0 votes

For all our shared mailboxes in Exchange we create security groups to manage the Send As, Send on Behalf and Full Access permissions.

Users go via the web interface and select the mailboxes and relevant permissions through tick boxes which we are defining as parameters.


I have a script to add users to the specific security groups which mostly are on-premises but some of the groups now exist in M365 as we are moving the management to there.

I have added the M365 tenant as a managed domain. Does the Get-AdmGroup PowerShell command allow you to get the groups from the cloud managed domain? This would mean my scripts do not require updating.

Here is an example of my script

$mailbox = "%param-Mailbox%" -replace "(CN=)(.*?),.*",'$2'
if ("%param-Sendas%" -eq "Yes")
{
    $mailboxrights = $mailbox + "_SendAs"
    $mailboxGroup = Get-AdmGroup $mailboxrights

    Add-AdmGroupMember $mailboxGroup "%distinguishedName%" -AdaxesService localhost -ErrorAction SilentlyContinue

    $mailboxrights2 = $mailbox + "_FullAccess"
    $mailboxGroup2 = Get-AdmGroup $mailboxrights2

    Add-AdmGroupMember $mailboxGroup2 "%distinguishedName%" -AdaxesService localhost -ErrorAction SilentlyContinue
}

If the command no longer works which one should I now use?

Unless there is a better approach I am open to ideas.

by (110 points)

1 Answer

0 votes
by (289k points)

Hello Mike,

The cmdlet works just fine with both on-premises AD and Entra ID (formerly Azure AD) groups. The only mandatory requirement in the latter case is to specify the -AdaxesService parameter.

0

Hello,

The behavior is expected, as a group name cannot be used as a value of the Identity parameter. Make sure to check the parameter description and allowed values in our documentation. Here is the link to the corresponding article again: https://www.adaxes.com/sdk/Get-AdmGroup/#Identity.

0

Great thank you!

Can Add-ADMGroupMember also be used to add users to Entra-only groups?

So I would just need to amend my scripts to check whether the group exists in Entra only or in AD, and add to the relevant group based on where it resides.

0

Hello Mike,

Yes, that is correct and is true for all Adaxes cmdlets.

0

This is the script which adds the user to the relevant group now and it runs successfully but never actually adds the user. Can you see what I am doing wrong?

$mailbox = "%param-Mailbox%" -replace "(CN=)(.*?),.*",'$2'
$mailboxRights = $mailbox + "_FullAccess"

# Try searching in the local AD
$mailboxGroup = Get-AdmGroup -Filter {Name -eq $mailboxRights} -AdaxesService localhost

# If the local search returns nothing, try searching in Azure AD
if (-not $mailboxGroup) {
    $mailboxGroupAAD = Get-AdmGroup -Filter {Name -eq $mailboxRights} -AdaxesService localhost -Server domain.onmicrosoft.com
}

if ($mailboxGroup) {
    try {
        # Attempt to add member to the group in the local Adaxes service
        Add-AdmGroupMember -Identity $mailboxGroup -Members "%distinguishedName%" -AdaxesService localhost
        $Context.LogMessage("Member added successfully to the group: $mailboxGroup", "Info")
    }
    catch {
        $errorAD = $_.Exception.Message
        $Context.LogMessage("Failed to add user: $errorAD", "Error")
    }
}
elseif ($mailboxGroupAAD) {
    try {
        # Attempt to add member to the group in the local Adaxes service
        Add-AdmGroupMember -Identity $mailboxGroupAAD -Members "%distinguishedName%" -AdaxesService localhost -Server domain.onmicrosoft.com
        $Context.LogMessage("Member added successfully to the group: $mailboxGroupAAD", "Info")
    }
    catch {
        $errorAAD = $_.Exception.Message
        $Context.LogMessage("Failed to add user: $errorAAD", "Error")
    }
}
0

Hello Mike,

What do you see in Adaxes logs after executing the script? Please, post screenshots here or send to us at support@adaxes.com. Also, please, provide a screenshot of the run script operation execution log. For details on how to view it, see https://www.adaxes.com/help/ViewOperationsPerformedViaAdaxes.
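
A stricter form of the lookup-then-add pattern discussed in this thread, as an added example (not posted by any participant and not Adaxes' own code): it searches both domains, makes no change unless exactly one group matches, and uses -ErrorAction Stop so a failed add reaches the catch block. The domain list and the "Information" log type are assumptions; domain.onmicrosoft.com is the thread's placeholder.

```powershell
# Added example. Cmdlet parameters are the ones used in the thread;
# domain.onmicrosoft.com is the thread's placeholder for the Entra ID domain.
$mailbox   = "%param-Mailbox%" -replace "(CN=)(.*?),.*", '$2'
$groupName = $mailbox + "_FullAccess"

# $null means "search the on-premises domain" (no -Server argument).
$domains = @($null, "domain.onmicrosoft.com")

# Collect every match from every domain instead of stopping at the first one.
$found = @()
foreach ($domain in $domains) {
    $lookup = @{ AdaxesService = "localhost"; ErrorAction = "Stop" }
    if ($domain) { $lookup["Server"] = $domain }
    try {
        $groups = @(Get-AdmGroup -Filter {Name -eq $groupName} @lookup)
    }
    catch {
        # A failed lookup means ambiguity cannot be ruled out, so stop here.
        $Context.LogMessage("Lookup of '$groupName' failed: $($_.Exception.Message)", "Error")
        return
    }
    foreach ($group in $groups) {
        $found += [pscustomobject]@{ Group = $group; Domain = $domain }
    }
}

# These groups grant mailbox access, so refuse to guess when the name is
# missing or matches more than one group.
if ($found.Count -ne 1) {
    $Context.LogMessage("Expected one group named '$groupName', found $($found.Count). Nothing changed.", "Error")
    return
}

$target = $found[0]
$add = @{ Identity = $target.Group; Members = "%distinguishedName%"; AdaxesService = "localhost" }
if ($target.Domain) { $add["Server"] = $target.Domain }
try {
    # -ErrorAction Stop turns non-terminating cmdlet errors into exceptions,
    # so a failed add reaches the catch block instead of passing silently.
    Add-AdmGroupMember @add -ErrorAction Stop
    $Context.LogMessage("Added user to '$groupName'.", "Information")
}
catch {
    $Context.LogMessage("Failed to add user to '$groupName': $($_.Exception.Message)", "Error")
}
```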
