Remove orphaned delegation permissions of a deleted user in Exchange Online mailbox

You might think that a user’s delegate permissions for other mailboxes will be removed up on deleting the account in the Azure Active Directory, apparently it wasn’t in my case.

access20delegation-01_thumb

Scenario:

Location – Calendar folder of ‘manoj@mantoso.live:\Calendar’

Delegated editor permissions to – ‘Marie Jonas’ (Abandoned identity after AD account deletion)

Even though this particular account was permanently deleted from Azure AD after 30 days of marking deletion, the delegation access (editor) to other users’ Exchange mailboxes remained intact which caused the following strange behaviors that I had to get rid of.

  • Others can still spot this user’s name in the calendar invites
  • Possibly in other various occasions too based on the permissions the user had before deleted

Here’s the PowerShell command to fetch the permissions of a specific location. This will list down all the delegated permissions of ‘Manoj’s’ Exchange calendar. In my case, the abandoned user also popped up in the results.

Get-EXOMailboxFolderPermission "manoj@mantoso.live:\calendar" 

e.g0.1

Now, to dig further down to be more specific to this mysterious user, let’s run this command

Get-EXOMailboxFolderPermission "manoj@mantoso.live:\calendar" | where {$_.user.tostring() -like "Marie Jonas*"}

e.g0

This means the permission thumbprint is intact even after the account was permanently deleted which is a mystery. Now to get rid of this, we can use this command below. I tried several other approaches from various Microsoft articles and forum posts but none of them worked but the following.

Get-EXOMailboxFolderPermission "<user@domian.com:\calendar>" | where {$_.user.tostring() -like "<FirstName Last Name>*"} | Remove-MailboxFolderPermission -Confirm:$False

After running that with no errors/warnings. I ran Get command again to verify if it really was a success. And Yes ! Nothing returned, which means the permissions are now cleared for this abandoned identity of ‘Marie Jonas’.

2

Allowed it a couple of hours, her name disappeared from the calendar invites as well.

Get-EXOMailboxFolderPermission "<user@domian.com:\calendar>" | where {$_.user.tostring() -like "<FirstName Last Name>*"} | Remove-MailboxFolderPermission -Confirm:$False

Determine On-Premise and Cloud Mailbox Users

During an Exchange online management activity for one of our enterprise clients, I had to determine which mailboxes are on cloud and which ones still resides on-premise. After going through several PS commands, I had to come up with a customized basic script to get this done neatly. This script will run against Office 365 and check for the following.

Get licensed users, fetch Display Name, UPN and IsLicensed properties and format the output then export the result to an CSV file.

Connect to Exchange online PowerShell using Connect-ExchangeOnline and then run the following  after customizing the output path to suit your environment.

Get-MsolUser -MaxResults 50000 |
Where-Object isLicensed -eq $true |
Select-Object -Property DisplayName, UserPrincipalName, isLicensed,
                        @{label='MailboxLocation';expression={
                            switch ($_.MSExchRecipientTypeDetails) {
                                      1 {'Onprem'; break}
                                      2147483648 {'Office365'; break}
                                      default {'Unknown'}
                                  }
                        }} | Export-Csv c:\Official\Tools\mailusers.csv

You can run it directly from PowerShell which would result as below if everything went well.

clip_image001

Or use PowerShell ISE

clip_image002

Result would look something similar to this.

image

Get-MsolUser -MaxResults 50000 |
Where-Object isLicensed -eq $true |
Select-Object -Property DisplayName, UserPrincipalName, isLicensed,
                        @{label='MailboxLocation';expression={
                            switch ($_.MSExchRecipientTypeDetails) {
                                      1 {'Onprem'; break}
                                      2147483648 {'Office365'; break}
                                      default {'Unknown'}
                                  }
                        }} | Export-Csv c:\Official\Tools\mailusers.csv

Allow all users to see everyone’s calendar in an Office 365 environment

Yes you are right!. Setting this access right organization-wide is surely raises a major privacy concern specially when it comes to personal details (such as HR and Operation related events) in employee’s calendars.

Information-sharing

However, there can be exceptional scenarios where business decides what they need, such as the pandemic situation the whole world face right now (COVID-19) as every organization prepares to work from home and allow people to interact online in more efficient and effective ways. In my case, one of our top level client badly needed to enable everyone’s calendar visible to everyone in the company to allow people to efficiently get in touch.

This is possible and exchange online has the capability to do it, but, make sure you do it for an absolute purpose. In Exchange online, you can set the default internal sharing policy for Office 365 user’s calendars using PowerShell. You may decide to set the default for all current users to Limited Details, then add exceptions for users whose calendar is to be kept to Availability (Free/Busy) only. There are various roles to define as per your need.

The AccessRights parameter in the PS command below specifies the permissions that you want to modify for the user on the mailbox folder. The values that you specify replace the existing permissions for the user on the folder.

You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.

I am emphasizing again, DO NOT DO THIS Unless there is an absolute necessity.

For None-MFA environment (even though MFA is a fundamental and very common security requirement, there can be exceptional cases) – Amend the AccessRights parameter accordingly

$credentials = Get-Credential -Credential elliot@gcits.com.au

Write-Output “Getting the Exchange Online cmdlets”

$Session = New-PSSession -ConnectionUri https://outlook.office365.com/powershell-liveid/ `

-ConfigurationName Microsoft.Exchange -Credential $credentials `

-Authentication Basic -AllowRedirection

Import-PSSession $Session

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {

$cal = $user.alias+”:\Calendar”

Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer

}

For MFA environments

Preparation:

Run this to get the current state of all user mailboxes as exported to a CSV file. This will help on the verification later in case if you need to reverse this (Pre)

Connect-EXOPSSession

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {

$cal = $user.alias+”:\Calendar”

Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer

}

$file=”C:\Temp\Calendar-Post.csv”
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach($user in $usermailboxes) {
$cal = $user.alias+":\Calendar"
$perms = get-MailboxFolderPermission -Identity $cal -User Default
$Perms | select identity, Foldername, AccessRights | export-csv $file -append
}

Applying Access Rights:

Now let’s change the access right for all user mailboxes. Amend the AccessRights parameter according to your requirement (applied to all user mailboxes)

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {
$cal = $user.alias+”:\Calendar”
Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights AvailabilityOnly
}

If you wish to avoid an selected user mailbox (May be CEO’s ?), you can use the following (with the “userprincipalname” “–ne” parameters to add an exception)

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox | where userprincipalname -ne “mark@mantoso.onmicrosoft.com”) {
$cal = $user.alias+”:\Calendar”
Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights AvailabilityOnly
}

Connect-EXOPSSession

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {

$cal = $user.alias+”:\Calendar”

Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer

}

$file=”C:\Temp\Calendar-Post.csv”
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach($user in $usermailboxes) {
$cal = $user.alias+":\Calendar"
$perms = get-MailboxFolderPermission -Identity $cal -User Default
$Perms | select identity, Foldername, AccessRights | export-csv $file -append
}

Verification:

To verify the result against a single user mailbox, you can run this line

Get-MailboxFolderPermission neil@mantoso.onmicrosoft.com:\calendar

Or run the following to get the result of all user mailboxes exported as a CSV file so it can be compared with the CSV you got before applying the change (Post)

$file=”C:\Temp\Calendar-Post.csv”
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach($user in $usermailboxes) {
$cal = $user.alias+":\Calendar"
$perms = get-MailboxFolderPermission -Identity $cal -User Default
$Perms | select identity, Foldername, AccessRights | export-csv $file -append
}

clip_image001Testing:

Now let’s see how this works after changing the permissions. Details wise, this is how it shown now (looking at Chnau’s Calendar from Manoj’s Mailbox)

Private Events in Chanu’s Calendar (Only the date/time and Subject)

clip_image002

None Private Events in the Chanu’s Calendar (Shown Items in detail)

  1. Subject
  2. Location
  3. Organizer
  4. Attachments
  5. Attendees and response status
  6. Date/Time 
clip_image004

Item opened in full window

clip_image006

Here’s the full list of roles available to set. You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.

Individual permissions:

  • CreateItems: The user can create items in the specified folder.
  • CreateSubfolders: The user can create subfolders in the specified folder.
  • DeleteAllItems: The user can delete all items in the specified folder.
  • DeleteOwnedItems: The user can only delete items that they created from the specified folder.
  • EditAllItems: The user can edit all items in the specified folder.
  • EditOwnedItems: The user can only edit items that they created in the specified folder.
  • FolderContact: The user is the contact for the specified public folder.
  • FolderOwner: The user is the owner of the specified folder. The user can view the folder, move the folder, and create subfolders. The user can’t read items, edit items, delete items, or create items.
  • FolderVisible: The user can view the specified folder, but can’t read or edit items within the specified public folder.
  • ReadItems: The user can read items within the specified folder.

The roles that are available, along with the permissions that they assign, are described in the following list:

  • Author:CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
  • Contributor:CreateItems, FolderVisible
  • Editor:CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
  • None:FolderVisible
  • NonEditingAuthor:CreateItems, FolderVisible, ReadItems
  • Owner:CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
  • PublishingEditor:CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
  • PublishingAuthor:CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
  • Reviewer:FolderVisible, ReadItems

The following roles apply specifically to calendar folders:

  • AvailabilityOnly: View only availability data
  • LimitedDetails: View availability data with subject and location

Reference – Set Mailbox Folder Permissions (Microsoft Docs)

Error when trying to open a OneDrive uploaded file from Outlook client application: The page that you are trying to access cannot be loaded

From the first look this error definitely sounds like “Office 365 ATP Safe links or Safe attachments” policy components blocking the files behind the scenes, but it’s not !. Well, it could be the same error in such scenarios but in my case, Safe Link or Safe Attachment policies were not the issue.

clip_image001

Scenario: Users trying to share content within the organization by uploading them to a OneDrive/SharePoint location chosen from the dropdown as attached to the Outlook email on the go.

Attach a file to email and upload it to OneDrive/SharePoint

clip_image002

Attach a file from SharePoint/OneDrive

clip_image003

Once added the cloud based file to the mail, this is how it looks. Then send it out

clip_image004

Emails are smoothly delivered to the recipients however, when they try to open them (by simply clicking on the URL), recipients get the above error (The page that you are trying to access cannot be loaded)

This happens only when:

  • Users use desktop application of Outlook (not happening in OWA, files are accessed in OWA without an issue)
  • Or, Attached the file in to OneDrive or SharePoint as shown below (not happening when file URL is pasted to Outlook email)

The environment had Office 365 ATP safe link and Safe attachment policies implemented properly. And the exceptions are added to trusted partners across the globe for this company (as a multi-national)

clip_image005

clip_image006

clip_image007

clip_image008

Resolution: Due to the criticality of this organization-wide behavior, I worked with Microsoft Support team towards a fix and here’s what we did.

We ran a fiddler session while opening the file from both OWA and Client App and reviewed the recording – OWA is working fine while outlook not able to access the wrapped URL. It looked like outlook API used for calling ATP is not functioning well.

Microsoft further analyzed by collecting below information and then engaged the Product Group:

  • Collect fiddler trace for both OWA and Outlook to make comparison
  • Copy the Wrapped URL from OWA and Outlook
  • Collect the corresponding message sample

As of now, Microsoft Product Group for ATP have not identified if it is a misconfiguration or product related bug, however, I receive constant responses stating that they are actively working towards a resolution. I will update this space as soon as I hear anything applicable towards a resolution/ETA.

Workaround: The only workaround for this is to request users to make use of Outlook Web whenever a file needs to be opened that is received via an email.

Legitimate emails (Including Internal Emails) get constantly quarantined in Office 365 Exchange

Sometimes emails hit the Quarantine state because the message is spam-ish or potentially malicious to be delivered to the end user (Admin quarantined). Usually when end users notify you regarding the legitimate email being quarantined, review section in Office 365 (https://protection.office.com/threatreview ) protection blade will help you to retrieve, review and release those legitimate messages to intended users. However, I faced an abnormal situation of “Internally shared emails were frequently quarantined for no valid reason”. And, they had no suspicious behavior/trend.

clip_image001

Whenever there is a legitimate email being quarantined, we can fetch it from the review section. Simply by typing the sender address or subject line will sort the message and allow us to review it and then take the necessary action.

clip_image002

These messages below are obvious Malwares and Phish. So this is not my concern at all ! O365 security is doing a great job here catching hundreds of malicious items daily !!

clip_image003

But how about these two cases?

  • Legitimate/genuine mails are admin quarantined – from a trusted partners or external vendors/customers being regularly admin quarantined even without reaching to end user spam folder?
  • Even internal emails shared within the organization being admin quarantined?

Workarounds?

Whitelisting won’t fix this – Filling up your whitelist is not a good idea as “Whitelisting” and address or domain means, it will completely bypass the spam filter which is an obvious risk.

On the 1st case, the external domain is a very valid domain with a valid SPF and email content didn’t seem to match any suspicious trend policy. I can simply go ahead and release these messages if this happens occasionally but that’s not the best practice in this modern era. Adding these internal addresses is not recommended either (you should not add your own domain/emails to whitelist in Exchange online) .

Resolution?:

Bottom-line is, those emails are marked as Phishing meaning that there’s a link somewhere in that email that’s broken and doesn’t go where it states it should. However, as I submitted these emails to Microsoft and raised a support ticket, I was informed that this is an issue Microsoft Spam team/product group is currently working diligently to fix this issue soon. Hence at this point of time, it is a waiting game and just a matter of baring with them during the process.

ETA: None as of now

I will update this post as soon as I receive a progress update from Microsoft support.

Blocking spam senders and domains in Office 365

Security is a one of the most significantly improved areas of Microsoft Office 365. If you are using Exchange Online mailboxes under your Office 365 tenant or a consumer of standalone exchange online protection (EOP), your emails are protected either way.

How_to_Block_Spam_Emails

Exchange online protection (a.k.a EOP) Is part of the Microsoft’s email safety roadmap which constantly evolves in a unmatched cross-product approach. As email usage has rapidly grown, so has the email security concerns. The idea behind EOP is to provide a range of comprehensive abilities in order to protect millions of users from Junk, phishing (fraudulent mail threats) and malware attacks which are some of the well-known types of email related abuses.

Exchange Online however, has the built in ability to protect you from many threats. Nevertheless, there could be some scenarios that you need to manually handle as an Exchange/Office 365 Administrator. The following article will show you on how to prevent receiving spamming emails from a specific address, domain because, there can be rare cases that one or few emails able to get through EOP and hit the user mailbox (again, very rarely).

In my case, it was the following email which arrived in few user mailboxes (looked obviously spam and the user immediately reported to me). At this point, we can make use of “Blocked Sender List” in Exchange to prevent this happening again. And, as EOP spam filtering learns from known spam and phishing threats and user feedback, it’s a great idea to submit these kind of messages to Microsoft so that they will use it to train the AI based component behind the EOP.


From: Sonia Luton <staffprojectz@post.cz>

Subject: Project

[EXTERNAL EMAIL]

Hi Melina,

There is something i need you to do for me. Let me know if you are available. I am going into a meeting with a limited access to phone calls, just reply my email and i will get back to you.

Thanks,

Sonia


So the address is staffprojectz@post.cz and the domain is post.cz. From Office 365 Exchange Admin Centre, navigate to Exchange admin center and “Protection” –> “Spam Filter” . Click on the “default policy”

clip_image001

The following flyout will be opened. Navigate to “Blocked lists”

clip_image002

Click on the + icon to add a new blocked sender and insert the desired address.

clip_image003

Then let’s add the domain too for blocking.

clip_image004

Once added, the domain will be in the blocked list and Office 365 will entirely block any emails from this domain.

clip_image005

Save it and monitor your email traffic time to time to identify if it’s being blocked.

clip_image006

Change Exchange Room Meeting Title Settings

If you are reading this post, probably you needed to change that title appears in your O365 meeting room . Meeting rooms in Office 365 offer some basic settings in the GUI but the advance settings like this one has to be dealt via PowerShell. The following commands will help you to adjust the title for O365 meeting room. You can either do this individually or set for all existing room mailboxes.

meeting room2

Refer to this Microsoft reference for detailed list of available commands for creating and managing mailboxes in Office 365

Run this to get the list of room mailboxes which has the default setting (shows Organizer in every meeting subject)

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'RoomMailbox'" | Get-CalendarProcessing | Format-List Identity,AddOrganizerToSubject 

clip_image001

Now, that shows what are the room with default setting and the ones have changed to display the Organizer name in the title. To change the behavior, below command can be used

Change for individual room mailboxes (Affect to the targeted specific room mailbox)

Get-Mailbox -Identity <Replace With MeetingRoomName> | Set-CalendarProcessing -AddOrganizerToSubject $True

clip_image002

Change for all existing room mailboxes (Affect to all current room mailboxes)

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'RoomMailbox'" | Set-CalendarProcessing -AddOrganizerToSubject $True 

Fixed: In Exchange Online, messages sent from a shared mailbox aren’t saved to the Sent Items folder of the shared mailbox

In Microsoft Exchange, shared mailboxes doesn’t require a product license and cannot be added to Outlook as an independent account/mailbox. Basically, You can’t sign in to a shared mailbox. What you normally do it, you sign in to your own account/mailbox, and open the shared mailbox from there.

As the title suggest when you send or reply to a new message from the shared mailbox, Outlook automatically sends or replies from your account (sender’s). Therefore, messages are stored in the Sent Items folder of your (sender’s) mailbox. In this case, a shared mailbox won’t store the outgoing mails in the common shared mailbox which can cause visibility issue specially in a collaboration environment. Nevertheless, we still have an option to manage this hassle.

The following steps will help you to enable the Save a copy feature in Exchange Online Environment.

To do this for a one specific shared mailbox (or very few), you can simply enable it from the Admin UI. Login to Office 365 tenant –> and direct to Admin Center –> Exchange Admin Center –> Groups –> Shared Mailboxes –> Select the Mailbox –> Use tap the option below

clip_image001[6]

Edit the ‘Copied to Mailbox’ options

clip_image002[6]

Enable first option here, or peraps both depends on your needs.

clip_image003[6]

To do it as a bulk for all shared mailboxes, Launch Exchange Online PowerShell Module and Connect to the tenant by signing in as shown below

Connect-EXOPSSession

clip_image001

clip_image002

Once authenticated, you should see an outcome like this

clip_image003

Now let’s get the the current state of the Shared Mailboxes by running this command. It will return the list of Shared Mailboxes that are enabled for sent item copies currently. This means you can revert back this change if required but only to these ones, not for all.

Get-Mailbox -RecipientTypeDetails shared | Where-Object{$_.messagecopyforsentasenabled -eq ""}

clip_image004

Let’s also get the Mailboxes that are already enabled this feature. In case if we revert this back to its original state, we will have to leave these mailboxes as they were so this would be useful In such situation.

clip_image005

And, we can now run the following all existing Shared Mailboxes to enable it.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'SharedMailbox')} | set-mailbox -MessageCopyForSentAsEnabled $True | Where-Object{$_.messagecopyforsentasenabled -eq ""}

clip_image006

Finally , we need to verify if it went well. This command results all sharedmailboxes that are enabled this feature. If it lists down all – you have done it right ! In my case, I only have 4 altogether so it has run perfectly there.

Get-Mailbox -RecipientTypeDetails shared | Where-Object{$_.messagecopyforsentasenabled -eq "True"}

clip_image007

Reversing this change: In case if you’re in a situation to reverse this change. You can do so in two ways.

To reverse it to original state for a specific one shared mailbox. use this command or Admin UI as explain in the beginning of this article.

set-mailbox testshare2bymanoj -MessageCopyForSentAsEnabled $False

image

To reverse it to original state for all shared mailboxes. use this command

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'SharedMailbox')} | set-mailbox -MessageCopyForSentAsEnabled $False | Where-Object{$_.messagecopyforsentasenabled -eq "True"}

image

Make sure you disconnect the remote PowerShell session when finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you’ll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.

Remove-PSSession $Session