Made Easy
Mike O’Neill
Sr. PFE
Microsoft Confidential 3
About you
- Name
- Company Affiliation
- Title/Function/Area of Responsibility
- Product Experience
Agenda
EXO made easy
01 | PowerShell
02 | O365/Exchange Online
03 | Provisioning/Deprovisioning
04 | Reporting
PowerShell
What is PowerShell?
[Screenshot labels: PowerShell tabs, Script pane, Console pane]
Escape Character
• Assigns a special interpretation to characters that follow
• ASCII 96
`
What is a variable?
All scripting languages use placeholders or variables to hold data.
• Variables
• Defined and accessed using a dollar sign prefix ($)
• Holds object or collection of objects
• Variable names can include spaces and special characters
• Not case-sensitive
• Not typed or cast by default
• Can be constant or read only if necessary
• Kinds of variables:
• Automatic (built-in) holding PowerShell state information
• User-defined
What is a pipeline?
The vertical bar ( | ) is the pipe symbol. It tells PowerShell that
you want to take the output of one command and pass it as the input
(or pipe it) to the next command.
• Pipeline
• Series of commands connected by the pipeline character
• Sends output from one command as input to another command (left
to right)
• Passes Objects, not text
• Allows Filtering, Formatting and Outputting
• Cmdlets are designed to be chained together into 'pipelines'
• Data is streamed down the pipeline as objects are being created
Mailbox information - Pipeline
Top 10 mailboxes by size
Get-Mailbox | Get-MailboxStatistics | Sort-Object TotalItemSize `
-Descending | select -First 10 | format-table DisplayName,TotalItemSize, `
ItemCount -AutoSize
[Diagram: Mailbox → Mailbox Statistics → Sort → Select first 10 → Output to table]
Discovering PowerShell
Learn the commands below and you can discover everything about
PowerShell
• Get-Command
• Get-Help
• Get-Member
• Show-Command
Office 365/Exchange Online
Connect PowerShell to O365
Prerequisites:
• Membership in the Office 365 Global admin role
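# Prompt for the admin account; $credential is used by New-CsOnlineSession below
$credential = Get-Credential
# Load the Skype for Business Online connector and open a remote session
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $credential
# Import the remote cmdlets into the local session
Import-PSSession $sfboSession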
https://technet.microsoft.com/en-us/library/exchange-online-limits.aspx
Modify Mailboxes in bulk
• Exact Matching
Get-Mailbox -Filter {CustomAttribute1 -eq "Congrp1"} | Set-Mailbox `
-CustomAttribute2 "CommonValue"
• Compound conditions
Get-Recipient -Filter {Department -eq "Sales" -and RecipientTypeDetails `
-eq "UserMailbox"} | Set-Mailbox -CustomAttribute4 "SalesMbxs"
Set-CalendarProcessing Set-InboxRule
Set-MailboxAutoReplyConfiguration Set-MailboxCalendarConfiguration
Set-MailboxCalendarFolder Set-MailboxJunkEmailConfiguration
Set-MailboxMessageConfiguration Set-MailboxRegionalConfiguration
Set-MailboxSpellingConfiguration Set-HotmailSubscription
Set-ImapSubscription Set-PopSubscription
Filtering data by selected attribute
Get mailboxes where ‘City’ is Seattle
Hint: Which object type includes the property that is being used in the filter?
[Diagram: properties grouped by the cmdlet that returns them]
• Get-User: FirstName, LastName, Manager, Title, City, Company
• Get-Mailbox: Alias, PrimarySmtpAddress, CustomAttribute1, ForwardingAddress, MaxReceiveSize, IsShared
• A notification is displayed in the upper-right corner that shows the status and outcome of the
process. If the assignment to the group couldn't be completed (for example, because of
pre-existing licenses in the group), click the notification to view details of the failure.
Deprovision users
• Disabled accounts and ActiveSync devices continuing to sync
• A user who has left the organization or changed their password might continue to access mail through EAS
for up to 24 hours (with old credentials)
• It is a known behavior from the on-premises Exchange product
Cause: Cached credential tokens are held on the servers and are supposed to expire in 15 minutes, but only
if left untouched within that time. These caches are kept alive by the constant pinging of EAS (Direct
Push) clients, which keeps the session connected. The life span of such tokens is 24 hours
• This happens only for existing profiles; new profiles will not have access
Deprovision users
• What actions to take?
• Trigger a remote wipe
• Block known EAS devices: Set-CASMailbox <user> -ActiveSyncBlockedDeviceIDs "<DeviceID_1>","<DeviceID_2>",...
(checked constantly)
• Disable ActiveSync: Set-CASMailbox -Identity <user> -ActiveSyncEnabled $false (cached for
approximately 20 minutes)
• Disable web services: Set-CASMailbox -Identity <user> -OWAEnabled $false -EwsEnabled $false
• Prevent sending of any messages: Set-Mailbox -Identity <user> -RecipientLimits 0
-IssueWarningQuota 0 -ProhibitSendQuota 0
• Disable AD DS user object > DirSync > Set Sign-in status: Blocked (in cloud, for non-federated IDs)
• The Office 365 team is aware of this issue, and this might get fixed in the
future
Deprovision users
‘Aggressive termination script’
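The actions listed above, combined into one function as an added example; it is not the presenter's 'aggressive termination script', which is not reproduced on this page. It assumes an imported Exchange Online session and, for the sign-in block, a connected MSOnline module; `Disable-DepartedUser` is a hypothetical name, and remote wipe is left out as a per-device decision.

```powershell
# Added example (hypothetical helper, not the presenter's script).
# Assumes the Exchange Online cmdlets are already imported into the session.
function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity    # UPN of the account being deprovisioned
    )

    # Record the known EAS partnerships before changing anything.
    $devices = @(Get-MobileDevice -Mailbox $Identity)

    if ($PSCmdlet.ShouldProcess($Identity, 'Block mail access, sending and sign-in')) {
        # Block every known device ID (checked constantly, per the deck).
        # Note: this replaces any existing blocked-device list.
        if ($devices.Count -gt 0) {
            Set-CASMailbox -Identity $Identity `
                -ActiveSyncBlockedDeviceIDs $devices.DeviceId
        }

        # Disable ActiveSync (cached for about 20 minutes), OWA and EWS.
        Set-CASMailbox -Identity $Identity -ActiveSyncEnabled $false `
            -OWAEnabled $false -EwsEnabled $false

        # Prevent the mailbox from sending any messages.
        Set-Mailbox -Identity $Identity -RecipientLimits 0 `
            -IssueWarningQuota 0 -ProhibitSendQuota 0

        # Block cloud sign-in (non-federated IDs). Runs only when the
        # MSOnline module is loaded and connected (assumption).
        if (Get-Command Set-MsolUser -ErrorAction SilentlyContinue) {
            Set-MsolUser -UserPrincipalName $Identity -BlockCredential $true
        }
        else {
            Write-Warning 'Set-MsolUser not available; block sign-in separately.'
        }
    }

    # Return the resulting state so the change can be verified and logged.
    Get-CASMailbox -Identity $Identity |
        Select-Object Name, ActiveSyncEnabled, OWAEnabled, EwsEnabled,
            ActiveSyncBlockedDeviceIDs
}
```

Run it with `-WhatIf` first to confirm the target account before any setting is changed.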
Reporting
Mailbox Audit Logging
• Get the current setting for Admin audit log: Get-AdminAuditLogConfig
Using the Audit Log
• When was a mailbox changed:
Search-AdminAuditLog -Cmdlets set-mailbox -ObjectIds isaiahl
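The same search widened into a change report, as an added example that is not from the original deck. `Get-MailboxChangeReport` is a hypothetical name, and the default cmdlet list and 30-day window are assumptions chosen to cover mailbox settings and permission grants.

```powershell
# Added example (hypothetical helper, not from the original deck).
# Assumes an imported Exchange Online session with Search-AdminAuditLog.
function Get-MailboxChangeReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Mailbox,                 # alias or UPN, e.g. isaiahl
        [int]$Days = 30,                  # look-back window (assumption)
        [string[]]$Cmdlets = @('Set-Mailbox', 'Add-MailboxPermission',
                               'Add-RecipientPermission')
    )

    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    Search-AdminAuditLog -Cmdlets $Cmdlets -ObjectIds $Mailbox `
            -StartDate $start -EndDate $end |
        Sort-Object RunDate |
        ForEach-Object {
            # Flatten the parameter list so each change reads as one line.
            $params = ($_.CmdletParameters |
                ForEach-Object { '-{0} {1}' -f $_.Name, $_.Value }) -join ' '

            [pscustomobject]@{
                When       = $_.RunDate
                Caller     = $_.Caller
                Cmdlet     = $_.CmdletName
                Target     = $_.ObjectModified
                Parameters = $params
                Succeeded  = $_.Succeeded
            }
        }
}
```

Piping the result to `Format-Table -AutoSize` or `Export-Csv` gives a record of who changed the mailbox, when, and with which parameters.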
Thank you
PowerShell Data Types
Objects and Types
• Everything in PowerShell is represented as an OBJECT
What object type is being used
• Get-Member
• Any object can be passed or piped into Get-Member to retrieve type information in addition to
Members list.
• GetType() – All objects have a GetType() method which returns the type.
• The Return value is itself an object representing the type, it has a FullName property
Property Definition
Get-Member
PS C:\> Get-Item C:\Windows\System32\drivers\etc\hosts | Get-Member -Name LastWriteTime
TypeName: System.IO.FileInfo
What object type is being used (cont…)
PowerShell typically picks the object type
PS C:\> (1.6).GetType().FullName
System.Double
PS C:\> (1tb).GetType().FullName
System.Int64
Common Data Types
Alias Full Name Description
Object System.Object Every type in PowerShell is derived from object
Boolean System.Boolean $true and $false
Char System.Char Stores UTF-16-encoded 16-bit Unicode code point
Int System.Int32 -2147483648 to 2147483647
Long System.Int64 -9223372036854775808 to 9223372036854775807
Double System.Double Double-precision floating-point number
String System.String Defines a sequence of characters
Array System.Array One or more dimensions with 0 or more elements
DateTime System.DateTime Stores date and time values
Void System.Void Nothing
Hashtable System.Collections.Hashtable Another kind of collection we learn about later
Type Casting
• You can control object types
• [ Square Brackets ] in front of an object will force that type
• In the brackets use any valid object type name
• Some common types have simpler type aliases
PS C:\> $MyNumber.GetType().FullName
System.Int32
Variables can be Strongly Typed
• Variables are weakly typed by default
• Type cast the variable name during creation to strongly type
• Variable will only hold that type of object
Mailbox Permissions
05 | Permissions
Lesson 1: RBAC • Delegation
• Roles & Role Groups • Mailbox Audit Logging
• Role Entries
Lesson 2: Mailboxes
• Full Access
• Send As
• Send on Behalf Of
Administrator role groups
• List the Default Administrator Role groups
• To see a list of Role groups all you need to do is:
Get-RoleGroup
• If you want to see what a specific Role Group has assigned to it:
• In this example we take a look at the Help Desk role group
Get-RoleGroup "help desk" | fl *role*
Administrator role groups cont.
• Get role entries for assignments
Get-ManagementRole "reset password" | Format-List RoleEntries
Administrator role groups cont.
• Get roles that have a certain cmdlet
Get-ManagementRole | Where-Object {$_.RoleEntries -like "*set-mailbox*"}
Mailbox Permissions
• Get mailbox permissions
Get-MailboxPermission admin@MOD285287.onmicrosoft.com
• Leverage Out-GridView
Get-MailboxPermission admin@MOD285287.onmicrosoft.com | Where-Object `
{$_.AccessRights -like "*FullAccess*"} | Out-GridView
Mailbox Permissions cont.
• Grant “Send on Behalf of” Permissions
Set-Mailbox isaiahl@MOD285287.onmicrosoft.com `
-GrantSendOnBehalfTo admin@MOD285287.onmicrosoft.com