Category Archives: Exchange Online

M365Permissions v1.0.4

  • [Feature] Add mailbox folder level permission scanning
  • [Feature] Added support for concurrent runs
  • [Feature] Allow running only for OneDrive (-excludeOtherSites)
  • [Bugfix] Do not double select sub-channels when running for a specific Team
  • [Bugfix] Fix unable to connect for certain types of subsites
  • [Bugfix] Only check PIM when licensed for Entra P2
  • [Bugfix] Fix progress bars displaying progress incorrectly
  • [Bugfix] Exclude auditor even if it doesn’t have a mailbox

For more info, check the M365Permissions module page, Github or PSGallery

M365Permissions v1.0.3

In this version, a tab was added that lists all groups with their members and owners. This makes it easier to cross-reference or pivot any of the result tabs against data from other M365 resources, e.g. to identify identities that could escalate their permissions through their group memberships.

For more info, check the M365Permissions module page, Github or PSGallery

M365Permissions v1.0.2 – Exchange Online

In this version I’ve added Exchange Online to the supported resources!

All updates / changes since v1.0.1:

  1. Exchange Online Admin Roles
  2. Exchange Online Send As rights (groups, mailboxes, etc.)
  3. Exchange Online Send On Behalf (mailboxes)
  4. Exchange other Mailbox Permissions (full control, etc.)
  5. Enhanced token handling (1 prompt instead of one per API)
  6. Auto setup and instructions at module load
  7. Ignore Current User support for the EntraID resource

For more info, check the M365Permissions module page, Github or PSGallery

Dynamic membership rule for Teams Room accounts

Teams Room accounts are usually excluded from conditional access. To do so, they have to be in a security group, which of course we don’t want to maintain manually.

Most companies choose a naming standard and simply use that as the rule for the exclusion group. This is easy to circumvent: I can create a guest user or get invited with the right name, et voilà, zero CA policies!

A better way is to identify the accounts based on their assigned licenses, e.g. Teams Rooms Basic (6af4b3d6-14bb-4a2a-960c-6c902aad34f3). This, however, is not supported in an Azure AD group membership rule: the license is stored in the AssignedLicenses property, which throws an “Unsupported Property” error when used in a rule.

The assignedPlans property, however, does contain the GUID we need.

The following Azure AD group dynamic membership rule only matches users that have a Teams Rooms Basic, Teams Rooms Standard or Teams Rooms Pro license:

(
	(
		user.assignedPlans -any (
			assignedPlan.servicePlanId -eq "8081ca9c-188c-4b49-a8e5-c23b5e9463a8"
			-and 
			assignedPlan.capabilityStatus -eq "Enabled"
		)
	) -or 
	(
		user.assignedPlans -any (
			assignedPlan.servicePlanId -eq "ec17f317-f4bc-451e-b2da-0167e5c260f9"
			-and 
			assignedPlan.capabilityStatus -eq "Enabled"
		)
	) -or 
	(
		user.assignedPlans -any (
			assignedPlan.servicePlanId -eq "92c6b761-01de-457a-9dd9-793a975238f7"
			-and 
			assignedPlan.capabilityStatus -eq "Enabled"
		)
	)
) -and not (
	user.assignedPlans -all (assignedPlan.servicePlanId -eq "")
)

If you want to do something similar for other licenses, the service plan IDs for all SKUs are listed here:

https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/identity/users/licensing-service-plan-reference.md
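As an added example (not part of the original post), the following Microsoft Graph PowerShell snippet evaluates the same predicate as the rule above locally, so you can compare the resulting set of accounts with your existing naming-based exclusion group before switching, and then creates the dynamic security group carrying the rule. It assumes the Microsoft.Graph module, a signed-in admin with User.Read.All and Group.ReadWrite.All, and placeholder group names.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph PowerShell.
Connect-MgGraph -Scopes 'User.Read.All', 'Group.ReadWrite.All'

# Service plan IDs used in the rule: Teams Rooms Basic / Standard / Pro.
$roomPlanIds = @(
    '8081ca9c-188c-4b49-a8e5-c23b5e9463a8',
    'ec17f317-f4bc-451e-b2da-0167e5c260f9',
    '92c6b761-01de-457a-9dd9-793a975238f7'
)

# Local evaluation of the rule: true if any assigned plan is one of the
# Teams Rooms service plans and is currently enabled.
function Test-TeamsRoomPlan {
    param($User)
    foreach ($plan in $User.AssignedPlans) {
        if (($roomPlanIds -contains $plan.ServicePlanId) -and ($plan.CapabilityStatus -eq 'Enabled')) {
            return $true
        }
    }
    return $false
}

# Preview: which accounts would the dynamic group contain?
$roomAccounts = Get-MgUser -All -Property Id, UserPrincipalName, AssignedPlans |
    Where-Object { Test-TeamsRoomPlan $_ }
$roomAccounts | Select-Object UserPrincipalName, Id | Format-Table

# The membership rule itself (same logic as the rule shown in the post).
$rule = @'
(
 (user.assignedPlans -any (assignedPlan.servicePlanId -eq "8081ca9c-188c-4b49-a8e5-c23b5e9463a8" -and assignedPlan.capabilityStatus -eq "Enabled")) -or
 (user.assignedPlans -any (assignedPlan.servicePlanId -eq "ec17f317-f4bc-451e-b2da-0167e5c260f9" -and assignedPlan.capabilityStatus -eq "Enabled")) -or
 (user.assignedPlans -any (assignedPlan.servicePlanId -eq "92c6b761-01de-457a-9dd9-793a975238f7" -and assignedPlan.capabilityStatus -eq "Enabled"))
) -and not (user.assignedPlans -all (assignedPlan.servicePlanId -eq ""))
'@

# Placeholder names; adjust to your naming convention.
$group = New-MgGroup -DisplayName 'CA-Exclude-TeamsRooms' -MailEnabled:$false `
    -MailNickname 'ca-exclude-teamsrooms' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' -MembershipRule $rule -MembershipRuleProcessingState 'On'

"Created dynamic group $($group.Id); compare its members with the preview above once Entra ID has processed the rule."
```

Dynamic membership is evaluated asynchronously, so expect a delay before the group's member list matches the preview.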

Ghost Mailusers

We had an odd case today that Msft support hasn’t fixed yet, but in case someone googles the error and finds this, I did find a workaround.

We had a MailUser object that was inactive (soft deleted), but it couldn’t be permanently deleted using

Remove-MailUser -PermanentlyDelete -Identity $mailuser.ExternalDirectoryObjectId

The resulting error was:

This mail enabled user cannot be permanently deleted since there is a user associated with this mail enabled user in Azure Active Directory. You will first need to delete the user in Azure Active Directory. Please refer to documentation for more details.

However, nothing was found in AzureAD (or deleted users/recycle bin), and nothing was present in our on-prem AD.

This user had been deleted a long time ago and was now being rehired, but account creation was being blocked because the MailUser was still claiming this user’s email address.

After some messing around, and not patiently waiting for Msft 1st-line support to delete this corrupted MailUser, I discovered the RecalculateInactiveMailUser switch of the Set-MailUser command.

Normally, you can’t modify the primary SMTP address or aliases of a soft-deleted MailUser or mailbox… BUT, for some reason, if you supply -RecalculateInactiveMailUser, you can. So:

Set-MailUser -Identity $mailuser.ExternalDirectoryObjectId -EmailAddresses $newProxies -RecalculateInactiveMailUser

Worked fine! While

Set-MailUser -Identity $mailuser.ExternalDirectoryObjectId -EmailAddresses $newProxies

Failed with

The operation couldn’t be performed because object ‘270fc89f-0424-42d2-8f54-25796f74457b’ couldn’t be found on ‘DB8PR02A05DC001.EURPR02A005.PROD.OUTLOOK.COM’.
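As an added example (not from the original post), here is the workaround above as a complete Exchange Online PowerShell script: it locates the soft-deleted MailUser still claiming an address, moves its SMTP addresses to a parking alias, applies the change with -RecalculateInactiveMailUser and verifies the address is free. It assumes a Connect-ExchangeOnline session; the address and tenant domain are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline was run.
$claimedAddress = 'jane.doe@contoso.com'       # constructed: the address being blocked
$parkingDomain  = 'contoso.onmicrosoft.com'    # constructed: domain for the parking alias

# Find the soft-deleted ("ghost") MailUser that still holds the address.
# -contains on strings is case-insensitive, so SMTP:/smtp: prefixes both match.
$ghost = @(Get-MailUser -SoftDeletedMailUser -ResultSize Unlimited |
    Where-Object { $_.EmailAddresses -contains "smtp:$claimedAddress" })
if ($ghost.Count -eq 0) { throw "No soft-deleted MailUser claims $claimedAddress" }
if ($ghost.Count -gt 1) { throw "More than one soft-deleted MailUser claims $claimedAddress; inspect manually" }
$ghost = $ghost[0]

# Build the new proxy list: a unique parking address becomes the primary SMTP
# address, every other SMTP alias is dropped, non-SMTP entries (X500, SIP) are kept.
$localPart  = ($claimedAddress -split '@')[0]
$parkedSmtp = "SMTP:$localPart.ghost-$($ghost.ExternalDirectoryObjectId)@$parkingDomain"
$newProxies = @($parkedSmtp) + @($ghost.EmailAddresses | Where-Object { $_ -notmatch '^smtp:' })

Write-Host "Moving addresses of '$($ghost.DisplayName)' ($($ghost.ExternalDirectoryObjectId)) to $parkedSmtp"

# Without -RecalculateInactiveMailUser this call fails on a soft-deleted object
# (see the "couldn't be found on ..." error above); with it, the change applies.
Set-MailUser -Identity $ghost.ExternalDirectoryObjectId -EmailAddresses $newProxies -RecalculateInactiveMailUser

# Verify nothing in the tenant, soft-deleted objects included, still claims the address.
$stillClaimed = Get-Recipient -IncludeSoftDeletedRecipients -ResultSize Unlimited |
    Where-Object { $_.EmailAddresses -contains "smtp:$claimedAddress" }
if ($stillClaimed) {
    Write-Warning "Address $claimedAddress is still claimed by: $($stillClaimed.Identity -join ', ')"
} else {
    Write-Host "Address $claimedAddress is free; the rehired user can now be created."
}
```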