Exchange

What’s that? Just another script for listing users and their group memberships. You feed it a text file with UPNs, it queries Microsoft Graph, and spits out a flat CSV like: UserPrincipalName PrimarySmtpAddress GroupName GroupEmail GroupType [email protected] [email protected] Some DL [email protected] DistributionList [email protected] [email protected] Security Group ABC [email protected] MailSecurityGroup [email protected] [email protected] Some DL [email protected] DistributionList Where’s it? On GitHub Requirements PowerShell 5.1+ or PowerShell 7+ Microsoft Graph PowerShell SDK Permissions: User.Read.All, GroupMember.Read.All, Group.Read.All

Domain Removal Issues If you want to remove a domain from an M365 tenant, you need to deprovision all associated objects first - easy to say, harder to do. If the domain is not federated, M365 can handle it for you - it simply removes aliases and updates the Primary SMTP address and/or UPN to the default domain (domain.onmicrosoft.com). However, this does not work for federated domains. You have to remove everything manually, which is manageable for one domain. In my case, I had to remove 150. ...

Get-GroupMemberReport PowerShell script to audit Distribution Lists and Microsoft 365 Groups membership using Microsoft Graph API. Returns transitive (recursive) member counts - including all nested group members. Why? Get-DistributionGroupMember only returns direct members, not nested Exchange Online cmdlets have pagination timeouts on large tenants Graph API’s Get-MgGroupTransitiveMemberCount solves both problems Requirements PowerShell 5.1+ or PowerShell 7+ Microsoft Graph PowerShell SDK Permissions: Group.Read.All, Directory.Read.All Usage 1 2 3 4 5 6 7 8 9 10 11 # Distribution Lists only .\Get-GroupMemberReport.ps1 -DL # Microsoft 365 Groups only .\Get-GroupMemberReport.ps1 -M365 # Both types .\Get-GroupMemberReport.ps1 -All # Test mode - first ~100 DLs or M365 .\Get-GroupMemberReport.ps1 -DL/M365 -TestLimit 100 Output CSV file with columns: ...

The Problem Classic Exchange Online scenario - trying to remove an orphaned (maybe used to be synced) object. Getting slapped in the face with error The Solution Two words: Graph API. Step 1: Get the Mail Contact ID First, we need to identify the exact object we’re dealing with: 1 Get-MailContact [email protected] | Format-List Id This will give the unique identifier for the mail contact. Step 2: Verify the Object in Graph API Better safe than sorry- let’s do a double check. Replace <ID> with the ID from Step 1: ...

Just a simple one-liner When you have many room mailboxes, granting someone access to each room calendar one-by-one is painful. This one-liner reads a list of room SMTP addresses from a text file and applies the same permission to each mailbox calendar. 1 2 3 4 5 Get-Content .\rooms.txt | % { Write-Host "Working on $_" -ForegroundColor Cyan Add-MailboxFolderPermission -Identity "$($_.Trim()):\Calendar" -User "[email protected]" -AccessRights Reviewer } Notes Text file we import via Get-Content contains a room email address per line .Trim is being used to remove blank spaces in TXT file - (’ [email protected]’ -> ‘[email protected]’) - it’s just a safety feature I like to use In some tenants, the calendar folder name might be localized (for example “Kalendarz” in Poland, “Kalender” in Germany and “Calendier” for France) If permissions are already granted for an user, you need to either remove these and re-add or use Set-MailboxFolderPermissions

The easy part Creating distribution lists in bulk is quite simple. Just a CSV file: 1 2 3 4 name,mail Fancy Group,[email protected] Another Fancy Group,[email protected] Not That Fancy Group,[email protected] And for-each loop 1 2 3 4 5 6 7 Import-Csv .\groups.csv | ForEach-Object { New-DistributionGroup -Name $_.name -PrimarySmtpAddress $_.mail -OrganizationalUnit 'OU=Groups,DC=wrong,DC=went,DC=something,DC=dev' -Type Security } Result: Name DisplayName GroupType PrimarySmtpAddress Fancy Group Fancy Group Universal, SecurityEnabled [email protected] Another Fancy Group Another Fancy Group Universal, SecurityEnabled [email protected] Not That Fancy Group Not That Fancy Group Universal, SecurityEnabled [email protected] But updating msExchExtensionAttribute is different A below won’t work as there is no such command under Set-DistributionGroup. ...