Exchange Online
Exchange Online is one of the most commonly used services in Microsoft 365. You can use PowerShell cmdlets to efficiently manage bulk operations and perform tasks that aren't possible through the web-based administrative interface. You can be a better administrator if you're adept at managing Exchange Online with PowerShell.
Connection
Exchange Online PowerShell is the module that you can use to manage mail-related objects in Exchange Online, such as mailboxes, contacts, and distribution. Some of the information that you can review and manage by using Exchange Online PowerShell, such as email addresses, you can also review in the properties of user objects with AzureAD cmdlets. However, you can only manage mail-related properties by using Exchange Online PowerShell.
The EXO v2 module includes all of the original cmdlets for managing Exchange Online, and several additional cmdlets that include EXO in the cmdlet name. These EXO cmdlets, such as Get-EXOMailbox, are more efficient than the original cmdlets.
Installing the EXO v2 module
The EXO v2 module is supported in Windows PowerShell 5.1 and PowerShell 7. Because it's supported in PowerShell 7, it's considered multiplatform. You can use the EXO v2 module in Windows, macOS, and Linux.
To install the EXO v2 module, run the following command:
Install-Module -Name ExchangeOnlineManagement
Preparing to connect
To use the EXO v2 module, you need to allow scripts. You can set the execution policy to RemoteSigned or Unrestricted. If you don't allow scripts, you'll notice the error Files cannot be loaded because running scripts is disabled on this system.
You also need to allow basic authentication for the WinRM client. This is enabled by default in Windows 10, but some organizations have disabled basic authentication for WinRM as part of security hardening. If Basic authentication isn't enabled, you'll notice the error The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration.
To review the authentication configuration for the Windows Remote Management (WinRM) client, run the following command:
winrm get winrm/config/client/auth
# To enable basic authentication for the WinRM client
winrm set winrm/config/client/auth '@{Basic="true"}'
If you run this command from a command prompt instead of a PowerShell prompt, don't include the single quotes around @{Basic="true"}.
Even though you need to enable Basic authentication in the WinRM client, the EXO v2 module authenticates to Exchange Online by using Modern authentication. In some rare cases, Modern authentication might not be enabled for Exchange Online and you'll need to enable it.
All Exchange Online deployments should be using Modern authentication. This is because it has significant security enhancements over Basic authentication.
Connecting to Exchange Online
You can connect to Exchange Online by using the Connect-ExchangeOnline cmdlet with no additional parameters. When you connect to Exchange Online, you're prompted for a username and password to sign in. You need to sign in with a user account that has sufficient privileges to complete the actions you want to perform. You might also be prompted for multifactor authentication.
If you're behind a proxy server, you might need to provide proxy options as part of connecting. To do this, provide a PSSessionOption object the proxy configuration information. The following example depicts how to create a new PSSessionOption object and then use it when connecting to Exchange Online:
$ProxyOptions = New-PSSessionOption -ProxyAccessType IEConfig
Connect-ExchangeOnline -PsSessionOption $ProxyOptions
Manage mailboxes
Mailboxes are created automatically for users who are assigned a license that includes an Exchange Online service plan. As such, there's no need to manually create mailboxes for users. Mailboxes are also deleted automatically when the license is removed or the Exchange Online service plan is disabled.
You can also create specialized mailboxes such as:
- Room mailboxes. These are scheduled when you book meetings.
- Equipment mailboxes. These are scheduled to help ensure that users have access to equipment such as cars or portable display units.
- Shared mailboxes. These are used for generic email addresses, such as info@adatum.com, where multiple users need access to the mailbox and respond to the messages.
Creating mailboxes
When you use the New-Mailbox cmdlet to create a mailbox, it creates a user account at the same time. For resource mailboxes and shared mailboxes, the user account is disabled and doesn't require a license.
When you create one of these mailboxes, you only need to indicate which type of mailbox you're creating and the name of the mailbox. The following example creates a room mailbox:
New-Mailbox -Room -Name BoardRoom
After creating a resource or shared mailbox, you still need configured permissions. By default, no one has access to those mailboxes. Configuring permissions is covered later in this unit. Configuring calendar booking for resources is covered in the next unit, Managing resources in Exchange Online.
Modifying mailboxes
To modify a mailbox's configuration, you use the Set-Mailbox cmdlet. There are some mailbox properties that you can configure using Set-Mailbox, which you can't configure using the web-based administrative tool. When you review the help information for Set-Mailbox, pay careful attention to the parameter descriptions. Some parameters aren't available for managing mailboxes in Exchange Online.
| Parameter | Description |
|---|---|
| -AuditDelegate | Specifies actions on a mailbox that are audited when a delegate performs them, such as SendOnBehalf or UpdateInboxRules. |
| -AuditEnabled | Turns on auditing for a mailbox. This is disabled by default. |
| -AuditOwner | Specifies actions on a mailbox that are audited when the user performs them, such as SendOnBehalf or UpdateInboxRules. |
| -DeliverToMailboxAndForward | When a forwarding SMTP address is configured and this parameter is $true, this parameter configures the mailbox to both retain and forward a copy of the messages. |
| -EmailAddresses | Configures email addresses for a mailbox. The email addresses are stored as an array and typically start with smtp:. The primary email address will have the prefix capitalized as SMTP:. |
| -ForwardingSmtpAddress | Specifies an SMTP address for forwarding. To stop forwarding messages, set this value to $null. |
| -GroupMailbox | Required to modify the mailbox associated with a Microsoft 365 group. |
| -HiddenFromAddressListsEnabled | Specifies whether the mailbox is available in address lists. |
| -MailboxRegion | Specifies the geographic region in which the mailbox should be stored. Used by organizations with a worldwide presence. |
| -Type | Changes the type of mailbox. Specifies whether a mailbox is regular or used for a special purpose. Special-purpose mailboxes include both shared and resource mailboxes. |
The following syntax configures forwarding on a mailbox:
Set-Mailbox AbbieP@adatum.com -ForwardingSmtpAddress DoraM@adatum.com -DeliverToMailboxAndForward $true
Querying mailboxes in Exchange Online
To query a list of mailboxes, you can use the Get-Mailbox or Get-EXOMailbox cmdlets. The primary difference between them is how the data is returned. The Get-Mailbox cmdlet returns all properties for the mailboxes. The Get-EXOMailbox cmdlet returns only a small set of properties, although you can specify additional properties. This makes Get-EXOMailbox much more efficient when working with large data sets.
To obtain additional properties when using the Get-EXOMailbox cmdlet, you can use either the -Properties parameter or the -PropertySets parameter. When using the -Properties parameter, you provide a list of properties to return. When you use the -PropertySets parameter, you provide a list of predefined property groups that pertain to a specific category. Some property sets that you can specify are:
All Minimum (default value) Audit Delivery Moderation Resource Both cmdlets support using the -Filter parameter to select mailboxes matching specific criteria. There are also additional specific parameters that you can use. The following table list some parameters that are available for both cmdlets.
| Parameter | Description |
|---|---|
| -Archive | Returns mailboxes with an archive enabled. |
| -GroupMailbox | Returns only mailboxes associated with Microsoft 365 groups. |
| -Identity | Identifies a specific mailbox to return properties for. |
| -RecipientTypeDetails | Returns mailboxes of a specific type such as UserMailbox, TeamMailbox, or RoomMailbox. |
| -SoftDeletedMailbox | Returns soft-deleted mailboxes that are still available for recovery. |
The following syntax queries all of the room mailboxes and returns resource-related properties:
Get-EXOMailbox -RecipientTypeDetails RoomMailbox -PropertySets Resource
Managing mailbox permissions
You can configure permissions to provide users with access to other mailboxes or individual folders within a mailbox. For example, you might want to give users full mailbox permission to a shared mailbox. Or you might want to change the default permissions assigned to the Calendar folder of a specific user mailbox. The following table lists cmdlets that you can use to manage mailbox and mailbox folder permissions.
| Cmdlet | Description |
|---|---|
| Add-MailboxPermission | Adds permissions for a user to a mailbox. |
| Get-MailboxPermission | Lists user permissions that are assigned to a mailbox. |
| Remove-MailboxPermission | Removes a user's permissions assignment from a mailbox. |
| Get-EXOMailboxPermission | Lists user permissions that are assigned to a mailbox. |
| Add-MailboxFolderPermission | Adds permissions for a user to a folder in a mailbox. |
| Get-MailboxFolderPermission | Lists user permissions that are assigned to a folder in a mailbox. |
| Remove-MailboxFolderPermission | Removes a user's permissions assignment from a folder in a mailbox. |
| Set-MailboxFolderPermission | Sets permissions on a folder in a mailbox and overwrites all exiting permissions. |
| Get-EXOMailboxFolderPermission | Lists user permissions that are assigned to folder in a mailbox. |
The following example assigns full mailbox permissions for a user to the Info shared mailbox:
Add-MailboxPermission -Identity Info -User AbbieP@adatum.com -AccessRights FullAccess -InheritanceType All
Resource Mailboxes
Room and equipment mailboxes are known as resource mailboxes. The primary purpose of resource mailboxes is to allow bookings and ensure that the resource isn't scheduled for multiple events or users simultaneously. You configure the scheduling process for resource mailboxes by using the Set-CalendarProcessing cmdlet. You can use the Get-CalendarProcessing cmdlet to review the current configuration.
Delegates
One of the options for managing resource scheduling is delegates. Delegates are users that can accept or reject booking attempts for the resource. For example, if a room resource is included in a meeting request, the delegate receives a message asking to allow or deny the request. The following example depicts a user being configured as a delegate for a room mailbox:
Set-CalendarProcessing -Identity BoardRoom -ResourceDelegates AbbieP@adatum.com
Automated booking Most organizations want to automate the resource booking process so that delegates only need to mediate conflicts. The -AutomateProcessing parameter set to AutoAccept is used to indicate that booking should be automated. However, there are other parameters that you can use to define when automated booking is allowed. The following table lists parameters that you can use to control automated resource booking.
| Parameter | Description |
|---|---|
| -AllBookInPolicy | When set to $true, requests that meet booking rules are automatically accepted. |
| -AllowConflicts | When a resource is booked for a recurring meeting request, you can define whether the entire recurring series is declined whenever there are conflicts. You use this parameter with the -ConflictPercentageAllowed or -MaximumConflictInstances parameters. |
| -AllRequestInPolicy | When set to $true, all users are allowed to submit requests that meet the rules. The default configuration is $false. |
| -AllRequestOutOfPolicy | When set to $true, all users are allowed to submit requests that don't meet the rules. The default configuration is $false. |
| -AutomateProcessing | The default value of AutoAccept allows requests to be accepted automatically. A value of AutoUpdate marks requests as tentative and require a delegate to approve them. A value of None means no action is taken until a delegate approves or denies the request. |
| -BookInPolicy | Specifies users or groups for which bookings that meet the rules are automatically accepted. |
| -EnforceCapacity | When enabled, the capacity configured for the room is enforced. |
| -MaximumDurationInMinutes | Specifies the maximum allowed duration for meetings. |
| -RequestInPolicy | Specifies users or group that can submit requests that meet the booking rules. |
| -RequestOutOfPolicy | Specifies users or group that can submit requests that don't meet the booking rules. |
| -ScheduleOnlyDuringWorkHours | When enabled, requests outside of work hours don't meet the booking rules. |
Admin Roles
Just as there are varying roles that you can use to control management permissions for Microsoft 365, there are roles in Exchange Online as well. In Exchange Online, the preconfigured management roles are referred to a role group, because a group has been assigned the permissions. The following table lists some of the default role groups.
Table 1: Role groups in Exchange Online
| Role group | Description |
|---|---|
| Organization Management | Performs all Exchange Online management tasks. |
| Recipient Management | Manages recipients such as mailboxes and distribution groups. |
| View-only Management | Reviews the configuration of all Exchange Online components but doesn't modify them. |
| Records Management | Manages retention, journaling, and transport rules. |
| Discovery Management | Manages legal holds and mailbox searches. |
You can review information about role groups by using the Get-RoleGroup cmdlet. You can modify membership in role groups by using the Add-RoleGroupMember and Remove-RoleGroupMember cmdlets. The following example depicts how to add a user to the Recipient Management role group:
Add-RoleGroupMember -Identity "Recipient Management" -Member AbbieP@adatum.com
The default roles groups are sufficient for many organizations. However, you can create customized role groups that allow you to define granular permissions, down to specific cmdlets that users are allowed to run. You can also define scopes that control which users or groups that administrators are allowed to manage.
Takeaways
- Some of the information that you can review and manage by using Exchange Online PowerShell, such as email addresses, you can also review in the properties of user objects with AzureAD cmdlets. However, you can manage mail-related properties only by using Exchange Online PowerShell.
- Mailboxes are created automatically for users who are assigned a license that includes an Exchange Online service plan. One can also create specialized mailboxes such as room mailboxes, equipment mailboxes, and shared mailboxes.
- Room and equipment mailboxes are known as resource mailboxes. There are cmdlets that you can run to configure the scheduling process for resource mailboxes and review the current configuration.
- In Exchange Online, the preconfigured management roles are referred to as a role group, because a group has been assigned the permissions. There are default role groups that are sufficient for many organizations. However, you can create customized role groups that allow you to define granular permissions, down to specific cmdlets that users are allowed to run.