
Exchange Online

Made Easy

Mike O’Neill
Sr. PFE

Microsoft Confidential 3
About you
- Name

- Company Affiliation

- Title/Function/Area of Responsibility

- Product Experience
Agenda
EXO made easy

01 | PowerShell
02 | O365/Exchange Online
03 | Provisioning/Deprovisioning
04 | Reporting
PowerShell
What is PowerShell?

• CLI – Command Line Interface
• ISE – Integrated Scripting Environment
• VSC – Visual Studio Code


What is PowerShell?

CLI - Command Line interface


• Interactive session
• Can be run with elevated permissions
• Useful for ad-hoc & short tasks
What is PowerShell?

ISE – Integrated Scripting Environment

[Screenshot: ISE window showing the PowerShell tabs, Script pane and Console pane]

• Development Tool
• Script Execution
• Graphical Editor
• Debugging
What is PowerShell?

VSC – Visual Studio Code: open source code editor


• Developed by Microsoft for Windows, Linux, and Mac OS
• Cross-platform version of PowerShell & .NET Core
What is a Cmdlet?
Remove-Item -Path C:\Temp -Force

• Command Name: Remove-Item (Verb: Remove, Noun: Item)
• Command Parameters: -Path C:\Temp -Force
  • Parameter Name: -Path
  • Parameter Value: C:\Temp
  • Switch Parameter: -Force
• Native PowerShell command
• Parameters to control Cmdlet behaviour
• Verb-Noun Naming
• Dashes Precede all Parameter Names
• Does not Launch in Separate Process
Escape Character
• Assigns a special interpretation to characters that follow

• Backtick (grave accent)

• ASCII 96

• Useful for long lines of code or in labs/slides when short on space

`
What is a variable?
All scripting languages use placeholders or variables to hold data.
• Variables
• Defined and accessed using a dollar sign prefix ($)
• Holds object or collection of objects
• Variable names can include spaces and special characters
• Not case-sensitive
• Not typed or cast by default
• Can be constant or read only if necessary
• Kinds of variables:
• Automatic (built-in) holding PowerShell state information
• User-defined
What is a pipeline?
The vertical bar ( | ) is the pipe symbol. It tells PowerShell to take the
output of one command and pass it as the input (or pipe it) to the next
command.
• Pipeline
• Series of commands connected by the pipeline character
• Sends output from one command as input to another command (left
to right)
• Passes Objects, not text
• Allows Filtering, Formatting and Outputting
• Cmdlets are designed to be chained together into 'pipelines'
• Data is streamed down the pipeline as objects are being created
Mailbox information - Pipeline
Top 10 mailboxes by size
Get-Mailbox | Get-MailboxStatistics | Sort-Object TotalItemSize `
-Descending | select -First 10 | format-table DisplayName,TotalItemSize, `
ItemCount -AutoSize

Mailbox → Mailbox Statistics → Sort → Select first 10 → Output to table
Discovering PowerShell
Learn the commands below and you can discover everything about
PowerShell
• Get-Command
• Get-Help
• Get-Member
• Show-Command
Office 365/Exchange Online
Connect PowerShell to O365
Prerequisites:
• Membership in the Office 365 Global admin role

• 64-bit versions of Windows:


• Windows 7 SP1, 8.0, 8.1 or Windows 10
• Windows Server 2008 R2, 2012, 2012 R2 or 2016

• .NET Framework 4.5 minimum

• Install modules for the workloads you need to manage: (Script available)


• Microsoft Online Service Sign-in Assistant for IT Professionals RTW
• Windows Azure Active Directory Module for Windows PowerShell (64-bit version)
• SharePoint Online Management Shell
• Skype for Business Online, Windows PowerShell Module

• Set PowerShell execution policy to RemoteSigned (run as Administrator)


Set-ExecutionPolicy RemoteSigned
Connect PowerShell to O365 Cont.
Connect to O365: Create a PS script or function with the following commands

# Prompt once; the same credential object is reused for every service
$credential = Get-Credential

# Azure AD (MSOnline)
Import-Module MsOnline
Connect-MsolService -Credential $credential

# SharePoint Online
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://domainhost-admin.sharepoint.com `
    -Credential $credential

# Skype for Business Online
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $credential
Import-PSSession $sfboSession

# Exchange Online (Basic authentication as shown on the slide; Microsoft has
# since retired it in favour of Connect-ExchangeOnline with modern auth)
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking

# Security & Compliance Center (cmdlets are imported with the "cc" prefix)
$ccSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ `
    -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $ccSession -Prefix cc
Exchange Online Limits

https://technet.microsoft.com/en-us/library/exchange-online-limits.aspx
Modify Mailboxes in bulk
• Exact Matching
Get-Mailbox –Filter {CustomAttribute1 –eq “Congrp1”} | Set-Mailbox `
–CustomAttribute2 “CommonValue”

• Wild Card Matching


Get-Mailbox –Filter {CustomAttribute1 –like “Congrp*”} | Set-Mailbox `
–CustomAttribute3 “WildcardValue”
Modify Mailboxes in bulk cont.
• Set mailbox quota for all users with filtering by 'Title'
$Users = (Get-MsolUser -Title "Engineer").UserPrincipalName

# Set-Mailbox takes one identity at a time, so loop over the list
$Users | ForEach-Object { Set-Mailbox -Identity $_ -IssueWarningQuota 500MB `
    -ProhibitSendQuota 600MB -ProhibitSendReceiveQuota 700MB `
    -UseDatabaseQuotaDefaults $false }

• Compound conditions
Get-Recipient -Filter {Department -eq "Sales" -and RecipientTypeDetails `
    -eq "UserMailbox"} | Set-Mailbox -CustomAttribute4 "SalesMbxs"

Get-Recipient -Filter {Office -eq "Seattle"} `
    -RecipientTypeDetails UserMailbox | Set-Mailbox -CustomAttribute5 "SeattleMbx"
Mailbox Details
List of settings to view a mailbox
Calendar Notification Calendar Processing
Inbox Rules Mailbox Auto Reply configuration

Mailbox Calendar Configuration Mailbox Calendar Folder


Mailbox Junk Email Configuration Mailbox Messaging Configuration

Mailbox Regional Configuration Mailbox Spelling Configuration


Message Category Send Address
Text Messaging Account Hotmail Subscription
Imap Subscription Pop Subscription
General Subscriptions
Mailbox Access
List of cmdlets that can modify mailbox

Set-CalendarProcessing Set-InboxRule
Set-MailboxAutoReplyConfiguration Set-MailboxCalendarConfiguration

Set-MailboxCalendarFolder Set-MailboxJunkEmailConfiguration

Set-MailboxMessageConfiguration Set-MailboxRegionalConfiguration

Set-MailboxSpellingConfiguration Set-HotmailSubscription

Set-ImapSubscription Set-PopSubscription
Filtering data by selected attribute
Get mailboxes where ‘City’ is Seattle

Which option is correct for getting the right result?

1) Get-Mailbox | Where {$_.City -eq 'Seattle'}
2) Get-Mailbox -Filter {City -eq 'Seattle'}
3) (Get-MsolUser -City 'Seattle').UserPrincipalName | Get-Mailbox

Hint: Which object type includes the property that is being used in the filter?

Secondary possible answer… Why use a variable here?


$mbx = (get-MSOLuser –city seattle).userprincipalname
$mbx | get-mailbox
Filtering data by selected attribute cont.
Specific properties for 'Filter' parameter for Get-User and Get-Mailbox

• Get-User: FirstName, LastName, Manager, Title, City, Company
• Get-Mailbox: Alias, PrimarySmtpAddress, CustomAttribute1, ForwardingAddress, MaxReceiveSize, IsShared

'City' is not allowed for filtering in Get-Mailbox


Archive Mailboxes
Archives can be accessed via OWA and Outlook, but not ActiveSync connected apps or
devices…yet

Enable a user for Archiving


Get-Mailbox <username> | Enable-Mailbox -Archive

Set for group of users


Get-Recipient –Filter {Department –eq “Sales” `
–and RecipientTypeDetails –eq “UserMailbox”}| Enable-Mailbox `
–archive

Disabling archive mailbox


Get-Mailbox <username> | Disable-Mailbox –Archive
Mailbox Modifications cont.
User is having issue with OOF
Review settings
Get-MailboxAutoReplyConfiguration <username>
Provisioning/Deprovisioning
Provisioning users
• Assign licenses to users by group membership in Azure Active Directory
• Sign in to the Azure portal; the account must hold the global administrator or user account administrator role
• Select More services, and then select Azure Active Directory
• On the Azure Active Directory blade, select Licenses
• Under All products, select desired licenses
• On the Assign license blade, click Users and group, search for the group and select it
• On the Assign license blade, click Assignment options (optional), and select the options desired
• To complete the assignment, on the Assign license blade, click Assign at the bottom of the blade.
• A notification is displayed in the upper-right corner that shows the status and outcome of the process. If the assignment to the group couldn't be completed (for example, because of pre-existing licenses in the group), click the notification to view details of the failure
Deprovision users
• Disabled Accounts and ActiveSync Devices Continuing to Sync

• A user who has left the organization or changed the password might continue to access mail through EAS
for up to a 24-hour period (with old credentials)
• This is known behavior from the on-premises Exchange product
Cause: Cached credential tokens are held on the servers and are supposed to expire in 15 minutes, but only
if left untouched within that time. These caches are kept alive by the constant pinging of EAS (Direct
Push) clients, which keeps the session connected. The life span of such tokens is 24 hours
• This happens only for existing profiles; new profiles will not have access
Deprovision users
• What actions to take?
• Trigger a remote wipe
• Block known EAS devices: Set-CASMailbox <user> -ActiveSyncBlockedDeviceIDs "<DeviceID_1>","<2>",..
(checked constantly)
• Disable ActiveSync: Set-CASMailbox -Identity <user> -ActiveSyncEnabled $false (cached for
approximately 20 minutes)
• Disable Webservices: Set-CASMailbox -Identity <user> -OWAEnabled $false -EwsEnabled $false
• Prevent sending of any messages: Set-Mailbox -Identity <user> -RecipientLimits 0
-IssueWarningQuota 0 -ProhibitSendQuota 0
• Disable AD DS user object > DirSync > Set Sign-in status: Blocked (in cloud, for non-federated IDs)

• Office 365 Team is aware of this issue, and this might get fixed in the future
Deprovision users
‘Aggressive termination script’
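The deck names this script but does not include it. The function below is an added example, not the presenter's script, that chains the actions listed on the previous slide in an order that closes new sign-ins first and cached EAS sessions next. It assumes an Exchange Online session and Connect-MsolService are already established; the name Disable-DepartedUser is hypothetical, and the quota and limit values are the ones given on the slide.

```powershell
function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName,

        # Remote wipe erases the device, so it must be requested explicitly
        [switch]$WipeDevices
    )

    $done = New-Object System.Collections.Generic.List[string]

    # 1. Block cloud sign-in so no new session can be opened
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Block sign-in')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -BlockCredential $true
        $done.Add('SignInBlocked')
    }

    # 2. Find the EAS partnerships whose Direct Push pings keep tokens cached
    $devices   = @(Get-MobileDevice -Mailbox $UserPrincipalName)
    $deviceIds = @($devices | ForEach-Object { $_.DeviceId })

    # 3. Cut client access: blocked device IDs are checked constantly, while
    #    the ActiveSyncEnabled flag is cached for about 20 minutes
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable EAS, OWA and EWS')) {
        $cas = @{
            Identity          = $UserPrincipalName
            ActiveSyncEnabled = $false
            OWAEnabled        = $false
            EwsEnabled        = $false
        }
        if ($deviceIds.Count -gt 0) { $cas['ActiveSyncBlockedDeviceIDs'] = $deviceIds }
        Set-CASMailbox @cas
        $done.Add('ClientAccessDisabled')
    }

    # 4. Stop outbound mail from any session that is still alive
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Prevent sending')) {
        Set-Mailbox -Identity $UserPrincipalName -RecipientLimits 0 `
            -IssueWarningQuota 0 -ProhibitSendQuota 0
        $done.Add('SendingBlocked')
    }

    # 5. Optional remote wipe of every known device
    if ($WipeDevices) {
        foreach ($d in $devices) {
            if ($PSCmdlet.ShouldProcess($d.DeviceId, 'Remote wipe')) {
                Clear-MobileDevice -Identity $d.Identity -Confirm:$false
                $done.Add("WipeRequested:$($d.DeviceId)")
            }
        }
    }

    # Summary object for the offboarding ticket or audit trail
    [pscustomobject]@{
        User           = $UserPrincipalName
        BlockedDevices = $deviceIds
        Actions        = $done.ToArray()
    }
}

# Dry run first, then apply (user@contoso.com is a placeholder):
# Disable-DepartedUser -UserPrincipalName user@contoso.com -WhatIf
# Disable-DepartedUser -UserPrincipalName user@contoso.com -Confirm:$false
```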
Reporting
Mailbox Audit Logging
• Get the current setting for Admin audit log: Get-AdminAuditLogConfig
Using the Audit Log
• When was a mailbox changed:
Search-AdminAuditLog -Cmdlets Set-Mailbox -ObjectIds isaiahl

• Narrow down by a date range:
Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate 1/1/2017 -EndDate 5/1/2017 `
    -ObjectIds isaiahl

• E-mail the log:
New-AdminAuditLogSearch -Cmdlets Set-Mailbox -StartDate 1/1/2017 -EndDate 5/1/2017 `
    -ObjectIds isaiahl -StatusMailRecipients admin@MOD285287.onmicrosoft.com
Mailbox audit logging
• Mailbox audit logging for the owner is not enabled by default
• Auditing settings by default:
• For Admin:
o Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, and
Create
• For Delegate:
o Update, SoftDelete, HardDelete, SendAs, Create

• Where are the settings?


Get-Mailbox UserName | fl *audit*
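
One way to turn the `*audit*` properties into a coverage report, as an added example that is not part of the original deck: it compares each mailbox's audit settings against the default admin and delegate action lists quoted above and flags mailboxes with no owner auditing. The function name Get-MailboxAuditGap and the two sample mailbox objects are constructed for illustration, so the block runs without a tenant.

```powershell
# Default action lists as stated on the slide
$DefaultAdmin    = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete',
                   'FolderBind','SendAs','SendOnBehalf','Create'
$DefaultDelegate = 'Update','SoftDelete','HardDelete','SendAs','Create'

function Get-MailboxAuditGap {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$Mailbox)
    process {
        # Normalise to string arrays; the Where-Object drops $null so an unset
        # property becomes an empty list instead of a one-element list
        $admin    = @($Mailbox.AuditAdmin    | Where-Object { $_ } | ForEach-Object { "$_" })
        $delegate = @($Mailbox.AuditDelegate | Where-Object { $_ } | ForEach-Object { "$_" })
        $owner    = @($Mailbox.AuditOwner    | Where-Object { $_ } | ForEach-Object { "$_" })

        [pscustomobject]@{
            Mailbox         = $Mailbox.UserPrincipalName
            AuditEnabled    = [bool]$Mailbox.AuditEnabled
            MissingAdmin    = @($DefaultAdmin    | Where-Object { $_ -notin $admin })
            MissingDelegate = @($DefaultDelegate | Where-Object { $_ -notin $delegate })
            OwnerAudited    = ($owner.Count -gt 0)
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.example'; AuditEnabled = $true
        AuditAdmin = $DefaultAdmin; AuditDelegate = $DefaultDelegate; AuditOwner = @()
    },
    [pscustomobject]@{
        UserPrincipalName = 'bob@contoso.example'; AuditEnabled = $false
        AuditAdmin = @('Update','SendAs'); AuditDelegate = @(); AuditOwner = @('MailboxLogin')
    }
)
$sample | Get-MailboxAuditGap | Format-List

# Against a live tenant (requires an Exchange Online session):
# Get-Mailbox -ResultSize Unlimited | Get-MailboxAuditGap |
#     Where-Object { -not $_.AuditEnabled -or $_.MissingAdmin -or -not $_.OwnerAudited }
# Close a gap for one mailbox:
# Set-Mailbox -Identity <user> -AuditEnabled $true -AuditOwner MailboxLogin,HardDelete,SoftDelete
```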
Message Trace
Get mail messages from user John with a date range
Get-MessageTrace -SenderAddress john@contoso.com `
-StartDate 06/13/2017 -EndDate 06/15/2017

Obtain more detailed information with pipeline


Get-MessageTrace -Id 2bbad36aa4674c7ba82f4b307fff549f `
-SenderAddress john@contoso.com -StartDate 06/13/2017 `
-EndDate 06/15/2017 | Get-MessageTraceDetail
Message Trace cont.
Trace messages with recipients like and not like a domain

All messages with recipients like a domain

# Get-MessageTrace output exposes Received, SenderAddress, RecipientAddress and Subject
Get-MessageTrace -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) | `
Where-Object {$_.RecipientAddress -like "*@contoso.com"} | `
Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, `
MessageTraceId | Export-Csv `
"\\someserver\someshare\ExchangeLogResults_ToUsersOfContoso$(Get-Date -f dd-MM-yyyy)services.csv"

All messages with recipients not like a domain

Get-MessageTrace -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) | `
Where-Object {$_.RecipientAddress -notlike "*@contoso.com"} | `
Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, `
MessageTraceId | Export-Csv `
C:\temp\ExchangeLogResults_ToUsersNotOfContoso.csv
Message Trace cont.
Trace messages with senders like and not like a domain

All messages with senders like a domain

# Get-MessageTrace output exposes Received, SenderAddress, RecipientAddress and Subject
Get-MessageTrace -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) | `
Where-Object {$_.SenderAddress -like "*@Contoso.com"} | Select-Object `
Received, SenderAddress, RecipientAddress, Subject, Status, `
MessageTraceId | Export-Csv C:\ExchangeLogResults_SentFromContoso.csv

All messages with senders not like a domain

Get-MessageTrace -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) | `
Where-Object {$_.SenderAddress -notlike "*@contoso.com"} | Select-Object `
Received, SenderAddress, RecipientAddress, Subject, Status, `
MessageTraceId | Export-Csv C:\ExchangeLogResults_NotSentFromContoso.csv
Q&A
Exchange Online
Made Easy

Thank you
PowerShell Data Types
Objects and Types
• Everything in PowerShell is represented as an OBJECT

• OBJECTS have data fields (PROPERTIES) and procedures (METHODS)

• PROPERTIES and METHODS are collectively known as MEMBERS

• An OBJECT is an INSTANCE of a TYPE

• A TYPE represents a construct that defines a template of MEMBERS

What object type is being used
• Get-Member
• Any object can be passed or piped into Get-Member to retrieve type information in addition to
the Members list.
• GetType() – All objects have a "GetType" method which returns the type.
• The return value is itself an object representing the type; it has a FullName property

GetType
PS C:\> ("").GetType().FullName
System.String

Get-Member
PS C:\> "" | Get-Member

   TypeName: System.String

Name MemberType Definition
---- ---------- ----------
Get-Member Definitions
Property Definition
PS C:\> Get-Item C:\Windows\System32\drivers\etc\hosts | Get-Member -Name LastWriteTime

   TypeName: System.IO.FileInfo

Name          MemberType Definition
----          ---------- ----------
LastWriteTime Property   datetime LastWriteTime {get;set;}

This Property is a [datetime] type. This Property can be get OR set.

PS C:\> $file = Get-Item C:\Windows\System32\drivers\etc\hosts
PS C:\> $file.LastWriteTime
PS C:\> Get-Item C:\Windows\System32\drivers\etc\hosts

    Directory: C:\Windows\System32\Drivers\etc

Mode LastWriteTime Length Name
---- ------------- ------ ----
Get-Member Definitions
Method Definition
PS C:\> Get-Item C:\Windows\notepad.exe | Get-Member -Name CopyTo

   TypeName: System.IO.FileInfo

Name   MemberType Definition
----   ---------- ----------
CopyTo Method     System.IO.FileInfo CopyTo(string destFileName),
                  System.IO.FileInfo CopyTo(string destFileName, bool overwrite)

• Two Parameter Sets
• This Method RETURNS a System.IO.FileInfo, which is the newly copied file.
• This Parameter Set takes TWO arguments separated by a comma.

PS C:\> $file = Get-Item C:\Windows\notepad.exe
PS C:\> $file.CopyTo("C:\Temp\notepad.exe", $True)

Mode LastWriteTime Length Name
What object type is being used (cont…)
PowerShell typically picks object type

Examples of PowerShell choosing appropriate Type


PS C:\> (1024).GetType().FullName
System.Int32

PS C:\> (1.6).GetType().FullName
System.Double

PS C:\> (1tb).GetType().FullName
System.Int64

Common Data Types
Alias      Full Name                     Description
Object     System.Object                 Every type in PowerShell is derived from object
Boolean    System.Boolean                $true and $false
Char       System.Char                   Stores UTF-16-encoded 16-bit Unicode code point
Int        System.Int32                  -2147483648 to 2147483647
Long       System.Int64                  -9223372036854775808 to 9223372036854775807
Double     System.Double                 Double-precision floating-point number
String     System.String                 Defines a sequence of characters
Array      System.Array                  One or more dimensions with 0 or more elements
DateTime   System.DateTime               Stores date and time values
Void       System.Void                   Nothing
Hashtable  System.Collections.Hashtable  Another kind of collection we learn about later
Type Casting
• You can control object types
• [ Square Brackets ] in front of an object will force that type
• In the brackets use any valid object type name
• Some common types have simpler type aliases

Examples of Type Casting


PS C:\> [system.int32]1.6
2

PS C:\> $MyNumber = [int]"000123"


PS C:\> $MyNumber
123

PS C:\> $MyNumber.GetType().FullName
System.Int32

Variables can be Strongly Typed
• Variables are weakly typed by default
• Type cast the variable name during creation to strongly type
• Variable will only hold that type of object

Weakly Typed Variable
PS C:\> $var1 = 1.3
PS C:\> $var1
1.3
PS C:\> $var1 = "Fred"
PS C:\> $var1
Fred

Strongly Typed Variable
PS C:\> [int]$var1 = 1.3
PS C:\> $var1
1
PS C:\> $var1 = 1.2
PS C:\> $var1
1
Mailbox Permissions
05 | Permissions
Lesson 1: RBAC • Delegation
• Roles & Role Groups • Mailbox Audit Logging
• Role Entries

Lesson 2: Mailboxes
• Full Access
• Send As
• Send on Behalf Of

Administrator role groups
• List the Default Administrator Role groups
• To see a list of Role groups all you need to do is:
Get-RoleGroup
• If you want to see what a specific Role Group has assigned to it:
• In this example we take a look at the Help Desk role group
Get-RoleGroup "help desk" | fl *role*
Administrator role groups cont.
• Get role entries for assignments
Get-ManagementRole “reset password” | Format-List RoleEntries
Administrator role groups cont.
• Get roles that have a certain cmdlet
Get-ManagementRole | Where-Object {$_.RoleEntries -like "*set-mailbox*"}
Mailbox Permissions
• Get mailbox permissions
Get-MailboxPermission admin@MOD285287.onmicrosoft.com

• View users with FullAccess to this mailbox


Get-MailboxPermission admin@MOD285287.onmicrosoft.com | Where-Object `
{$_.AccessRights –like “*FullAccess*”}

• Leverage Out-GridView
Get-MailboxPermission admin@MOD285287.onmicrosoft.com | Where-Object `
{$_.AccessRights –like “*FullAccess*”} | Out-GridView
Mailbox Permissions cont.
• Grant “Send on Behalf of” Permissions
Set-Mailbox isaiahl@MOD285287.onmicrosoft.com `
-GrantSendOnBehalfTo admin@MOD285287.onmicrosoft.com

• Revoke “Send on Behalf of” Permissions


Set-Mailbox isaiahl@MOD285287.onmicrosoft.com `
-GrantSendOnBehalfTo @{remove="admin@MOD285287.onmicrosoft.com"}
Mailbox Permissions cont.
• Add mailbox permissions
Add-MailboxPermission -Identity admin@MOD285287.onmicrosoft.com -User TestUser2 `
-AccessRights fullaccess

• Remove mailbox permissions


Remove-MailboxPermission -Identity admin@MOD285287.onmicrosoft.com -User TestUser2 `
-AccessRights fullaccess

• Custom view SendAs permissions for a user


Get-Mailbox | Get-recipientPermission | where {($_.accessRights `
-like "*SendAS*") -and -not ($_.trustee -eq "NT Authority\Self")} | `
ft -AutoSize
Mailbox Permissions cont.
• View SendAs permissions for a user
Get-RecipientPermission isaiahl@MOD285287.onmicrosoft.com

• Add send as permissions for a user


Add-RecipientPermission isaiahl@MOD285287.onmicrosoft.com `
-Trustee admin@MOD285287.onmicrosoft.com -AccessRights SendAs

• Remove send as permissions from a user


Remove-RecipientPermission isaiahl@MOD285287.onmicrosoft.com `
-Trustee admin@MOD285287.onmicrosoft.com -AccessRights SendAs
Mailbox Permissions cont.
• Add mailbox folder permissions
# Add- creates a new entry; Set-MailboxFolderPermission changes an existing one
Add-MailboxFolderPermission -Identity admin@MOD285287.onmicrosoft.com:\Projects `
    -User Ed@MOD285287.onmicrosoft.com -AccessRights Editor

• Remove mailbox folder permissions
# Remove- takes no -AccessRights; it removes the user's whole entry on the folder
Remove-MailboxFolderPermission -Identity admin@MOD285287.onmicrosoft.com:\Projects `
    -User Ed@MOD285287.onmicrosoft.com

• View folder level permissions on a mailbox
# Get- takes no -AccessRights; the rights are returned in the output
Get-MailboxFolderPermission -Identity admin@MOD285287.onmicrosoft.com:\Projects `
    -User Ed@MOD285287.onmicrosoft.com
Mailbox Permissions cont.
The following individual permissions are available:
•CreateItems   The user can create items in the specified folder.
•CreateSubfolders   The user can create subfolders in the specified folder.
•DeleteAllItems   The user can delete all items in the specified folder.
•DeleteOwnedItems   The user can only delete items that they created from the specified folder.
•EditAllItems   The user can edit all items in the specified folder.
•EditOwnedItems   The user can only edit items that they created in the specified folder.
•FolderContact   The user is the contact for the specified public folder.
•FolderOwner   The user is the owner of the specified folder. The user can view the folder, move the
folder, and create subfolders. The user can't read items, edit items, delete items, or create
items.
•FolderVisible   The user can view the specified folder, but can't read or edit items within the specified
public folder.
•ReadItems   The user can read items within the specified folder.
Mailbox Permissions cont.
The roles that are available, along with the permissions that they assign, are described in the
following list:
•Author   CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
•Contributor   CreateItems, FolderVisible
•Editor   CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible,
ReadItems
•None   FolderVisible
•NonEditingAuthor   CreateItems, FolderVisible, ReadItems
•Owner   CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems,
EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
•PublishingEditor   CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems,
EditOwnedItems, FolderVisible, ReadItems
•PublishingAuthor   CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible,
ReadItems
•Reviewer   FolderVisible, ReadItems
The following roles apply specifically to calendar folders:
•AvailabilityOnly   View only availability data
•LimitedDetails   View availability data with subject and location
