Auditing and management improvements for Office 365 Groups

It took Microsoft few years and several back-and-forth iterations, but we can finally manage Office 365 Group mailboxes via the *-Mailbox cmdlets. Well, I suppose the correct way to formulate this is “we can finally manage the mailbox settings of an Office 365 Group via the Exchange Online mailbox cmdlets”, but you get the point.

Back when Office 365 Groups were first introduced, they were actually exposed via the Get-Mailbox cmdlet, and you could see the relevant GroupMailbox object’s properties. In other words, the following example worked just fine:

Get-Mailbox firstgroup@michev.onmicrosoft.com | fl *archive*

ArchiveDatabase : EURPR03DG039-db130
ArchiveGuid : 577a3146-10b5-485e-9068-2db4bdf6ffa5
ArchiveName : {In-Place Archive - First group}
ArchiveQuota : 100 GB (107,374,182,400 bytes)
ArchiveWarningQuota : 90 GB (96,636,764,160 bytes)
ArchiveStatus : Active
ArchiveState : Local

None of the other mailbox cmdlets worked however, so you couldn’t use the Set-Mailbox cmdlet to change the name or address of the Office 365 Group. Even my favorite Get-Recipient cmdlet didn’t work against Office 365 Group objects. Fast forward few months, and Microsoft introduced the set of *-UnifiedGroup cmdlets, which allowed us to manage some aspects of the group mailbox, but it was clear that they want it treated more like a group. They also started including Office 365 Groups in the output of Get-Recipient, however you needed to explicitly specify the GroupMailbox recipient details type for that, and it was only in 2018 when the cmdlet started returning group objects by default.

Office 365 Groups can now be managed via the *-Mailbox cmdlets

Now, another set of improvements has been released, without any announcement or blog post. First of those improvements is the -GroupMailbox parameter for the Get-Mailbox cmdlet, which when used will return information about the underlying group mailbox. You always have to include the parameter if you want to return the corresponding GroupMailbox object though, as illustrated by the following example:

Similarly to how Get-Recipient worked with Group mailboxes back in the day (and what annoys me most) is that if you want to get a list of all Mailbox objects, including the GroupMailbox ones, you have to run the Get-Mailbox cmdlet twice, as illustrated below:

 

 

And even more annoying, if you want to include GroupMailbox objects, you must always specify the -GroupMailbox switch. Even when you explicitly ask for the GroupMailbox recipient type. If you don’t use the switch, you get zero results:

While having to include the switch is a drag and bring back memories of the disjoint experience we had with the Get-Recipient cmdlet, the good news is that we can finally (or should I say again) treat the Group mailbox as any other mailbox type. For example, I can get the full set of properties:

The above screenshot illustrates that we can now treat the Group mailbox object just like any other mailbox type. Granted, some properties might be empty, such as the UserPrincipalName, or not populated, such as the CustomAttribute4. But, the total number of properties returned is exactly the same as for my personal mailbox ‚Äď a whopping 240! In contrast, only 124 properties are returned by Get-UnifiedGroup, most of which don’t relate to the mailbox anyway.

And, what’s even more important, we can actually set properties now, directly via the Set-Mailbox cmdlet! The only thing you need to remember is to always specify the –GroupMailbox switch:

Set-Mailbox default -CustomAttribute4 PowerShell -GroupMailbox
Get-Mailbox default -GroupMailbox | select CustomAttribute4
CustomAttribute4
----------------
PowerShell

Get-UnifiedGroup default | select CustomAttribute4
CustomAttribute4
----------------
PowerShell

How about something fancier you say? Let’s try putting the mailbox on hold:

Set-Mailbox default -GroupMailbox -LitigationHoldEnabled $true
WARNING: The hold setting may take up to 60 minutes to take effect.

Get-Mailbox default -GroupMailbox | fl LitigationHoldEnabled
LitigationHoldEnabled : True

Success! Whether this is actually a supported scenario is another question ūüôā

Among other interesting properties we can modify, we can list the mailbox quota ones, MailTip, forwarding, RetainDeletedItemsFor, CalendarRepairDisabled, ElcProcessingDisabled, and more. Changing most of these actually works, not only by setting the corresponding properties to the new value, but with the actual functionality such as displaying mail tips or forwarding messages addressed to the Office 365 Group being redirected to the new address!

Of course, one shouldn’t forget that we can still use the *-UnifiedGroup cmdlets as well, and they in fact remain the primary method of managing Office 365 Groups. But at least for some tasks, you can now treat Group mailboxes in the same manner as “regular” ones and use the same cmdlets to manage both types, provided you don’t forget to add another run of the Get-/Set-Mailbox cmdlet with the -GroupMailbox parameter included. And of course there is a parity between the number of objects returned, and the *-Mailbox and *-UnifiedGroup cmdlets can be used interchangeably, as long as the parameter you are working with is covered by both:

Auditing is now available for Office 365 Groups

Another very important functionality that is now available for Office 365 Groups is Auditing. You might have noticed the example above which showed the AuditEnabled parameter set to True. Those of you that are keeping current on the Exchange Online changes are probably aware that this parameter does not necessarily represent the actual state of Auditing, which is now on by default for the entire organization and exceptions are governed by the Set-MailboxAuditBypassAssociation cmdlet. The “auditing on by default” feature bring auditing to Office 365 Groups as well, as detailed in the documentation.

All the auditing settings are preconfigured for Office 365 Groups, and while you can play with the Set-Mailbox cmdlet to change them, the article goes to warn you to not trust the values returned, and instead rely on the default values listed in the documentation. Being the curious type, I of course tried to modify some values, which seems to work. I haven’t actually bothered to verify whether the corresponding changes take effect, as I decided to trust the documentation in this case. The important things of course is that the auditing functionality is finally available for Office 365 Group mailboxes, and it seems to be working as shown below:

Get-MailboxFolderStatistics default -FolderScope Recover | ft Name,Folder*size,Items*
Name                       FolderSize                 FolderAndSubfolderSize     ItemsInFolder ItemsInFolderAndSubfolders
----                       ----------                 ----------------------     ------------- --------------------------
Recoverable Items          0 B (0 bytes)              2.42 MB (2,537,174 bytes)              0                        155
Audits                     17.41 KB (17,827 bytes)    17.41 KB (17,827 bytes)                4                          4
Calendar Logging           55.95 KB (57,288 bytes)    55.95 KB (57,288 bytes)                5                          5
Deletions                  0 B (0 bytes)              0 B (0 bytes)                          0                          0
DiscoveryHolds             2.312 MB (2,424,592 bytes) 2.312 MB (2,424,592 bytes)           143                        143
SearchDiscoveryHoldsFolder 0 B (0 bytes)              0 B (0 bytes)                          0                          0
MigratedMessages           0 B (0 bytes)              0 B (0 bytes)                          0                          0
Purges                     19.13 KB (19,589 bytes)    19.13 KB (19,589 bytes)                1                          1
SubstrateHolds             0 B (0 bytes)              0 B (0 bytes)                          0                          0
Versions                   17.46 KB (17,878 bytes)    17.46 KB (17,878 bytes)                2                          2

I’ve had zero success actually accessing the audit logs so far though, as the synchronous process via Search-MailboxAuditLog fails with an error about non-existent mailbox, and the asynchronous one via the New-MailboxAuditLogSearch cmdlet never returned any results over email. In addition, the UI tools in the Exchange Online Admin Center haven’t been updated to allow for selection of Group mailboxes, and the Unified audit log in the SCC doesn’t seem to have any events flowing from Group mailbox audit entries either.

UPDATE 29.09.2019: Apparently there is some bug with the auditing cmdlets, which don’t seem to recognize Office 365 Groups associated with custom domains. Audit log searches performed against groups using the default onmicrosoft.com domain do work though, as illustrated below:

Some other remarks

Speaking of changes that don’t take effect, few other Set-Mailbox parameters cannot be used against Office 365 Group mailboxes. Those include the moderation controls, the DeliverToMailboxAndForward parameter, the auditing parameters as listed above. In addition, only the Get-Mailbox and Set-Mailbox cmdlets support the -GroupMailbox parameter. You cannot use it with the New-Mailbox, Remove-Mailbox or Enable-Mailbox cmdlets, so you cannot create or remove Office 365 Group mailboxes with those cmdlets, neither can you enable an Archive mailbox.

And since I like to be thorough (sometimes), here’s a list of all cmdlets that have the -GroupMailbox parameter.

Add-MailboxFolderPermission
Add-MailboxPermission
Get-Mailbox
Get-MailboxFolderPermission
Get-MailboxPermission
Get-UserPhoto
New-MailboxAuditLogSearch
New-SyncRequest
Remove-MailboxFolderPermission
Remove-MailboxPermission
Remove-UserPhoto
Search-MailboxAuditLog
Set-Mailbox
Set-UserPhoto

Do note that not all of these will actually work, for example we still cannot delegate mailbox-level permission to Group mailboxes, despite the two cmdlets having the corresponding switch:

In addition to the above cmdlets, you can of course use any of the *-UnifiedGroup cmdlets to manage different aspects of Office 365 Groups, *-UnifiedGroupLinks to manage their membership, Get-Recipient to list various properties, Get-MailboxStatistics to get some useful data about the group usage, Get-MailboxFolderStatistics to get folder-level statistics. Those cmdlets do actually work, mostly ūüôā

Overall, 5 years after the release of Office 365 Groups, we’re finally at a point where we can manage them akin to regular mailboxes. Almost.

This entry was posted in Exchange Online, Office 365, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.