0 votes

From my understanding I need to use a script to add send as and delegated mailbox permissions for 365 mailboxes.

Does anyone have a sample script I could use for reference?

Please and thank you!

by (270 points)
0

Hello John,

> From my understanding I need to use a script to add send as and delegated mailbox permissions for 365 mailboxes.

This can be done using the Modify Exchange properties action. For details, have a look at Example 10 of the following tutorial: https://www.adaxes.com/tutorials_Automa ... collapse12.

> Does anyone have a sample script I could use for reference?

If using the Modify Exchange properties action does not meet your needs, have a look at the following script from our repository: https://www.adaxes.com/script-repositor ... r-s502.htm. Should you have issues modifying the script, provide us with all the possible details and we will help you.

0

I can't use the modify exchange properties section because I do not have an on-prem exchange server. When I try to assign the permissions for Send As, it doesn't show the mailboxes in 365, just local AD objects.

I will take a look at the script. Thank you.

0

The script you mentioned appears to be for an on-premise exchange server.

Do you have something like that for Office 365 / Exchange online?

0

Hello John,

Do you need to always grant both Send As and Full Access permissions, or do you need to grant them separately?

0

I DON'T have an on premise Exchange server either, but use the Exchange Properties tab within Adaxes without an issue.

We have an On Prem A.D. that we sync to O365, and have extended A.D. schema with Exchange attributes.

0

I don't think you understand my situation. We have some mailboxes that are NOT connected/synced from our local AD to 365/Exchange Online. Some users still need delegate and send as permissions to those mailboxes.

If I edit exchange properties it doesn't give me the option to modify "in cloud" only mailboxes in 365/exchange online...

0

Oh, okay, got it, I did miss that.

0

There are times I need to do both but often I just need to do one or the other.

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello John,

Thank you for clarifying. Use the below scripts to grant the permissions. In the scripts, the $mailboxIdentity variable specifies the name of the mailbox for which a user will be granted the permissions. To run the scripts, you need to create Custom Commands configured for the User object type. To grant a user the required permissions, you will need to execute the corresponding command for them. To be able to grant both permissions at the same time, you can create another Custom Command that will execute both commands for a user.

Script granting Send As permissions

$mailboxIdentity = "OnlineMailbox" # TODO: modify me

try
{
    # Get the object ID in Office 365
    $objectId = ([Guid]$Context.TargetObject.Get("adm-O365ObjectId")).ToString()
}
catch
{
    return # The user doesn't have an Office 365 account
}

try
{
    # Connect to Exchange Online
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Authentication Basic -AllowRedirection -Credential $Context.GetOffice365Credential()
    Import-PSSession $session -CommandName "Get-Mailbox", "Add-RecipientPermission"

    # Grant permissions
    try
    {
        Add-RecipientPermission -Trustee $objectId -AccessRight "SendAs" -Confirm:$False -ErrorAction Stop -Identity $mailboxIdentity
    }
    catch
    {
        $Context.LogMessage("An error occurred when adding permissions to mailbox $mailboxIdentity. Error: " + $_.Exception.Message, "Warning")
        return
    }
}
finally
{
    # Close the remote session and release resources
    if ($session) { Remove-PSSession $session }
}

Script granting Full Access permissions

$mailboxIdentity = "OnlineMailbox" # TODO: modify me

try
{
    # Get the object ID in Office 365
    $objectId = ([Guid]$Context.TargetObject.Get("adm-O365ObjectId")).ToString()
}
catch
{
    return # The user doesn't have an Office 365 account
}

try
{
    # Connect to Exchange Online
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Authentication Basic -AllowRedirection -Credential $Context.GetOffice365Credential()
    Import-PSSession $session -CommandName "Get-Mailbox", "Add-MailboxPermission"

    # Grant permissions
    try
    {
        Add-MailboxPermission -Deny:$False -User $objectId -AccessRights "FullAccess" -ErrorAction Stop -Identity $mailboxIdentity
    }
    catch
    {
        $Context.LogMessage("An error occurred when adding permissions to mailbox $mailboxIdentity. Error: " + $_.Exception.Message, "Warning")
        return
    }
}
finally
{
    # Close the remote session and release resources
    if ($session) { Remove-PSSession $session }
}
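
A read-only check that the two grants above landed as intended, added here as an example and not part of the original answer or of Adaxes: it reduces the output of Get-MailboxPermission and Get-RecipientPermission to the explicit FullAccess and SendAs grants on a mailbox and marks any trustee missing from an approved list. The function name, the approved list and the sample entries are constructed for illustration.

```powershell
# Added example (not from the original answer). Input objects use the property
# names returned by Get-MailboxPermission (User, AccessRights, Deny, IsInherited)
# and Get-RecipientPermission (Trustee, AccessRights, AccessControlType, IsInherited).
function Get-MailboxDelegationReview {   # hypothetical helper name
    param(
        [object[]] $FullAccessEntries = @(),
        [object[]] $SendAsEntries = @(),
        [string[]] $ApprovedTrustees = @()   # assumption: reviewer-maintained allow-list
    )
    $grants = @()
    foreach ($e in $FullAccessEntries) {
        # Skip inherited entries and explicit denies; keep only FullAccess
        if ("$($e.IsInherited)" -eq 'True' -or "$($e.Deny)" -eq 'True') { continue }
        if (@($e.AccessRights | ForEach-Object { "$_" }) -notcontains 'FullAccess') { continue }
        $grants += [pscustomobject]@{ Mailbox = "$($e.Identity)"; Trustee = "$($e.User)"; Right = 'FullAccess' }
    }
    foreach ($e in $SendAsEntries) {
        # Skip inherited entries and anything that is not an Allow entry
        if ("$($e.IsInherited)" -eq 'True' -or "$($e.AccessControlType)" -ne 'Allow') { continue }
        if (@($e.AccessRights | ForEach-Object { "$_" }) -notcontains 'SendAs') { continue }
        $grants += [pscustomobject]@{ Mailbox = "$($e.Identity)"; Trustee = "$($e.Trustee)"; Right = 'SendAs' }
    }
    # The mailbox owner's own entry is expected and is not a delegation
    foreach ($g in $grants | Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' }) {
        $g | Add-Member -NotePropertyName Approved -NotePropertyValue ($ApprovedTrustees -contains $g.Trustee) -PassThru
    }
}

# Constructed sample entries, so the function can be tried offline
$fullAccess = @(
    [pscustomobject]@{ Identity = 'OnlineMailbox'; User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); Deny = $false; IsInherited = $false }
    [pscustomobject]@{ Identity = 'OnlineMailbox'; User = 'alice@example.com'; AccessRights = @('FullAccess'); Deny = $false; IsInherited = $false }
)
$sendAs = @(
    [pscustomobject]@{ Identity = 'OnlineMailbox'; Trustee = 'bob@example.com'; AccessRights = @('SendAs'); AccessControlType = 'Allow'; IsInherited = $false }
)
Get-MailboxDelegationReview -FullAccessEntries $fullAccess -SendAsEntries $sendAs -ApprovedTrustees 'alice@example.com' |
    Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline (ExchangeOnlineManagement module):
#   Get-MailboxDelegationReview -FullAccessEntries (Get-MailboxPermission -Identity 'OnlineMailbox') `
#       -SendAsEntries (Get-RecipientPermission -Identity 'OnlineMailbox') -ApprovedTrustees $approved
```

The scripts in this answer connect with `New-PSSession ... -Authentication Basic`; Exchange Online has since retired Basic authentication for remote PowerShell, so current tenants connect with Connect-ExchangeOnline instead.
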
0

Can I also use these scripts to grant send-as permissions for a distribution group?

0

Hello John,

To grant Send As permissions to a group, use the below script in a Custom Command configured for the Group object type.

$mailboxIdentity = "OnlineMailbox" # TODO: modify me

try
{
    # Connect to Exchange Online
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Authentication Basic -AllowRedirection -Credential $Context.GetOffice365Credential()
    Import-PSSession $session -CommandName "Get-Mailbox", "Add-RecipientPermission"

    # Grant permissions
    try
    {
        Add-RecipientPermission -Trustee "%name%" -AccessRight "SendAs" -Confirm:$False -ErrorAction Stop -Identity $mailboxIdentity
    }
    catch
    {
        $Context.LogMessage("An error occurred when adding permissions to mailbox $mailboxIdentity. Error: " + $_.Exception.Message, "Warning")
        return
    }
}
finally
{
    # Close the remote session and release resources
    if ($session) { Remove-PSSession $session }
}
0

I added the script as a custom command to my business rule but it didn't apply the send as permissions because the newly created user wasn't detected in office 365 yet....

I think it's because the 365 mailbox isn't 100% created yet that quickly... is there a way to delay the send as permissions script to wait like 10 minutes until the mailbox is completely set up?

0

Hello John,

There is no such possibility because it can take up to several hours to create a mailbox. To work around the issue, you need to use the Custom Command in a Scheduled Task. The task will execute the command only if the user has a mailbox. To make sure that the task is executed for new users only once, you can use an Adaxes custom Boolean attribute (e.g. CustomAttributeBoolean1) to mark the accounts. In your Business Rule triggering After Creating a User, the attribute will be set to True and in the Scheduled Task it will be cleared.

i. Updating the Business Rule

  1. Launch Adaxes Administration Console.

  2. In the Console Tree, expand your service node.

  3. Navigate to Configuration\Business Rules and select the rule you need.

  4. Double-click the Run PowerShell script action.

  5. Select Update the User and click Add.

  6. In the Property to modify drop-down, select CustomAttributeBoolean1.

  7. In the New value field, select True.

  8. Click OK twice and save the changes.

ii. Creating the Scheduled Task

  1. Launch Adaxes Administration Console.

  2. In the Console Tree, right-click your service.

  3. In the context menu, navigate to New and click Scheduled Task.

  4. On step 3 of the Create Scheduled Task wizard, select User Object type and click Next.

  5. Click Add an action.

  6. Select Run a program or PowerShell script.

  7. Paste the script into the Script field.

  8. Enter a short description and click OK.

  9. Right-click the action you created and click Add New Action in the context menu.

  10. Select Update the User and click Add.

  11. In the Property to modify drop-down, select CustomAttributeBoolean1.

  12. Select Remove property and click OK twice.

  13. Double-click Always.

  14. Select If <property><relation><value>.

  15. Select If CustomAttributeBoolean1 equals True and click OK.

  16. Right-click the condition you created and click Add New Condition in the context menu.

  17. Select If has an Exchange mailbox and click OK.

  18. Click Next and finish creating the Scheduled Task.
