0 votes

For all our shared mailboxes in Exchange we create security groups to manage the Send As, Send on Behalf and Full Access permissions.

Users go via the web interface and select the mailboxes and relevant permissions through tick boxes, which we are defining as parameters.


I have a script to add users to the specific security groups, which mostly are on-premises, but some of the groups now exist in M365 as we are moving the management there.

I have added the M365 tenant as a managed domain. Does the Get-AdmGroup PowerShell command allow you to get the groups from the cloud managed domain, as this would mean my scripts do not require updating?

Here is an example of my script:

# Extract the CN from the mailbox DN passed in through the %param-Mailbox% parameter
$mailbox = "%param-Mailbox%" -replace "(CN=)(.*?),.*", '$2'

if ("%param-Sendas%" -eq "Yes")
{
    # Add the user to the <mailbox>_SendAs security group
    $mailboxrights = $mailbox + "_SendAs"
    $mailboxGroup = Get-AdmGroup $mailboxrights

    Add-AdmGroupMember $mailboxGroup "%distinguishedName%" -AdaxesService localhost -ErrorAction SilentlyContinue

    # Add the user to the <mailbox>_FullAccess security group
    $mailboxrights2 = $mailbox + "_FullAccess"
    $mailboxGroup2 = Get-AdmGroup $mailboxrights2

    Add-AdmGroupMember $mailboxGroup2 "%distinguishedName%" -AdaxesService localhost -ErrorAction SilentlyContinue
}

If the command no longer works, which one should I now use?

Unless there is a better approach I am open to ideas.

by (110 points)

1 Answer

0 votes
by (289k points)

Hello Mike,

The cmdlet works just fine with both on-premises AD and Entra ID (formerly Azure AD) groups. The only mandatory requirement in the latter case is to specify the -AdaxesService parameter.

0

Hi,

Happy New Year!

If the group is a cloud-only one, how does Adaxes know? Do we have to connect to Azure AD in the script?

Also, in the scripts the -AdaxesService parameter is defined as localhost, so I assume that is the same?

When I try to get a cloud-only group I get the error: get-admgroup : Can't find an object with identity

0

Hello,

If the group is a cloud-only one, how does Adaxes know? Do we have to connect to Azure AD in the script? When I try to get a cloud-only group I get the error: get-admgroup : Can't find an object with identity

If you specify the -AdaxesService parameter for an Adaxes cmdlet, it will only work if the corresponding object is available in one of the managed domains. The condition is the same for both on-premises AD and Entra ID (formerly Azure AD). As such, the error seems to occur because you did not register your Entra domain in Adaxes.

Also, in the scripts the -AdaxesService parameter is defined as localhost, so I assume that is the same?

It will work fine if the script is executed on the computer where the Adaxes service runs.

0

I have registered the managed Entra domain in Adaxes and I can confirm that the cloud-only group is visible, but I have the same issue when trying to retrieve groups via PowerShell.

When I use -AdaxesService (on the server) I get:

get-admgroup : Failed to obtain information about the service

If I specify the server name instead of the local service I get the same error as before, where the group cannot be found.

0

Hello Mike,

Try using both the -AdaxesService and -Server parameters at the same time. For details on the parameter values, see https://www.adaxes.com/sdk/Get-AdmGroup.

0

Hello,

Sorry, I am not sure what I am doing wrong here; this is what I am doing:

get-admgroup -Identity "Name of group" -AdaxesService "Entra managed domain" -server "FQDN of Adaxes server"

Is that correct?

I get the error: get-admgroup : Failed to obtain information about the service

0

Hello Mike,

No, that is not correct. The -AdaxesService parameter has nothing to do with domains. If you execute the cmdlet in Windows PowerShell on the computer where the Adaxes service runs, it can be set to localhost. Otherwise, it must be set to the FQDN of the computer where the Adaxes service is installed. At the same time, the -Server parameter should be set to the domain you need, which is an Entra domain in this case.

0

Thanks, I can now find the group, but only by specifying the objectGUID and not by using the name of the group. Is this expected behaviour?

0

Hello,

The behavior is expected, as a group name cannot be used as a value of the Identity parameter. Make sure to check the parameter description and allowed values in our documentation. Here is the link to the corresponding article again: https://www.adaxes.com/sdk/Get-AdmGroup/#Identity.
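The two points made in the replies above (the -AdaxesService value is the host running the Adaxes service while -Server is the managed domain, and -Identity does not accept a group name) put together in one added example. This is not code from the thread or from Adaxes' own documentation; ADAXES01.corp.example, contoso.onmicrosoft.com and Finance_FullAccess are placeholders, and the ObjectGUID property name on the returned object is assumed to mirror the ActiveDirectory module.

```powershell
# Added example (not from the thread): addressing a cloud-only group through the Adaxes cmdlets.
# Placeholders: ADAXES01.corp.example = host running the Adaxes service,
#               contoso.onmicrosoft.com = Entra domain registered as a managed domain,
#               Finance_FullAccess     = name of the rights group.

# -AdaxesService names the machine running the Adaxes service, never a domain.
# "localhost" only works when the script runs on that machine itself.
$adaxesService = if ($env:COMPUTERNAME -eq "ADAXES01") { "localhost" } else { "ADAXES01.corp.example" }

# -Server names the managed domain to search; for a cloud-only group that is the Entra domain.
$entraDomain = "contoso.onmicrosoft.com"
$groupName   = "Finance_FullAccess"

# A plain name is not an accepted -Identity value, so search by name with -Filter instead.
# Escaping single quotes keeps a name derived from user input or a DN from breaking the filter.
$safeName = $groupName -replace "'", "''"
$found    = @(Get-AdmGroup -Filter "Name -eq '$safeName'" -AdaxesService $adaxesService -Server $entraDomain)

switch ($found.Count) {
    0       { throw "No group named '$groupName' in $entraDomain" }
    1       { $group = $found[0] }
    default { throw "$($found.Count) groups named '$groupName' in $entraDomain; refusing to guess which one" }
}

# From here on, address the group by an accepted -Identity value (its objectGUID, assumed to be
# exposed as the ObjectGUID property) instead of repeating the name search on every call.
$groupId = $group.ObjectGUID
$sameGroup = Get-AdmGroup -Identity $groupId -AdaxesService $adaxesService -Server $entraDomain
"Resolved '$groupName' in $entraDomain to objectGUID $groupId"
```

The name search is deliberately strict: a -Filter lookup can return several objects, and adding a member to whichever group happens to come back first would silently grant rights on the wrong mailbox, so the script stops on zero or more than one match.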

0

Great thank you!

Can the Add-ADMGroupMember cmdlet also be used to add users to Entra-only groups?

So I would just need to amend my scripts to check if the group exists in Entra only or in AD and add to the relevant group based on where they reside.

0

Hello Mike,

Yes, that is correct and is true for all Adaxes cmdlets.

0

This is the script which adds the user to the relevant group now, and it runs successfully but never actually adds the user. Can you see what I am doing wrong?

# Extract the CN from the mailbox DN passed in through the %param-Mailbox% parameter
$mailbox = "%param-Mailbox%" -replace "(CN=)(.*?),.*", '$2'
$mailboxRights = $mailbox + "_FullAccess"

# Try searching in the local AD
$mailboxGroup = Get-AdmGroup -Filter {Name -eq $mailboxRights} -AdaxesService localhost

# If the local search returns nothing, try searching in Azure AD
$mailboxGroupAAD = $null
if (-not $mailboxGroup) {
    $mailboxGroupAAD = Get-AdmGroup -Filter {Name -eq $mailboxRights} -AdaxesService localhost -Server domain.onmicrosoft.com
}

if ($mailboxGroup) {
    try {
        # Attempt to add member to the group in the local AD (-ErrorAction Stop so the catch block sees failures)
        Add-AdmGroupMember -Identity $mailboxGroup -Members "%distinguishedName%" -AdaxesService localhost -ErrorAction Stop
        $Context.LogMessage("Member added successfully to the group: $mailboxGroup", "Info")
    }
    catch {
        $errorAD = $_.Exception.Message
        $Context.LogMessage("Failed to add user: $errorAD", "Error")
    }
}
elseif ($mailboxGroupAAD) {
    try {
        # Attempt to add member to the group in the Entra managed domain
        Add-AdmGroupMember -Identity $mailboxGroupAAD -Members "%distinguishedName%" -AdaxesService localhost -Server domain.onmicrosoft.com -ErrorAction Stop
        $Context.LogMessage("Member added successfully to the group: $mailboxGroupAAD", "Info")
    }
    catch {
        $errorAAD = $_.Exception.Message
        $Context.LogMessage("Failed to add user: $errorAAD", "Error")
    }
}
else {
    # Neither search found the group; say so instead of finishing silently
    $Context.LogMessage("Group $mailboxRights was not found in the local AD or in Entra", "Warning")
}

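The same on-premises-first, Entra-second lookup written as a reusable function, added here as an example and not taken from the thread or from Adaxes. It generalises the script above to any of the three rights groups and to several Entra domains, refuses ambiguous matches, and reports where the member was added. contoso.onmicrosoft.com is a placeholder domain; the Add-MailboxRightsMember name and its parameters are this example's own.

```powershell
# Added example (not the poster's script): find a <mailbox>_<right> group in on-premises AD,
# then in each Entra managed domain, and add the member to the first (and only) match.
function Add-MailboxRightsMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,                                   # e.g. "Finance"
        [Parameter(Mandatory)] [ValidateSet("SendAs", "SendOnBehalf", "FullAccess")]
        [string] $Right,
        [Parameter(Mandatory)] [string] $MemberDN,                                  # %distinguishedName% in Adaxes
        [string[]] $EntraDomains = @("contoso.onmicrosoft.com"),                    # placeholder tenant domain
        [string] $AdaxesService = "localhost"                                        # host running the Adaxes service
    )

    $groupName = "{0}_{1}" -f $Mailbox, $Right
    $safeName  = $groupName -replace "'", "''"   # keep a quote in the mailbox name from breaking the filter

    # Search order: on-premises AD first (no -Server means the default managed AD domain),
    # then each registered Entra domain in turn.
    $targets = @($null) + $EntraDomains

    foreach ($server in $targets) {
        $common = @{ AdaxesService = $AdaxesService }
        if ($server) { $common.Server = $server }
        $where = if ($server) { $server } else { "on-premises AD" }

        $found = @(Get-AdmGroup -Filter "Name -eq '$safeName'" @common)
        if ($found.Count -eq 0) { continue }
        if ($found.Count -gt 1) { throw "Ambiguous group name '$groupName' in $where; not adding" }

        # -ErrorAction Stop turns a failed add into an exception the caller can catch and log
        Add-AdmGroupMember -Identity $found[0] -Members $MemberDN @common -ErrorAction Stop
        return [pscustomobject]@{ Group = $groupName; Location = $where; Member = $MemberDN }
    }

    throw "Group '$groupName' not found in on-premises AD or in: $($EntraDomains -join ', ')"
}

# Usage inside an Adaxes business rule or custom command (value references are resolved by Adaxes):
# try {
#     $mailbox = "%param-Mailbox%" -replace "(CN=)(.*?),.*", '$2'
#     $result  = Add-MailboxRightsMember -Mailbox $mailbox -Right "FullAccess" -MemberDN "%distinguishedName%"
#     $Context.LogMessage("Added to $($result.Group) in $($result.Location)", "Information")
# } catch {
#     $Context.LogMessage("Failed to add user: $($_.Exception.Message)", "Error")
# }
```

Because the function throws rather than logging, a missing group, an ambiguous name or a failed add all surface in the operation log as errors instead of the script finishing "successfully" without changing anything.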
0

Hello Mike,

What do you see in the Adaxes logs after executing the script? Please post screenshots here or send them to us at support@adaxes.com. Also, please provide a screenshot of the run-script operation execution log. For details on how to view it, see https://www.adaxes.com/help/ViewOperationsPerformedViaAdaxes.
