Forum Discussion
JeremyTBradshaw
May 30, 2023, Iron Contributor
EXO's "User" and "Trustee" properties returned from Get-Mailbox/RecipientPermission
The_Exchange_Team I have a situation where FullAccess and Send-As permission holder users have their PrimarySmtpAddress/UserPrincipalName value stored within various properties on multiple different ...
JeremyTBradshaw
May 31, 2023, Iron Contributor
The duplicate thing: check your side with Get-RecipientPermission -Identity <MbxId> (with/without -Trustee <TrusteeId>) -ReadFromDomainController. You'll see what I mean. It outputs a recipient object for <MbxId>, as many times as there are Trustees to return from the ACE. It does not output the <TrusteeId> (or the list of Trustees' recipient objects).
I'm adding a wishlist item here for a new command in EXO PowerShell. Something like my Get-MailboxTrustee.ps1 script which can get FullAccess/Send-As/Send-on-Behalf/Folder Permissions. This wishful command would have parameters allowing us to choose which permission types to return. All of the various ACEs that are output would be one consistent object type where the User or Trustee property is a guaranteed unique [GUID] property (e.g., Guid, ExternalDirectoryObjectId, etc. (object/string, either fine)). I would be delighted to see a new/official Get-MailboxTrustee command that works like this. Where it could excel beyond Get-MailboxTrustee.ps1 / Get-ExoMailboxTrustee.ps1 is that it could offer the option to do a full mailbox folder permission dump. Maybe someday...
VasilMichev
Jun 01, 2023, MVP
Sorry, I wasn't clear. The duplicate entries when using ReadFromDomainController are unfortunate, luckily you get the correct object when combining it with the -User switch.
But for your original question, I'm curious whether one of the duplicate UPNs/PrimarySMTPaddress entries you're seeing corresponds to a GuestMailUser object.
- JeremyTBradshaw
Jun 01, 2023, Iron Contributor
In my current scenario, there are 2 separate Exchange orgs with Hybrid Configs into the same tenant. There are some users from org1 who have moved over to org 2. They only require 1 mailbox, but require a user account in both orgs, and need to be visible in both orgs' Address Books. This was accomplished by converting the original mailbox to mailuser and the externalEmailAddress is the new mailbox in org2.
Everything is happy with this arrangement, such as AAD Connect and AAD (no conflicts etc). The only issue is this mailbox permissions non-repudiation.
It's funny because I remember way back in 2004, my teacher Jim, who was teaching me courses for MCSA 2003, was very vocal about the importance of non-repudiation in IT security and compliance. Here it is 20 years later and customers do not have guaranteed non-repudiation within their mailbox ACLs.
- JeremyTBradshaw
Jun 02, 2023, Iron Contributor
Well, to end off my week with a little more grace, I am here to dial back some of my harsh word choices earlier. In the end, I do appreciate the -ReadFromDomainController secret move, however I will prefer to do Get-Recipient -Filter for UPN instead. Which leaves confirmation of what the other value is (Name, something else) when it's not the UPN format, for the GrantSendOnBehalfTo property.
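The Get-Recipient -Filter approach mentioned above, as an added example that is not the thread's own Get-MailboxTrustee.ps1 script: it resolves the string-valued User/Trustee/GrantSendOnBehalfTo values to ExternalDirectoryObjectId and flags any trustee string that resolves to zero or more than one recipient (for example a MailUser and a Mailbox sharing a UPN/SMTP address). The function name, the Where-Object exclusions and the shared@contoso.com identity are assumptions; an established Exchange Online PowerShell session is assumed.

```powershell
# Added example: map mailbox ACE trustee strings back to a unique directory object
# and surface the ambiguous ones for an audit. Not the thread's own script.
function Resolve-MailboxTrustee {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Trustee
    )
    process {
        # Built-in/well-known principals never map to a recipient; report and move on.
        if ($Trustee -match '^(NT AUTHORITY\\|BUILTIN\\|S-1-5-)') {
            return [pscustomobject]@{ Trustee = $Trustee; MatchCount = 0; Ambiguous = $false
                                      RecipientTypeDetails = 'BuiltIn'; ExternalDirectoryObjectId = $null }
        }
        # OPATH string literals use single quotes; double any embedded single quote.
        $escaped = $Trustee.Replace("'", "''")
        if ($Trustee -like '*@*') {
            # UPN/SMTP-looking value: try both properties, since the thread notes either may be stored.
            $filter = "UserPrincipalName -eq '$escaped' -or PrimarySmtpAddress -eq '$escaped'"
        } else {
            # GrantSendOnBehalfTo and some ACEs carry a Name instead of an address.
            $filter = "Name -eq '$escaped' -or DisplayName -eq '$escaped'"
        }
        # Avoid $matches (automatic variable); collect into an array so .Count is reliable.
        $found = @(Get-Recipient -Filter $filter -ResultSize Unlimited)
        [pscustomobject]@{
            Trustee                   = $Trustee
            MatchCount                = $found.Count
            Ambiguous                 = ($found.Count -ne 1)   # 0 = orphaned ACE, >1 = non-unique trustee
            RecipientTypeDetails      = ($found.RecipientTypeDetails -join ';')
            ExternalDirectoryObjectId = ($found.ExternalDirectoryObjectId -join ';')
        }
    }
}

# Usage (constructed identity): FullAccess, Send-As and Send-on-Behalf trustees for one mailbox.
$mbx = 'shared@contoso.com'
$trustees = @(
    (Get-MailboxPermission -Identity $mbx | Where-Object { -not $_.IsInherited -and -not $_.Deny }).User
    (Get-RecipientPermission -Identity $mbx | Where-Object { $_.AccessControlType -eq 'Allow' }).Trustee
    (Get-Mailbox -Identity $mbx).GrantSendOnBehalfTo
) | Where-Object { $_ } | Sort-Object -Unique

$trustees | Resolve-MailboxTrustee | Where-Object Ambiguous | Format-Table -AutoSize
```

Rows with MatchCount greater than 1 are exactly the non-repudiation gap discussed in the thread: the ACE string alone cannot tell you which object holds the permission, so the ExternalDirectoryObjectId column lists every candidate.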