Controlling resource delegates for User mailboxes

I can swear I’ve blogged about this already, but I cannot seem to find it, so here we go again.

Configuring resource delegates via PowerShell is no longer possible for User mailboxes in Exchange Online. The –ResourceDelegates parameter of the Set-CalendarProcessing cmdlet designates recipients to which calendar requests will be forwarded, in scenarios where you have chosen to delegate calendar access. In Outlook, you can do this by accessing the Delegate Access dialog, adding a user and select the “Delegate receives copies of meeting-related messages sent to me” checkbox.

Previously, it was possible to control these settings via PowerShell as well, but if you try to use the Set-CalendarProcessing cmdlet now to add/remove resource delegates, you will run into the following error:

Set-CalendarProcessing vasil -ResourceDelegates pesho
ResourceDelegates can only be enabled on resource mailboxes.
+ CategoryInfo          : InvalidData: (vasil:ADObjectId) [Set-CalendarProcessing], ResourceOnlyException
+ FullyQualifiedErrorId : [Server=AM5PR03MB3027,RequestId=68f34b77-37b3-4783-830e-e78186874768,TimeStamp=5/18/2017 3:30:02 PM] [FailureCategory=Cmdlet-ResourceOnlyException] 5491BFF2,Microsoft.Exchange.Management.StoreTasks.SetCalendarProcessing
+ PSComputerName        : outlook.office365.com

If you need to control these settings, you will have to use Outlook or EWS-based script.

As to when this change occurred, I’m pretty sure it was around the time I blogged about a similar change with the –AddNewRequestsTentatively parameter.

Posted in Exchange Online, Office 365, PowerShell | Leave a comment

Accessing Supervisory mailboxes in Outlook

The new, improved Supervision feature in Office 365 was made available a week ago. If differs from the old version is several key areas, but the idea is the same – it gives you the ability to monitor some percentage (or all) of employee communication. Details on how to setup the feature can be found for example here: https://support.office.com/en-us/article/Configure-supervision-policies-for-your-organization-d14ae7c3-fcb0-4a03-967b-cbed861bb086

As you might know already from the documentation, the new version relies on SupervisoryReview mailboxes to store the messages for review. The actual recipient type is SupervisoryReviewPolicyMailbox, however knowing this will not help you a lot, as the mailboxes are well hidden in both the UI and PowerShell. The only method you can use to get the name of the mailbox is via the Get-SupervisoryReviewPolicyV2, for example:

Get-CSupervisoryReviewPolicyV2 | select Name,ReviewMailbox

Name ReviewMailbox
---- -------------
Supervision SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com

Now, when it comes to actually accessing the mailbox, things should be taken care of thanks to the Supervisory Review add-in that is automatically installed for users designated as Reviewers.

The add-in will make sure that the Supervisory Review mailbox is added as additional mailbox in OWA and exposes the relevant actions as well. When it comes to accessing the Supervisory mailbox in Outlook though, things are a bit trickier. Microsoft has published an article detailing how you can add the mailbox in Outlook, however if you follow the steps there you will find out that the process does not actually work.

The thing is, the steps in the article details the process of adding a mailbox as additional account in Outlook. In order to do this, you must have Full Access permissions on said mailbox, which is not the case here. Permissions on the Supervisory mailbox are granted on the Folder level, namely each Reviewer will get the “reviewer” level of permissions on the Root folder and the “Supervision” folder tree. In other words, this is what you will see via PowerShell:

Get-MailboxPermission "SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com" -User vasil

Get-MailboxFolderPermission "SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com" -User vasil

FolderName User AccessRights
---------- ---- ------------
Top of Informatio... Vasil Michev {Reviewer}

Get-MailboxFolderPermission "SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com:\Supervision" -User vasil

FolderName User AccessRights
---------- ---- ------------
Supervision Vasil Michev {Reviewer}

Yes, while the Get-Mailbox or Get-Recipient cmdlets does not recognize Supervisory Mailboxes, some other cmdlets will work just fine. This includes the Add-MailboxPermission cmdlet, which you can use to grant Full Access permissions to the mailbox (with Automapping enabled) and the Set-Mailbox cmdlet which you can use to un-hide it from the GAL:

Add-MailboxPermission "SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com" -User vasil -AccessRights FullAccess

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
SupervisoryReview... EURPR03A001\vasil... {FullAccess} False False

Set-Mailbox "SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com" -HiddenFromAddressListsEnabled $false

After doing this, it’s just a matter of waiting for autodiscover refresh and you will get the mailbox added to your Outlook profile:

Now, Microsoft has acknowledged the issue and is working on providing a solution, in the meantime you can use the steps here as a workaround.

Posted in Exchange Online, Office 365, PowerShell | Leave a comment

Highlight and Quote actions in OWA in Office 365

I don’t usually spend much time in OWA, so perhaps these two new features have been available for a while, but this is the first time I’ve seen them pop up. Since I wasn’t able to find any documentation on them, it’s time for another quick blog post.

To see the new features in action, all you have to do is select some text in the message body. A small overlay will pop up, exposing the Highlight and Quote buttons as shown on the screenshot below:

As the name suggests, Highlight marks the text. The light-blue color used however makes the highlight barely distinguishable from “regular” text, and I haven’t been able to find any option to control the color. To remove the highlight effect from a text, simply click on it and select the Remove option.

Selecting the Quote option on the other hand opens the Compose window with the selected text formatted in a separate paragraph and the cursor placed below it. The original message is also preserved, but there doesn’t seem to be a way to add additional quotes.

Still, the feature looks useful 🙂

Posted in Exchange Online, Office 365, OWA | Leave a comment

Controlling access to SCC functionalities via PowerShell

The Security and Compliance Center is the one-stop destination for all your compliance-related needs in Office 365, and as such controlling access to the functionalities exposed in it is very, very important. While we do get the familiar RBAC model, some limitations apply and we cannot get as granular as we can with the Exchange Online model.

On the other hand, thanks to the new Search permissions filtering feature, we can get very granular when it comes to controlling the scope and actions available for eDiscovery operations. Remember, the SCC works across all Office 365 workloads, not just Exchange, and thanks to this functionality we can limit the eDiscovery officer to just the designated mailboxes or sites. What’s even more impressive, we can limit results to only specific content, regardless of the keywords the eDiscovery officer included in the search query!

To get more details and examples of using this functionality, read the full article on ENow’s blog: http://blog.enowsoftware.com/solutions-engine/restricting-access-to-security-and-compliance-center-functionalities

Posted in Office 365, PowerShell | Leave a comment

Office 365 Permissions Inventory scripts

As the “quickly list permissions” articles are still the most popular ones on my blog, and there’s still a lot of interest in running a “permission inventory” types of reports, I decided to run a blog series focused on the subject. Each article will tackle a particular type of permissions and will present my take on what a proper PowerShell based script would look like.

I’ve tried to use the simplest approach possible for each case, while also making sure that speed-related improvements are not overlooked. This includes the use of server-side filtering where applicable and the use of Invoke-Command to get only the minimum required object data. Of course, every organization has different needs, so I don’t expect my approach to help in all cases. After all there are many other similar scripts available on the internet, and they’re all plain text – take one and adapt it to your needs.

Anyway, without further ado, here are the articles and the corresponding scripts, in chronological order:

Next, we will look into building a Forwarding inventory, so that you have a quick way on reporting which users in the organization are forwarding messages.

Posted in Exchange Online, Office 365, PowerShell | Leave a comment