...

You must be a tenant admin on your Office 365 tenant to run the cmdlets.

Connecting to Office 365 using Powershell

We are going to connect to Office 365 using Powershell. For this, we have to set up a remote Powershell session. First, we need to check if we are allowed to do so:

  • Check the current script execution policy
```powershell
PS C:\> Get-ExecutionPolicy
Restricted
```
  • If we are not allowed to execute remote signed scripts, we have to change the execution policy. Powershell may need to be started as Administrator for this.
```powershell
PS C:\> Set-ExecutionPolicy RemoteSigned
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
```

Now we are able to start a remote Powershell session to Office 365:

  • Connect to Office 365 using your tenant admin account and import the Powershell session:
```powershell
PS C:\> $O365Cred = Get-Credential
PS C:\> $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
WARNING: Your connection has been redirected to the following URI:
"https://ps.outlook.com/PowerShell-LiveID?PSVersion=4.0 "
PS C:\> Import-PSSession $O365Session -AllowClobber
WARNING: The names of some imported commands from the module 'tmp_eiaj1j0m.dcw' include unapproved verbs that might
make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the
Verbose parameter. For a list of approved verbs, type Get-Verb.
ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.0        tmp_eiaj1j0m.dcw                    {Add-AvailabilityAddressSpace, Add-DistributionGroupMember...
```

Global steps

  1. Create one or multiple service accounts, depending on the number of users using the integration.
  2. Create a mail-enabled universal security group containing the created service account(s).
  3. Delegate calendar permissions to the security group for all users using the integration.

...

  • Click Next.
  • Click Next.
  • Click New.

Using Powershell

  • Open the Exchange Management Shell.
  • Create a new mailbox using the New-Mailbox cmdlet. Replace the parameters to match your situation and preferences:

...

  • Make sure Membership Approval is set to "Closed" for both options:

  • Optionally, hide the distribution group from the Exchange address lists:

Using Powershell

  • Open the Exchange Management Shell.
  • Create a new mail-enabled universal security group using the New-DistributionGroup cmdlet. Replace the parameters to match your situation and preferences:

...

  • Optionally, open the newly created security group properties and check "Hide this group from address lists".

Using Powershell

  • Connect Powershell to Office 365.
  • Create a new mail-enabled universal security group using the New-DistributionGroup cmdlet. Replace the parameters to match your situation and preferences:

...

Finally, we need to give the security group containing the service account(s) delegated calendar permissions on the mailboxes of the users. We assume that all users who are allowed to use the calendar integration are members of an existing security group.

...

Exchange on-premises

  • Open the Exchange Management Shell.
  • Import the ActiveDirectory module, when necessary.
  • Select all mailboxes to set the delegation permissions on. We assume that these accounts are grouped in a security group. In the following example, all users are in the security group "staff". 
```powershell
PS C:\> $mailboxes = Get-ADGroupMember -Identity staff | Get-ADUser | ForEach-Object {Get-Mailbox -Identity $_.UserPrincipalName -errorAction silentlyContinue}
```
  • Finally, allow Author rights for the service account security group to all selected mailboxes. On line 1, we set the security group created in a previous step. Then we loop through all mailboxes we have retrieved in the previous step. For each mailbox, we get the path to the calendar folder (line 4). We have to explicitly retrieve this name, since the calendar folder name is localised. We then check if permissions have already been set (line 5). If not, we add Author permissions (line 8). If already set, we update the permissions (line 12).
```powershell
PS C:\> $secgroup = "sa-mytt-exch-secgroup@dev.eveoh.local"
foreach ($m in $mailboxes)
{
    $path = ($m | Select-Object -ExpandProperty PrimarySmtpAddress).ToString() + ":\" + (Get-MailboxFolderStatistics $m.UserPrincipalName | Where-Object { $_.Foldertype -eq "Calendar" } | Select-Object -First 1).Name
    $permissions = @(Get-MailboxFolderPermission -Identity $path -User $secgroup -ErrorAction SilentlyContinue).count
    if ($permissions -eq 0) {
        # not in ACL, add permission
        Add-MailboxFolderPermission -Identity $path -User $secgroup -AccessRights Author
    }
    else {
        # user is already in ACL, change permission
        Set-MailboxFolderPermission -Identity $path -User $secgroup -AccessRights Author
    }
}
```

Office 365

  • Connect Powershell to Office 365.
  • Select all accounts to set the delegation permissions on. We assume that these accounts are grouped in a security group. In the following example, all users are in the security group "Staff". First, get the security group ObjectId:
```powershell
PS C:\> Get-MsolGroup | Where-Object {$_.DisplayName -eq "Staff"}
ObjectId                               DisplayName                GroupType                  Description
--------                               -----------                ---------                  -----------
64731c32-f1df-4b92-8dbe-1809c23ff85b   Staff                      Security
```
  • Then get all members of the selected security group and get their mailboxes:
```powershell
PS C:\> $mailboxes = Get-MsolGroupMember -GroupObjectId 64731c32-f1df-4b92-8dbe-1809c23ff85b | Get-MsolUser | ForEach-Object {Get-Mailbox -Identity $_.UserPrincipalName -errorAction silentlyContinue}
```
  • Finally, allow Author rights for the service account security group to all selected mailboxes. On line 1, we set the security group created in a previous step. Then we loop through all mailboxes we have retrieved in the previous step. For each mailbox, we get the path to the calendar folder (line 4). We have to explicitly retrieve this name, since the calendar folder name is localised. We then check if permissions have already been set (line 5). If not, we add Author permissions (line 8). If already set, we update the permissions (line 12).
```powershell
PS C:\> $secgroup = "sa-mytt-exch-secgroup@eveoh.onmicrosoft.com"
foreach ($m in $mailboxes)
{
    $path = $m.PrimarySmtpAddress + ":\" + (Get-MailboxFolderStatistics $m.PrimarySmtpAddress | Where-Object { $_.Foldertype -eq "Calendar" } | Select-Object -First 1).Name
    $permissions = @(Get-MailboxFolderPermission -Identity $path -User $secgroup -ErrorAction SilentlyContinue).count
    if ($permissions -eq 0) {
        # not in ACL, add permission
        Add-MailboxFolderPermission -Identity $path -User $secgroup -AccessRights Author
    }
    else {
        # user is already in ACL, change permission
        Set-MailboxFolderPermission -Identity $path -User $secgroup -AccessRights Author
    }
}
```
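
Once the loop has run, it is worth confirming that every calendar carries exactly the intended right for the group and nothing broader. The following is an added example, not part of the original page: it assumes `$mailboxes` and `$secgroup` are set as in the steps above and that the Exchange cmdlets are available in the session; `Get-CalendarDelegationAudit` is a hypothetical helper name.

```powershell
# Added example: audit the calendar delegation configured above.
# Assumes $mailboxes and $secgroup exist as set in the preceding steps.
# Get-CalendarDelegationAudit is a hypothetical helper name.
function Get-CalendarDelegationAudit {
    param(
        [Parameter(Mandatory)] $Mailboxes,
        [Parameter(Mandatory)] [string] $SecurityGroup,
        [string] $ExpectedRight = 'Author'
    )
    foreach ($m in $Mailboxes) {
        $smtp = $m.PrimarySmtpAddress.ToString()
        # The calendar folder name is localised, so find it by folder type.
        $calendar = Get-MailboxFolderStatistics -Identity $smtp -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
        if (-not $calendar) {
            [pscustomobject]@{ Mailbox = $smtp; Folder = $null; Rights = ''; Status = 'NoCalendarFolder' }
            continue
        }
        $path = $smtp + ':\' + $calendar.Name
        # ACL entry for the security group on this calendar, if there is one.
        $entry = @(Get-MailboxFolderPermission -Identity $path -User $SecurityGroup -ErrorAction SilentlyContinue)
        $rights = @($entry | ForEach-Object { $_.AccessRights } | ForEach-Object { "$_" })
        if ($entry.Count -eq 0) { $status = 'Missing' }
        elseif ($rights.Count -eq 1 -and $rights[0] -eq $ExpectedRight) { $status = 'OK' }
        else { $status = 'Unexpected' }
        [pscustomobject]@{ Mailbox = $smtp; Folder = $path; Rights = ($rights -join ','); Status = $status }
    }
}

# Show only the mailboxes that deviate from the intended delegation.
$report = Get-CalendarDelegationAudit -Mailboxes $mailboxes -SecurityGroup $secgroup
$report | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

A row reported as `Unexpected` carries rights other than Author for the group and should be reviewed; `Missing` means the group has no entry on that calendar.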