : The session WinRM1, 24b1bbc8-5f00-4836-b7c0-097b589ed891, outlook.office365.com is not available to run commands.  The session availability is Busy.

Which means trying to do too much at once.

But splitting this up into 2 parts seems to work better:

$targetUsers = Get-Mailbox | Get-MailboxPermission -user $DepartingUserIdentity

$targetUsers | % {Remove-MailboxPermission -identity $_.Identity -user $_.User -AccessRights FullAccess -InheritanceType All -Confirm:$false}

delegated mailboxes that a user has SendOnBehalfTo

find

$DepartingUserIdentity = "someUser";

Get-Mailbox | ? {$_.GrantSendOnBehalfTo -match $DepartingUserIdentity}

remove

delegates, generate list

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}
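
Added example (not from the original page): the FullAccess and SendOnBehalfTo lookups from the entries above, combined with a SendAs lookup, as one report of everything a departing user can reach. It assumes a connected Exchange Online session; the function name Get-DelegationReport and its parameter names are hypothetical.

```powershell
# Added example, not the page's own code. Needs a connected Exchange Online session.
function Get-DelegationReport {
    param(
        [Parameter(Mandatory)][string] $UserPrincipalName,  # e.g. someUser@yourDomain.com
        [Parameter(Mandatory)][string] $Identity            # e.g. someUser, the value matched against GrantSendOnBehalfTo
    )

    # Read the mailbox list once and reuse it for both mailbox-based lookups.
    $mailboxes = Get-Mailbox -ResultSize Unlimited

    # 1. Explicit (non-inherited) mailbox permissions such as FullAccess
    $mailboxes | Get-MailboxPermission -User $UserPrincipalName |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $_.Identity
                Grant   = 'MailboxPermission'
                Rights  = ($_.AccessRights -join ',')
            }
        }

    # 2. SendAs, which is a recipient permission and not a mailbox permission
    Get-RecipientPermission -Trustee $UserPrincipalName -ResultSize Unlimited |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $_.Identity
                Grant   = 'RecipientPermission'
                Rights  = ($_.AccessRights -join ',')
            }
        }

    # 3. SendOnBehalfTo is a property of the mailbox itself.
    #    Escape the name so a dot in it is not treated as a regex wildcard by -match.
    $pattern = [regex]::Escape($Identity)
    $mailboxes | Where-Object { $_.GrantSendOnBehalfTo -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $_.Identity
                Grant   = 'GrantSendOnBehalfTo'
                Rights  = 'SendOnBehalf'
            }
        }
}

# Usage (placeholder values in the page's style):
# Get-DelegationReport -UserPrincipalName 'someUser@yourDomain.com' -Identity 'someUser' |
#     Sort-Object Mailbox, Grant | Format-Table -AutoSize
```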

deleted mailboxes, list - see also deleted users (soft deleted), list

Get-Mailbox -SoftDeletedMailbox | Select DisplayName,ExchangeGuid,PrimarySmtpAddress,ArchiveStatus,DistinguishedName | Out-GridView -Title "Select Mailbox and GUID" -PassThru

deleted mailbox, recover mailbox when synced user associated with that deleted mailbox is still present

First, get the ExchangeGUID of the deleted mailbox

get-mailbox -SoftDeletedMailbox -identity somedeleteduser | fl ExchangeGUID

Similarly, get the ExchangeGUID of the target user. Make sure this target user has an email license of some kind and that we've logged in at least once - to create an empty mailbox to migrate into

get-mailbox -identity userWhoLostHisMailbox | fl ExchangeGUID

Copy the stuff from the deleted mailbox to the target, using the ExchangeGUIDs you got above as appropriate:

new-MailboxRestoreRequest -SourceMailbox "8c86592c-5cb7-4bc5-8b06-7f6a57b84d2b" -TargetMailbox "4c587005-e303-4689-aed7-564e49b0734b" -AllowLegacyDNMismatch

deleted mailbox, recover a soft deleted / disconnected mailbox merged to another user on exchange online - So You Need To Recover A Soft Deleted / Disconnected Mailbox Merged To Another User On Exchange Onlines

disabled accounts, filter out from list of mailboxes - see mailbox types, filter out types

distribution group, bulk change WindowsEmailAddress of cloud-only (exclude those synced with local AD)

$distGroup = Get-DistributionGroup | ? {$_.isdirsynced -eq 0 -and ($_.WindowsEmailAddress.split("@")[1] -match "yourdomain.com")}

Optional: inspect first before proceeding to the command that actually applies our changes:

$distGroup | ft name, proxyAddresses

Now proceed to actually do what we set out to do: set "PrimarySmtpAddress" for all users which had corresponding "PrimarySmtpAddress" corresponding to our domain:

$distGroup | %{Set-DistributionGroup -identity $_.identity -WindowsEmailAddress ($_.WindowsEmailAddress.split("@")[0] +"@yourTenant.onmicrosoft.com")}

Note that we could have done all this in one command without the intermediate variable. But it's nice to actually see the groups we intend to change before we apply the changes (using the Set-DistributionGroup command), just to make sure.

domain, list all emails for

Get-MsolUser | where {($_.userprincipalname -match "yourDomain.com")}

or

Get-Mailbox *yourDomain.com

list shared mailboxes for a domain with who has permissions on them

Get-Mailbox *yourDomain.com | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select-Object Identity, User, AccessRights

–E–

–F–

FullAccess delegated, to which users does a particular user have this access? - see delegated mailboxes that a user has FullAccess

–G–

GAL - see Global Address List (GAL) (or Offline Address Book / OAB), suppress entries

Get-MailboxStatistics

individual

Get-MailboxStatistics -Identity "someUser@yourTenant.com"

By default, this command also gives the LastLogonTime but it does not give what we care most about: how big the dang box actually is. So make sure that shows up in the output, too.

Get-MailboxStatistics -Identity "someUser@yourTenant.com" | ft DisplayName, ItemCount, TotalItemSize

for a domain

What if you only care about a certain domain's emails?

Get-MsolUser | where {($_.userprincipalname -match "yourDomain.com")} | % {Get-MailboxStatistics $_.userprincipalname}

Sometimes this causes an error for some records which don't exist

The specified mailbox "someUser@yourDomain.com" doesn't exist.

You can try this instead to bypass that error

Get-Mailbox *yourDomain.com | Get-MailboxStatistics

But this might find duplicate names:

The specified mailbox "Some User" isn't unique.


for the whole tenant

get-mailbox | get-mailboxstatistics | select DisplayName,ItemCount,TotalItemSize | export-csv "MailboxSizes.csv"

This often finds the same problem with duplicate names.
Also, this only gives the mailbox size in MB/GB with actual size behind in parentheses. I usually split this cell in Excel using the data function. It'd be nice if I could find a PowerShell command that would do all this in one fell swoop. Maybe someday.
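
Added example (not from the original page): one way to get the size as a plain number without splitting the cell in Excel, by pulling the byte count out of the text inside the parentheses. The function names Convert-ItemSizeToBytes and Export-MailboxSizeReport are hypothetical, the sample strings are constructed, and looking each mailbox up by its ExchangeGuid instead of its display name is an assumption about how to sidestep the "isn't unique" error.

```powershell
# Added example, not the page's own code.
function Convert-ItemSizeToBytes {
    param([AllowNull()] $TotalItemSize)
    # Over a remote session the value arrives as text such as
    # "1.5 GB (1,610,612,736 bytes)"; keep only the digits inside the parentheses.
    if ("$TotalItemSize" -match '\(([\d,.\s]+)bytes\)') {
        return [int64]($Matches[1] -replace '\D', '')
    }
    return $null   # empty value or unexpected format
}

# Needs a connected Exchange Online session; defining it is harmless offline.
function Export-MailboxSizeReport {
    param([string] $Path = 'MailboxSizes.csv')

    $mailboxes = Get-Mailbox -ResultSize Unlimited
    $report = foreach ($mbx in $mailboxes) {
        # Look up by GUID so two mailboxes with the same display name do not collide.
        $stats = Get-MailboxStatistics -Identity $mbx.ExchangeGuid.ToString() -ErrorAction SilentlyContinue
        if (-not $stats) { continue }   # no statistics yet, e.g. never logged in

        $bytes = Convert-ItemSizeToBytes $stats.TotalItemSize
        [pscustomobject]@{
            DisplayName        = $stats.DisplayName
            PrimarySmtpAddress = $mbx.PrimarySmtpAddress
            ItemCount          = $stats.ItemCount
            TotalItemSizeBytes = $bytes
            TotalItemSizeMB    = if ($null -ne $bytes) { [math]::Round($bytes / 1MB, 2) }
        }
    }
    $report | Export-Csv -Path $Path -NoTypeInformation
}

# Constructed sample strings in the format described above (no tenant needed):
'1.5 GB (1,610,612,736 bytes)', '512 KB (524,288 bytes)' |
    ForEach-Object { Convert-ItemSizeToBytes $_ }
```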

Global Address List (GAL) (or Offline Address Book / OAB), suppress entries - the key is either:


Cloud only (not local AD)

This first section assumes that you want to change this attribute for cloud-only IDs that are not synced with local AD.

To list mailboxes showing the status of this attribute

Get-Mailbox | Sort-Object HiddenFromAddressListsEnabled,displayName | ft identity,displayName,HiddenFromAddressListsEnabled

list individuals whose status is false or null

Get-Mailbox | ? {($_.HiddenFromAddressListsEnabled -eq $false) -or ($_.HiddenFromAddressListsEnabled -eq $null) } | ft identity,displayName,HiddenFromAddressListsEnabled

how to change this attribute for an individual

If a user has an email license, the following two commands will work to find …

Get-Mailbox -Identity someuser@yourTenant.onmicrosoft.com | ft identity,displayName,HiddenFromAddressListsEnabled

…and remove them from showing up in the GAL or OAB

Set-Mailbox -Identity someuser@yourTenant.onmicrosoft.com -HiddenFromAddressListsEnabled $true

 

Bulk method #1: Set-MailUser

But what if these users don't have an email license but have that annoying "HiddenFromAddressListsEnabled" set to "$false" (the default)? They'll still show up in the GAL and you can't get at them using the Get-Mailbox command as we do above! This comes up if we had a user that was synced with local AD and had an email license, deleted him, and then restored him and took away his email license. We do this, for instance, if we move him from one tenant to another but decide to let him hang around in some capacity with no email license but perhaps a SharePoint license. Assume that we only care about "real" emails and not emails ending with "*.onmicrosoft.com". This command all by itself finds them:

Get-MailUser | Where {($_.UserPrincipalName -like '*onmicrosoft.com') -and ($_.HiddenFromAddressListsEnabled -eq $False)}

And then the following command goes one step further and gets rid of the offending "HiddenFromAddressListsEnabled" by setting it to "true".

Get-MailUser | Where {($_.UserPrincipalName -like '*onmicrosoft.com') -and ($_.HiddenFromAddressListsEnabled -eq $False)} | ForEach-Object {Set-MailUser $_.userprincipalname -HiddenFromAddressListsEnabled $true}

 

Bulk method #2: Set-Mailbox

Sometimes, even though these users don't have a license, using the Set-Mailbox command instead of Set-MailUser works anyway:

$onmicrosoftUsersNotHidden = Get-Mailbox *onmicrosoft.com -filter {HiddenFromAddressListsEnabled -eq $False}

Note that, unlike other commands, for Get-Mailbox it seems that using Where in a pipe after the initial command won't filter properly. Instead, you must apply the filter immediately after the Get-Mailbox with a simple wildcard - "*onmicrosoft.com" in this case.

Optional: make sure we have the right users before actually applying our changes:

$onmicrosoftUsersNotHidden | ft userPrincipalName,displayName,HiddenFromAddressListsEnabled

Now proceed to actually do what we set out to do: hide these users from showing up in the GAL

$onmicrosoftUsersNotHidden | % {Set-Mailbox -identity $_.identity -HiddenFromAddressListsEnabled $true}


local AD users (not cloud-only)

$DepartingUserIdentity = "someUser";

Set-ADUser -identity $DepartingUserIdentity -add @{msExchHideFromAddressLists = $True}

Or maybe “replace” instead of “add” if the value is not null (haven't tested)

GUID for a mailbox

Get-Mailbox -identity someuser | select DisplayName, GUID, ExchangeGUID

–H–

HiddenFromAddressListsEnabled - this cloud attribute is equivalent to msExchHideFromAddressLists in local AD

–I–

–J–

–K–

kiosk mailbox, filter out from list of mailboxes - see mailbox types, filter out types

–L–

last mailbox login time - see Get-MailboxStatistics

–M–

mailbox types, filter out types

filter out:

Get-Mailbox -ErrorAction SilentlyContinue -identity $_.UserPrincipalName `
    -Filter {(-not(RecipientTypeDetailsValue -eq 'SharedMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'RoomMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'EquipmentMailbox')) -and (ExchangeUserAccountControl -ne 'AccountDisabled') `
    -and (HiddenFromAddressListsEnabled -eq $false) -and (MailboxPlan -notlike "ExchangeOnlineDeskless*")} | `
    Sort-Object MailboxPlan, Identity | `
    Select-Object DisplayName, WindowsEmailAddress, MailboxPlan | Export-Csv "EmailList.csv"

I could not filter out Kiosks. When I try to filter, you always get 0 records. But you can sort. So, sort, include that value in the display & lop off bottom records.

mailbox size - see Get-MailboxStatistics

mailboxes which are deleted, list - see deleted mailboxes, list

most recent mailbox login time - see Get-MailboxStatistics

msExchHideFromAddressLists - this local AD attribute is equivalent to HiddenFromAddressListsEnabled in the cloud

–N–

–O–

Off-line Address Book (OAB), suppress entries from - see Global Address List (GAL), suppress entries

out of office message, specify

Initialize some variables

$message = "Hi. Thank you for your email. Bob Smith has left the company.
Please update your records with our accounts email address: accounts@yourDomain.com "
$EmployeeDetails = Get-ADUser Bob.Smith -properties *

Run the command

Set-MailboxAutoReplyConfiguration -Identity $EmployeeDetails.Mail -AutoReplyState enabled -ExternalAudience all -InternalMessage $message -ExternalMessage $message

Verify results

Get-MailboxAutoReplyConfiguration -Identity $EmployeeDetails.Mail

–P–

permissions - assign mailbox permissions/delegation of one user to another user

The command below will give the user (perhaps a sysadmin) access to all mailboxes. The “Automapping $false” means that, even though the user will have permissions/be a delegate, the other peoples' mailboxes will not automatically show up in his Outlook

Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -Automapping $false -User someuser@yourdomain.com

To give just one delegated user access to one source user (and also make sure that the other person's mailbox will automatically show up in his Outlook):

Get-Mailbox "sourceUser@yourDomain.com" | Add-MailboxPermission -AccessRights FullAccess -Automapping $true -User "targetUser@yourDomain.com"

To grant SendAs: unlike the full access delegation above, you can’t do this with UserPrincipalName. Instead, you have to do it using Identity.

$DepartingUserIdentity = "sourceUser";
$DelegatedUserIdentity = "delegatedUser";
Add-RecipientPermission $DepartingUserIdentity -AccessRights SendAs -Trustee $DelegatedUserIdentity -Confirm:$False

proxyAddresses, add or delete

$OldToDelete = "SMTP:" + $identity + "@" + $TenantDomain
$NewToAdd = "smtp:" + $identity + "@" + $TenantDomain
Set-Mailbox -Identity $identity -EmailAddresses @{Add = $NewToAdd; remove = $OldToDelete}

proxyAddresses, find match

Get-MsolUser -all | where-Object {$_.ProxyAddresses -match "someaddress" } | fl

proxyAddresses for contacts - although local AD contacts have "proxyAddresses", on Office 365 this property translates to "emailAddresses" - see contacts, display proxyAddresses and targetAddress

public folders, list

Get-PublicFolder -resultsize unlimited -recurse

–Q–

–R–

–S–

SendOnBehalfTo, add this permission for a user on a shared mailbox

Set-Mailbox 'someMailbox' -GrantSendOnBehalfTo @{add="someUser@yourDomain.com"}

SendOnBehalfTo, find all mailboxes to which a user has been delegated - see delegated mailboxes that a user has SendOnBehalfTo

shared mailbox, convert individual mailbox to shared mailbox

Set-Mailbox "someUser@yourDomain.com" -Type shared

shared mailbox, filter out from list of mailboxes - see mailbox types, filter out types

shared mailbox, list all shared mailboxes upon which a user has permissions

full access

Get-Mailbox | Get-MailboxPermission -user "someUser@yourDomain.com"

SendOnBehalfOf

Get-Mailbox | ? {$_.GrantSendOnBehalfTo -match "someUser@yourDomain.com"}

shared mailbox, list delegates

Get-Mailbox -Identity someuser | Get-MailboxPermission | where {($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF")} | ft identity,user,accessrights

shared mailboxes, list who's delegated to each for a domain

First, stash the mailboxes into a variable. If you only want to list the shared mailboxes and don't care about delegates, you can dispense using the variable as an intermediate step and can stop here. But in the next step we'll list the delegates using the contents of this variable.

$mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | `
    where {$_.PrimarySmtpAddress -match "yourdomain.com"} | `
    Select Identity,Alias,DisplayName,user,AccessRights | sort displayname

Now list the delegates for each of these shared mailboxes.

$mailboxes | sort displayname | foreach {Get-MailboxPermission -Identity $_.alias | `
    where {($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | `
    ft identity,user,accessrights} > somefile.txt

shared mailbox, remove automapping for several users - see automap a shared mailbox, remove for several users

size of mailbox - see Get-MailboxStatistics

–T–

targetAddress for contacts - although local AD contacts have "targetAddress", on Office 365 this property translates to "externalEmailAddress" - see contacts, display proxyAddresses and targetAddress

time of last mailbox login - see Get-MailboxStatistics

–U–

unified group, bulk change email addresses

"unified groups" include

Let's say we want to find all the groups belonging to the "yourdomain" domain and purge all emailAddresses for that same domain. Find all the groups that fit this profile and put it in a variable:

$UnifiedGroup = Get-UnifiedGroup | where-Object {$_.emailAddresses -like "*yourdomain.com" }

Optional: inspect first before proceeding to the command that actually applies our changes:

$UnifiedGroup | ft name, emailAddresses

Now proceed to actually do what we set out to do: remove all "emailAddresses" corresponding to our domain:

$UnifiedGroup | % {Set-UnifiedGroup -identity $_.identity -emailAddresses @{remove = "smtp:" + $_.PrimarySmtpAddress.split("@")[0] +"@yourdomain.com"}}

Note that, unlike many other objects, unified groups use "emailAddresses" much the same way as other objects (such as users) use "proxyAddresses". Also note that we could have done all this in one command without the intermediate variable. But it's nice to actually see the groups we intend to change before we apply the changes (using the Set-UnifiedGroup command), just to make sure.

unified group, bulk change primary SmtpAddress

$UnifiedGp = Get-UnifiedGroup | ? {$_.isdirsynced -eq 0 -and ($_.PrimarySmtpAddress.split("@")[1] -match "yourdomain.com")}

Optional: inspect first before proceeding to the command that actually applies our changes:

$UnifiedGp | ft name, emailAddresses

Now proceed to actually do what we set out to do: set "PrimarySmtpAddress" for all users which had corresponding "PrimarySmtpAddress" corresponding to our domain:

$UnifiedGp | % {Set-UnifiedGroup -identity $_.identity -primarysmtpaddress ($_.PrimarySmtpAddress.split("@")[0] +"@yourTenant.onmicrosoft.com")}

Note that we could have done all this in one command without the intermediate variable. But it's nice to actually see the groups we intend to change before we apply the changes (using the Set-UnifiedGroup command), just to make sure.

–W–

–X–

–Y–

–Z–