Updating Distribution Group and the error – You don’t have sufficient permissions

Each Distribution Group has at least one “owner.”

Technically speaking, only the Distribution Group owner is “allowed” to perform management tasks such as updated to the Distribution Group.

In case that Exchange Online Administrator tries to update properties of Distribution Group, which he is not the owner of this Distribution Group, in some scenarios, the following error message appears:

Notice that although the user performing an update of the Distribution Group properties has Global Administrator credentials, the fact that he is not the Distribution Group owner could “stop” him from complete the required management task.

The good news is that the PowerShell cmdlets that we use for managing Distribution Group include a parameter named – BypassSecurityGroupManagerCheck.
In case that you try to perform a management task, and the “permission error” appears, you can add the BypassSecurityGroupManagerCheck parameter to the “original PowerShell command.”

For example

Set-DistributionGroup -Identity "<Distribution Group Name>" –ManagedBy <Identity> -BypassSecurityGroupManagerCheck

Creating New Distribution Group

New-DistributionGroup -Name "<Distribution Group Name>"

New-DistributionGroup -Name “Sales USA”

New-DistributionGroup -Name <Distribution Group name> -DisplayName <DL display name> 
-Alias <Alias>-PrimarySmtpAddress <Email Address> -ManagedBy <identity>

New-DistributionGroup -Name “Sales USA” -DisplayName “Sales USA mail list” -Alias “SalesUSA”
-PrimarySmtpAddress SalesUSA@o365info.com -ManagedBy Brad

New-DistributionGroup -Name <Distribution Group Name> -Type Security

New-DistributionGroup -Name “Sales Italy” -Type Security

Import-CSV <Path> | ForEach {New-DistributionGroup -Name $_.name -Type $_.Type}

Import-CSV C:\Temp\DL-Group.csv | ForEach {New-DistributionGroup -Name $_.name -Type $_.Type}

2. Manage existing Distribution Group settings

Set-DistributionGroup "<Distribution Group Name>" -RequireSenderAuthenticationEnabled $False

Set-DistributionGroup  “Sales USA” -RequireSenderAuthenticationEnabled $False

Get-DistributionGroup | Set-DistributionGroup  -RequireSenderAuthenticationEnabled $False

Set-DistributionGroup -Identity "<Distribution Group Name>" –ManagedBy <Identity>

Set-DistributionGroup -Identity "Sales USA" -ManagedBy Brad -BypassSecurityGroupManagerCheck

Set-DistributionGroup “<Distribution Group name>” -ManagedBy  
@{Add='<Identity 1>','<Identity 2>'}

Set-DistributionGroup “Sales USA” -ManagedBy  @{Add='bob','brad'}

Set-DistributionGroup “<Distribution Group name>” -ManagedBy  @{Add='<Identity 1>','<Identity 2>'; Remove='<Identity 1>' }

Set-DistributionGroup “Sales USA” -ManagedBy  @{Add='bob','bradp' ; Remove='Angelina' }

$GroupList = Import-CSV C:\temp\Distribution-Groups-information.csv
ForEach ($group in $GroupList)
{
ForEach ($user in $GroupList)
{
}
Set-DistributionGroup -BypassSecurityGroupManagerCheck -Identity $group.GroupName -managedby $user.ManagedBy
}

Get-DistributionGroup |Set-DistributionGroup -ManagedBy <Identity> 
–BypassSecurityGroupManagerCheck

Get-DistributionGroup | Set-DistributionGroup -ManagedBy Brad –BypassSecurityGroupManagerCheck

$AllNewDistributionGroups  = Get-DistributionGroup | Where {$_.WhenCreated –ge ((Get-Date).Adddays(-14))}
ForEach ($Group in $AllNewDistributionGroups)
{
Set-DistributionGroup -Identity $Group.name –ManagedBy Bob
}

Set-DistributionGroup "<Distribution Group name>" -PrimarySmtpAddress <primary E-mail address>

Set-DistributionGroup "Sales UK" -PrimarySmtpAddress SalesUK@o365info.com

Set-DistributionGroup "<Distribution Group name>" SMTP:<primary E-mail address>

Set-DistributionGroup "Sales UK" -emailaddresses SMTP:SalesUK@o365info.com

$GroupList = Import-CSV C:\temp\Distribution-Groups-information.csv
ForEach ($group in $GroupList)
{
ForEach ($email in $GroupList)
{
}
Set-DistributionGroup -BypassSecurityGroupManagerCheck -Identity $group.GroupName -PrimarySmtpAddress $email.email
}

Set-DistributionGroup “Sales UK” -emailaddresses @{Add='
SalesUK02@o365info.com','SalesUK02@o365info.com','SalesUK02@o365info.com'}

Set-DistributionGroup “Sales UK” -emailaddresses 'SalesUK02@o365info.com', 'SalesUK03@o365info.com'

Set-DistributionGroup "<Distribution Group Name>" -EmailAddresses SMTP:<Primary Email>,<Alias Email>

Set-DistributionGroup "Sales UK" –EmailAddresses SMTP:DL-USA@o365info.com,dev@o365info.com

Set-DistributionGroup “<Distribution Group name>” -EmailAddresses @{Remove='<Identity 1>', '<Identity 2>' }

Set-DistributionGroup "Sales UK" -EmailAddresses @{Remove=' Sales01@o365info.com', ' Sales02@o365info.com' }

Set-DistributionGroup "<Distribution Group Name>" -HiddenFromAddressListsEnabled $True

Set-DistributionGroup "Sales UK" -HiddenFromAddressListsEnabled $True

Set-DistributionGroup "<Distribution Group Name>" –AcceptMessagesOnlyFrom <Allowed E-mail address 1>, < Allowed E-mail address 2>

Set-DistributionGroup "Sales UK" –AcceptMessagesOnlyFrom Bradp@o365info.com,Angelina@o365info.com

Set-DistributionGroup "<Distribution Group Name>" –ModeratedBy <E-mail address>, <E-mail address>

Set-DistributionGroup "Sales UK" –ModeratedBy Bradp@o365info.com,Angelina@o365info.com

Set-DistributionGroup "<Distribution Group Name>" –SendOofMessageToOriginatorEnabled $True 

Set-DistributionGroup "Sales UK" –SendOofMessageToOriginatorEnabled $True 

Add-RecipientPermission "<Distribution Group Name>" -Trustee <Identity> -AccessRights SendAs -Confirm:$False

Add-RecipientPermission "Sales UK" -Trustee Brad -AccessRights SendAs -Confirm:$False

Manage Distribution Group using PowerShell in Office 365 | Article series index

Adding members to Distribution Group – prefix

In the next sections, we review two main scenarios, in which we need to add a “NEW member” to existing Distribution Group.

• Scenario 1#2 – in this scenario, we want to add a “bulk” of users to a specific Distribution Group (many to one relationship).
• Scenario 2#2 – in this scenario we want to add a specific user to “bulk” of Distribution Groups (one to many relationship).

The management task of adding new members to Distribution Group, is implemented by using the PowerShell cmdlet – Add-DistributionGroupMember.

Working with Distribution Group lists and Distribution Group member lists.

In the next section, we work with a concept which can be described as – “Group,” “list” or if we want to use the more technical term – “Array.”

This term defines a logical container, that “store objects (members)

In the specific scenario, we will use an “Array,” that contain user objects or Distribution Group objects.

In our example, we create an “array” by using one of the following methods:

• Option 1 – “array” that is created from the output from of a varies PowerShell commands.
  For example, the list of existing Distribution Group that we get from the
  PowerShell command – Get-DistributionGroup
• Option 2 – using a file as a “source” for the “array”.
  In this case, we use a file (most of the time CSV file) that includes a list of Distribution Groups, a list of users and so on.
• Option 3 – creating “array” by manually providing the “list” of the required Distribution Group or a list of Users. In this case, we manually provide the name of each Distribution Group or each user, separated by a comma.

Scenario 1 – Add a user (recipient) to a Distribution Group

This is a simple scenario, in which we wish to add a specific user to a Distribution Group.

In this example, we “write down” the name of the Distribution Group and the name of the “member” which will be added to the Distribution Group.

Add-DistributionGroupMember "<Distribution Group Name>" -Member <Identity>

Add-DistributionGroupMember -Identity "Sales UK" -Member Bradp

Add a list of users to a specific Distribution Group

In the following section, we review examples of different scenarios, which their common denominator is that we need to add a “list of user” (array) to a specific Distribution Group.

This scenario can be described as – a relationship of – many to one.

Scenario 1 – Add a “list of users” (multiple users) to Distribution Group | Import the “members list” from a CSV File

In this case, we want to add members to an existing Distribution Group, by importing the list of member’s from a CSV (Comma Separated Value) file.

In the current scenario, we export information about Office 365 users to a CSV file, by using the following PowerShell command:

Get-mailbox | Select DisplayName,Alias,PrimarySmtpAddress |  Export-CSV c:\temp\Distribution-Groups-Members.csv –NoTypeInformation -Encoding utf8

The CSV file structure and “logic”
The CSV file structure is based upon the concept of – “column” and “rows.”

In our example, the CSV file includes a list of users. Notice that each user (each row) can have a couple of “identities.”

For example, each user has the following identities: Display name, Alias and Primary E-mail address.

In our example, we “relate” to the user identity, by “fetching” the user identity stored in the
column named PrimaryE-mailaddress.

Technically speaking, we can choose another user’s identity such as “DisplayName” or “Alias.”

The PowerShell command structure.
The PowerShell script that we use is based on the following syntax:

$<Variable> = Import-CSV <path>

ForEach ($<Variable> in $<Variable>)
{
Add-DistributionGroupMember -Identity "<DL NAME>" -Member $<Variable>.<Identity>
}

• Part 1#3 – In the first part of the PowerShell command, we import the information (the list of users) from the CSV file. In our example, we “declare” about a
  variable named – $UsersList that will serve as a logical container for the content of the CSV file.
• Part 2#3 – In the second part of the PowerShell command, we use the “ForEach” PowerShell statement, for executing a “loop process.”
  The PowerShell “loop process” use an additional variable named – $User.
• The $User variable, serve as “temporary” container that will store a specific user identity for each “cycle” in the loop process.
• Part 3#3 – this is the “actual PowerShell command” that we use (Add-DistributionGroupMember) for adding each of the users that appear in the CSV file to a specific Distribution Group.

In our example, the Distribution Group name is – “Marketing USA”

Notice that we relate to the Distribution Group member by using a combination of the $User variable that is “attached” to the specific column in the CSV file named – PrimarySmtpAddress, by using the following convention $User.PrimarySmtpAddress.

In other words, we instruct the PowerShell loop process to use the PrimarySmtpAddress as the user identity.

$Userslist = Import-CSV C:\Temp\Distribution-Groups-Members.csv
ForEach ($User in $Userslist)
{
Add-DistributionGroupMember -Identity "Sales France" -Member $User.PrimarySmtpAddress
}

Scenario 2 – Add a “list of users” to Distribution Group | Users whom their department is equal to X.

In this scenario, our mission is to find all the users that their department is Sales, and these users to a Distribution Group named – “Sales worldwide”

In our example, the organization has a couple of sales departments, such as – Sales USA, Sales UK and so on.

To fulfill this requirement, we create the required list of users, by “executing” a PowerShell command that performs “filtered search.”

The PowerShell filtered search will look for all users, which their department is starting with the string “Sales*.”

We use the variable $SalesUsers for storing this information about the user’s list.

In the next step, we run a PowerShell loop process, which will use the information stored in the
variable – $SalesUsers and add each of the members stored in the $SalesUsers variable to the Distribution Group – Sales worldwide.

$SalesUsers = Get-User | Where {$_.Department -like “Sales*”}
foreach ($User in $SalesUsers)
{
Add-DistributionGroupMember -Identity "Sales worldwide " -Member $User.name
}

Add a user (recipient) to Multiple Distribution Groups (bulk mode)

In the following section, we review examples of different scenarios, which their common denominator is – the need for adding a specific user to “many” or “multiple” (array) Distribution Group at the same time.

This scenario can be described as – a relationship of – one to many.

Scenario 1 | Add user (recipient) to multiple distribution groups | Manually providing the name of each Distribution Group.

In this section, I would like to review the scenario in which we want to add a specific user as a member to a list (array) of Distribution Groups

The information about the “destination Distribution Group” will be written as a part of the PowerShell command, and stored in a variable.

• The user whom we want to add as a member to the various Distribution Group is – Brad.

The PowerShell command that we use, includes two parts:

• Part 1#2 – in the first part of the PowerShell command, we define the PowerShell variable
  named – $GroupList, which serve as a “logical container” for the “array” of the Distribution Groups.
  In other words, define the list of the Distribution Group to which the user is going to be added.
• Part 2#2 – In the second part of the PowerShell command, we use the “ForEach” PowerShell statement, for executing a “loop process.” The PowerShell “loop process” instructs PowerShell to:
  • “Get” the information stored in $GroupList
  • “Fetch” the name of the first Distribution Group in the list.
  • Add the user name as a member of the Distribution Group.

After the PowerShell loop, the process completes the task that relates to the “first Distribution Group” in the “list,” the PowerShell loop process starts the process all over with the “second Distribution Group” in the list until the “end” or the last name in the list.

$Variable = "<Distribution Group name>","<Distribution Group name>","<Distribution Group name>"
ForEach ($item in $Variable)
{Add-DistributionGroupMember -Identity $item –Member <Identity>}

$DistributionGroupsList = "Sales UK","Sales USA","Sales Italy"
ForEach ($item in $DistributionGroupsList)
{
Add-DistributionGroupMember -Identity $item –Member Bradp 
–BypassSecurityGroupManagerCheck
}

Scenario 2 | Add user (recipient) to multiple distribution groups | Using the PowerShell command for getting a list of all existing Distribution Groups.

In this scenario, we want to add a specific user to all the existing Distribution Groups.

To be able to fulfill this requirement, we need to define an “array,” that include all the available Distribution Groups.

The array of Distribution Group will be defined in the following way:

We will use a variable named – $ALLDistributionGroups ,that will store the output from the PowerShell command – Get-Distribution group -resultsize unlimited.
In the second part of the PowerShell command, we use the “ForEach” PowerShell statement, for executing a “loop process” on the results (the array the include the list of existing Distribution Groups).

An example of the PowerShell syntax that we use is:

$ALLDistributionGroups = Get-Distributiongroup -resultsize unlimited
ForEach ($item in $ALLDistributionGroups)
{
Add-DistributionGroupMember -Identity $item –Member Bradp
}

Scenario 3 | Add user (recipient) to multiple distribution groups | read the information about the Distribution Group list from a CSV file.

In this example, the information about the “list of Distribution Groups,” is stored in a CSV file. Technically speaking, the CSV file can include many additional “information columns,” beside of the specific column that includes the Distribution Groups names.

In our specific example, the column that includes the Distribution Group names named – “GroupName.”

It’s important to mention that the column header name is not a “predefined name” or a mandatory name.

Instead, the column name is just an arbitrary name, that we choose. The only “restriction” is that the name of the header will not contain any spaces.

• In the first part of the PowerShell command, we define a variable named – $DistributionGroupsList, that stores the content of the CSV file (the CSV file that contains the list of the Distribution Groups).
• The second part of the PowerShell command will “access” the information stored in the
  column – GroupName.

$DistributionGroupsList = Import-CSV C:\Temp\Distribution-Group-list.csv
ForEach ($Group in $DistributionGroupsList)
{
Add-DistributionGroupMember -Identity $Group.GroupName -Member Brad
}

Scenario 4 | Add user (recipient) to multiple distribution groups | get a list of Distribution Group that was created in the last X hours.

In the following example, we want to add the user Brad as a member of all the Distribution Groups, that was created in the last 48 hours.

• Part 1#2 – in the first part of the PowerShell command, we define the PowerShell variable
  named – $AllNewDistributionGroups.
  The $AllNewDistributionGroups variable will store the output from a PowerShell query that “fetch” all the Distribution Group that their “creation time” is less or equal to the last 40 hours.
• Part 2#2 – In the second part of the PowerShell command, we use the “ForEach” PowerShell statement, for executing a “loop process” on the results.
  The PowerShell command will relate to each of the Distribution Group by using the $Group variable that will use the “name” property of the Distribution Group object.

$AllNewDistributionGroups  = Get-DistributionGroup | Where {$_.WhenCreated –ge ((Get-Date).AddHours(-48))}
ForEach ($Group in $AllNewDistributionGroups)
{
Add-DistributionGroupMember -Identity $Group.name –Member Bradp
}

Scenario 5 – Add user to Distribution Group only if the user is not already a member of the Distribution Group

In the following scenario, we wish to verify if a specific user is a member of a Distribution Group, if the user is not a member of the Distribution Group, we want to add the user as a member of the Distribution Group.

Scenario description

• The user whom we want to check is – Bob.
• The Distribution Group name is – Sales France.

To be able to fulfill this requirement, we can use the following PowerShell command

$Recipient = Get-Recipient -Identity bob
$Group = get-DistributionGroup -Identity 'Sales France'
$GetMember = Get-DistributionGroupMember $Group.name
if ($Group.name -notcontains $Recipient.Name)
{Add-DistributionGroupMember -Identity $Group.Name -Member $Recipient.Name}

Manage Distribution Group using PowerShell in Office 365 | Article series index

View information about Distribution Groups

Get-DistributionGroup

Get-DistributionGroupMember "<Distribution Group Name>"

Get-DistributionGroupMember "Sales France"

Get-DistributionGroupMember IT | Sort -Property DisplayName | Select DisplayName, Alias, Department

(Get-DistributionGroupMember "IT").Count

Get-DistributionGroup | Where {$_.emailaddresses –like <"*Domain Name*">} | FT -Property Name,Alias,EmailAddresses -Autosize

Get-DistributionGroup | Where {$_.emailaddresses –like "*o365info.com*"} | FT -Property Name,Alias,EmailAddresses -Autosize

Get-DistributionGroup | Where {$_.WhenCreated –ge ((Get-Date).Adddays(-14))} | FT DisplayName,WhenCreated

Get-DistributionGroup | Where {$_.WhenCreated –le ((Get-Date). Adddays (-14))} | FT DisplayName,WhenCreated

Get-DistributionGroup | Where {$_.ManagedBy  -like “*adele*”} | FT DisplayName,ManagedBy

Get-DistributionGroup | FT DisplayName,ModeratedBy

Get-DistributionGroup | Where {$_.ModeratedBy -notlike “$null”} | FT DisplayName,ManagedBy

Get-DistributionGroup | Where {$_.IsDirSynced  -eq $true} | FT DisplayName, IsDirSynced

Get-DistributionGroup | Where {$_.RequireSenderAuthenticationEnabled -eq $True} | FT DisplayName,RequireSenderAuthenticationEnabled

Get-DistributionGroup | Where {$_.RequireSenderAuthenticationEnabled -eq $False } | FT DisplayName,RequireSenderAuthenticationEnabled

$User = read-host “User Name"
$UserDName = (Get-Mailbox $User).name
"The User " + $User + " is a member of the following Distribution Groups:"
ForEach ($DistributionGroup in Get-Distributiongroup -resultsize unlimited)
{
if ((Get-Distributiongroupmember $DistributionGroup.identity | select -expand name) -contains $UserDName)
{$DistributionGroup.name}
}

Export information about Distribution Groups

Get-DistributionGroup | Out-File c:\temp\DistributionGroups.TXT

Get-DistributionGroup | Export-CSV c:\temp\DistributionGroups.CSV –NoTypeInformation -Encoding UTF8

Get-DistributionGroup | ConvertTo-Html c:\temp\DistributionGroups.HTML

$Groups = Get-DistributionGroup -ResultSize Unlimited 
Foreach ($Group in $Groups) 
{     
	$Members = Get-DistributionGroupMember -Identity $($Group.PrimarySmtpAddress) 
	Foreach ($Member in $Members) 
	{ 
		Out-File -FilePath c:\temp\DistributionGroupMember.csv -InputObject "$($Group.DisplayName),$($Member.DisplayName),$($Member.PrimarySMTPAddress)" -Encoding UTF8 -append 
	} 
}

Manage Distribution Group using PowerShell in Office 365 | Article series index

The article includes two main sections:

1. Distribution Group management tasks that relate to deletion of Distribution Group or deletion of members from a Distribution Group.
2. Additional Distribution Group posable management task which I describe as – “Playing with Distribution Group.” In this section, we review two “tricks” that enable us to bypass inherent limitations of a Distribution Group.
   • Converting Office 365 distribution Group to Security Group and vice versa.
   • Assign “Full Access” permissions to Distribution Group + use AutoMapping option.

1. Delete Distribution Group + Remove members from Distribution Group

Remove-DistributionGroup "<Distribution Group Name>"

Remove-DistributionGroup "Sales USA "

Remove-DistributionGroupMember -Identity "<Distribution Group name>" -Member "<Member name>"

Remove-DistributionGroupMember -Identity "Sales USA" -Member "Bob"

$DistributionGroups = Get-Distributiongroup -resultsize unlimited
$UserDName = read-host “Enter User Name"
$UserDName = (Get-Mailbox $User).name
"Searching which groups " + $User + " is a member of and removing membership..."
ForEach ($Group in $DistributionGroups)
{
if ((Get-Distributiongroupmember $Group.Name | select -expand name) -contains $UserDName)
{
write-host "Removing user from group '$Group'"
Remove-DistributionGroupMember -Identity "$Group" -Member "$UserDName" -Confirm:$false
}
}

$DistributionGroupMember = Get-DistributionGroupMember "IT"
ForEach ($member in $DistributionGroupMember)
{
Remove-DistributionGroupMember -Identity IT –Member $member.name -Confirm:$false
}

How to convert Distribution Group into a security group | Tips and tricks

Let’s start with the simple fact that at the current time, Office 365 and Exchange Online environment doesn’t provide an option for converting existing Distribution Group to a security group (the most accurate term is a mail-enabled security group).

I use the term “convert” for describing a process that can partially simulate the process of converting group from type X to type Y.

The solution that I offer is based on the following steps:

1. Create a NEW security Distribution Group.
2. Copy all the members from the existing Distribution Group to the “destination” security Distribution Group.
3. Delete \ Remove the Distribution Group

It’s important to me to mention that, the “trick” in which we copy the numbers from one type of group (the Distribution Group) to the “other group” (security group) is not providing a “full solution” because, the group properties such as mail permissions or other Distribution Group properties are not “migrated” to the new group.

In the following section, I provide two “flavor” of the PowerShell script that will implement the “group conversation process.”

The first example implements a very basic process that copies the Distribution Group member to the NEW group.

$Members = Get-DistributionGroupMember -id "<Name of the source group>"
ForEach ($Member in $Members)
{
Add-DistributionGroupMember -Identity "<Name of the destination security group>" -Member $Member.name
}

The second example, provides more “sophisticated operation” and performs the following tasks:

• Creating the NEW “destination security group”
• Define a group name that is based on the following naming convention – the name of the Distribution Group + the string “NEW”.
• Copy the remember from the Distribution Group to a temporary variable.
• Copy the Distribution Group members to the “NEW security group.”

Variation 2

$DistributionGroupName = Read-Host -prompt "Type the Distribution Group name"

$Members = Get-DistributionGroupMember -id $DistributionGroupName
New-DistributionGroup -Name $DistributionGroupName-NEW -Type Security
ForEach ($Member in $Members)
{
Write-host “NEW security group named - $DistributionGroupName-NEW created!”
Write-host “The security group - $DistributionGroupName-NEW contain all the members of the Distribution Group named - $DistributionGroupName”
Add-DistributionGroupMember -Identity "$DistributionGroupName-NEW" -Member $Member.name
}

Assign “Full Access” permissions to Distribution Group + use AutoMapping option | Tips and tricks

In the following section, we use a trick, that will enable us to provide Full Access permissions to each of the members who include in a specific Distribution Group.

We will not get into a very detailed explanation of the possible permission’s matrix in Exchange and Exchange Online base environment, but shortly explain that technically, we cannot provide permissions to Distribution Group on “other objects” such as Exchange Online mailbox because Distribution Group is not a “security-enabled object.”

In other words, technically, we cannot fulfill the requirement of providing Full access permissions to a Distribution Group on the other Exchange mailbox.

The trick that we use, bypass this limitation in the following way:

• We get a list of each member in a specific Distribution Group
• We store this information temporarily in a variable
• We take the information stored in the variable (the Distribution Group members) and assign Full access permission for each of the members on the “destination mailbox.”
• In case that we assign the Full access permission “directly” to a specific Exchange user account, the feature of “AutoMap” will be activated and after the Full Access permissions are assigned, the “destination mailbox” will automatically appear in the user Outlook mail profile.

$DistributionGroupName = Get-DistributionGroupMember "<Distribution Group name>"
ForEach ($Member in $DistributionGroupName)
{
Add-MailboxPermission -Identity "<mailbox identity>“ -User $Member.name -AccessRights ‘FullAccess’ -InheritanceType all
}

• In our example, the Distribution Group name is – Sales France
• The destination mailbox meaning the mailbox which we want to provide the Full access permissions is the mailbox of a user named – Brad

$DistributionGroupName = Get-DistributionGroupMember "Sales France"
ForEach ($Member in $DistributionGroupName)
{
Add-MailboxPermission -Identity "Bradp"  -User $Member.name -AccessRights ‘FullAccess’ -InheritanceType all
}

Manage Distribution Group using PowerShell in Office 365 | Article series index

The other half of the Full Access permission’s process is related, to the way that the user who has the permissions view the “destination Mailbox.”

In the second part of the article, we will review how Outlook and OWA mail client view a mailbox which the user has Full permissions on it.

Our scenario description

In our example, we would like to assign a user named – Chris, Full Access permissions on Frank mailbox.

After we provide the required permissions, we will need to verify the Chris can view Frank mailbox when he uses Outlook + OWA mail clients.

Assigned Full Access permissions to the Exchange Online mailbox

How to access your mailbox you have Full access permissions - Outlook

How to access your mailbox you have Full access permissions – OWA

In case that a user has Full Access permissions to another user mailbox and he uses OWA mail client, he needs to implement a short procedure to add the “additional mailbox” to his OWA mail profile.

• Login to your OWA mail profile
• Click on the More menu

• Right click on the “recipient name.” In our example, Chris

• Select the menu – Add share folder…

• In the search box, Active Directory the name of the recipient whom you want to add his mailbox.

• Click Add

In the following screenshot, we can see the when Chris open his Outlook mail profile, the additional mailbox was added to his Outlook mail profile.

The combination of – Arrays and the Loop process (which implemented by using the PowerShell “ForEach statement”), is a very powerful tool, that enables us to perform a bulk administrative task on multiple objects in “one click”.

The “problem” (or the challenge if we want to use a more politically correct word) is that most of the Exchange or Office 365 administrators are a little scary from the “PowerShell monster”, and especially more “complex scenario” in which we need to use a PowerShell command that includes more then one line.

The good news is that If you’re ready to invest a little time by reading the following two articles, you will find that the terms “Array”, Loop process and “ForEach statement” are not so scary.

After you will learn how to “enroll” this tools, you will get a very useful tool that could improve and optimize your day to day administrative tasks!

Generally speaking, to the concept of the “Array” are relevant to any programming or script Language but as mentioned, in the current article, the examples are related to Office 365 environment.

What should I learn about “arrays”?

In PowerShell environment, we use the concept of “Arrays” many times, whether we know it or not. In case that we want to understand better many of the PowerShell command syntax examples, and to effectively utilize “PowerShell,” we should have a basic understating of the “arrays” concept.

What is the meaning of Array?

Let’s start with a formal definition of the term “Array” as it appears in Wikipedia:

In simple words, the term “Array” define a group or a list of “objects” that we can “address” or relate to when using a PowerShell command.

The Array considers as a collection of objects or other term -collections of members.

Theoretically, the Array can be empty or, contain zero members, but most of the time, we use the “Array” for grouping or “binding” one or more “objects.”

The next question that can appear is – what are these “objects” or who are these “members”?

The terms “objects” or “member” is a very general term that we use for describing different types of “entities” that we want to address.

In PowerShell based environment, there is a multiple of examples to the term “objects.”

For example, an object can be considered as Exchange mailbox, Office 365 users, operating system process or even a “row” in a file.

An Array can contain 100% of a specific type of object or, a “subset” of specific objects with a specific character or a specific property.

For example,

The PowerShell command – Get-Mailbox, will get a list of all Exchange mailboxes.
In other words, we can say that the PowerShell command – Get-Mailbox, creates an Array that contains all the objects that considered as “mailbox object”.

The PowerShell command –

will get a list of all Exchange Online mailboxes that considered as “user mailboxes.”

In other words, in this case, the Array that created contain only a specific subset or a “group” of Exchange mailboxes, that have a specific property (RecipientTypeDetails), and considered as – “User mailbox.”

How does Array is created?

Another interesting question that we can ask is – what are the methods that we can use for creating an “Array”?

There are various ways for “creating” an Array.

1. Using basic PowerShell command – for example, each PowerShell cmdlets that start with the prefix “Get,” create an Array.
2. Information that stored in a file in a specific format such as CSV file, can also be considered as an “Array”. When we need to access information that stored in a CSV file, each “row” in the CSV file, considered as “array members,” and each column in the CSV file will be considered as a “member property”.
3. Using Group – although we don’t use to relate to a “Group” as an “Array,” Group is actually an array. A “group” serve as a logical container that contains Group members, and this is the exact definition of Array.
4. Writing manually each member – an additional method for creating “Array” is simply implemented by manually writing each of the Array members. For example, when we assign permission to the specific user mailbox, we can assign the permissions for multiple users (Array). The creation of the “Array” is implemented by writing down, each of the users (members) separated by the comma character.

PowerShell command as a tool for creating arrays

In this section, I would like to relate to the PowerShell command prefix “Get” as one of our main methods for creating an “Array.”

Each time we run a PowerShell command with the prefix “Get,” we are actually asking from PowerShell to create for as an “Array”.

By default, the “Array content” will be displayed by the PowerShell command on the PowerShell console, but it’s important to emphasize that the first “action” that is implemented by PowerShell command is – storing the “Array data” in the computer RAM, and only then, copy the information to the PowerShell console.

Beside of viewing the “Array data” in the PowerShell console, we can use the Array information that is stored in the RAM and choose what we want to “do” with the data.

For example, we can export the array information to a file, “pipe” to information to another PowerShell command and so on.

An example, creating an array by using the PowerShell Get-Mailbox command.

Exchange infrastructure includes dozens, even hundreds of different objects type such as Exchange recipients, groups, connectors, mailboxes and so on.

When we use a PowerShell cmdlets such as – Get-Mailbox, we are asking from Exchange Online to provide us information about a very specific object type – “Exchange mailboxes.”

When we write, the PowerShell Get-Mailbox, and “hit” the Enter key, PowerShell is automatically creating an “array space”, and “fill in” the array store with an information about all the existing Exchange mailboxes.

An additional example of creating an array by using PowerShell

Another example of an Array that we create by using a PowerShell command, can be an example in which we use the following PowerShell command that create a filtered search such as:

In this case, we “ask” from Exchange to provide us a list of all Exchange users (an array of Exchange Online users), but add additional Filter, that includes the condition – “fetch information” only if the user title is – Administrator.

Using a PowerShell variable

If we want to simplify the explanation of the term “variable,” we can relate to the variable component” as a “logical container that holds “data.”

Most of the time, the “data” stored in the variable, can be considered as an “Array data”.

The “variable,” can be considered as an “essential component,” that is used quite often, when using a PowerShell “ForEach statement” and arrays.

Using variable – The Flow of events

When using a PowerShell variable, the following phases or steps are implemented:

• Step 1#3 – in the first phase, we declare the variable, and the “variable store” is empty.
• Step 2#3 – In the second phase, we store information in the “variable store,” by “redirecting” the output of PowerShell “Get” commands.
• Step 3#3 – Later, we use an additional PowerShell command\s, that “access” the information stored in the variable, and “do something” with this information.

The variable syntax in PowerShell environment.

The variable “syntax” is written in the following way:

• Part 1#3 – We use the “$” sign for “declaring” a variable.
• Part 2#3 – Then, we define the variable name. The variable name is an arbitrary name, whom we choose. The best practice is to choose a “meaningful” variable name. Variable names are not case-sensitive. Variable names can include spaces and special characters, but these are difficult to use and should be avoided.
• Part 3#3 – Write the specific “PowerShell Get” command, that we use for “fetching data” about specific objects. The output from the PowerShell command, will be stored in the variable.

An example of variable syntax could be – $ExchangeMailboxes = Get-Mailbox

In this scenario, we defined a variable named- $ExchangeMailboxes ,that will use for storing the information that we get from the PowerShell command –
Get-Mailbox.

Using a PowerShell “ForEach” statement + Array

One of the most distinct advantages of implementing management tasks by using PowerShell, is the ability to perform a “Bulk operation” meaning, a process that will be executed on a “group” (Array) of objects.

The ability to run a specific task on array members is implemented many times by using a combination of the “ForEach” PowerShell statement + a variable that store the Array data (Array member’s).

We use the ForEach PowerShell statement for implementing the following flow:

1. “Scanning” the Array content.
2. Locate the first member in the array.
3. Run a specific PowerShell command on the Array member (“do something”).
4. Start the process all over again, by access the Array store, fetching the second member in the Array, run the requested PowerShell command and so on.

This loop process will stop after the “ForEach PowerShell statement’” locates the “last member” in the Array.

In the following diagram, we can see an example of a PowerShell command
that includes the “ForEach PowerShell statement” + PowerShell variables.

• Part 1#3 – in this part, we declare the name of the variable, and “charge” the “variable store” with the result of a “Get” PowerShell command.
• Part 2#3 – in this part, we start the “ForEach PowerShell stamen” + declare the name of additional variable, that is used for representing a specific member in the Array.
• Part 3#3 – in this part (that start with the curly brackets), we define the specific PowerShell command, that is “executed” separately for each member in the Array. This is the “Do Something” part. When using a Loop statement, the specific PowerShell command is written between curly brackets.

How to address a member in the Array?

As we know, an Array is a collection of members.
When we use a PowerShell command that uses “ForEach PowerShell statement,” we wish to address or reference each of the members in the array, and “apply” a specific PowerShell command to each of the specific members.

Technically speaking, there are a couple of methods that we can use to relate to the “Array member object.”

In the current article, I would like to review the method, in which we use an additional variable, that represents the “member object.”

The ForEach PowerShell statement, “knows” how access the “Array space” (represented by the “Array variable”), and loop through the Array.

In each Loop, the ForEach PowerShell statement “pull” a specific member from the Array (represented by the “Member variable”), run the required PowerShell command, and continue to the “next Array member.”

The name of the variable that represents the array member, is just an arbitrary name, whom we choose.

The best practice is to choose a meaningful variable name, which helps us to easily distinguish between the “member” and the “Array.”

In the following diagram, we can see the structure of the “ForEach PowerShell statement” command, in which we define the Array and the member in the Array, by using two different variables.

In our example, the variable $Mailbox represent each member in the array and the variable $ExchangeMailboxes represent the Array himself.

To be able to demonstrate the concept of Variable and Array, let’s use the following two examples:

Example 1 – view a specific array member

In the next example, we use a Variable named $ExchangeMailboxes, for storing the array that is created via the use of the PowerShell command- Get-mailbox.

The “complete PowerShell sentence” is-

In this phase, we have a Variable that contains one or more member (Exchange Online mailboxes). Theoretically, we cannot “know” what is stored in the “Variable space.”

To be able to view the first Array member stored in the Variable $ExchangeMailboxes, we can use the following PowerShell command:

$ExchangeMailboxes[0]

To view the second Array member, stored in the Variable $ExchangeMailboxes

$ExchangeMailboxes[1]

And so on.

PowerShell console output example

PS C:\script> $ExchangeMailboxes = Get-Mailbox

PS C:\script> $ExchangeMailboxes[0]

Name Alias ServerName ProhibitSendQuota

---- ----- ---------- -----------------

Adele Adele amxpr05mb0646 49.5 GB (53,150,220,288 bytes)

PS C:\script> $ExchangeMailboxes[1]

Name Alias ServerName ProhibitSendQuota

---- ----- ---------- -----------------

admin_3a5bb52c62 Bob he1pr05mb1369 49.5 GB (53,150,220,288 bytes)

Example 2 – Writing a PowerShell loop statement the display each array member

The following, example has no “real purpose” besides of the purpose of demonstrating how to Loop statement is executed for each of the Array members.

In this example, we “ask” from PowerShell to fetch each of the Array members that are stored in the Variable $ExchangeMailboxes and write on the PowerShell console screen a notification that uses the following syntax:
This is one of the array members – “(Exchange mailbox)” + <Array member name>

PowerShell command example

$ExchangeMailboxes = Get-Mailbox
ForEach ($Mailbox in $ExchangeMailboxes)
{
Write-host This is one of the array members - "(Exchange mailbox)" - $Mailbox
}

PowerShell console output example

This is one of the array members - Exchange mailbox - Adele

This is one of the array members - Exchange mailbox - Alice Good

This is one of the array members - Exchange mailbox - Alicia Keys

This is one of the array members - Exchange mailbox - Angelina Jolie

This is one of the array members - Exchange mailbox - Aretha Franklin

This is one of the array members - Exchange mailbox - Beatles the

This is one of the array members - Exchange mailbox - Beyonce

This is one of the array members - Exchange mailbox - Billy

This is one of the array members - Exchange mailbox - Bob Marley

How to specify the identity of a specific Array member?

In this section, I would like to relate to the subject of – How to specify the identity of a specific Array member?

As mentioned, we want that a specific PowerShell command will run over each member of the Array.

To enable PowerShell to perform this task, we need to use a method which will help PowerShell to “relate” to each of the members separately. In other words, we need to “tell” PowerShell, what is the “identity” of each member in the Array.,

To specify the identity of a member in an Array in PowerShell environment, we use the following syntax:

The variable name that represents the “member object” + the “dot character” + one of the object properties that represent object identity.

Sound confusing and difficult to understand?

The only solution that I know of is – reading the provided information and the examples over and over until you are able to see the “complete picture.”

In the following diagram, we can see an example of the syntax that we use for relating to a specific member in the Array.

In our example, the variable that we use for representing Array member is – $Mailbox and the “object identity property” that we use is – “DisplayName.”

Object identity” and “identity property”

This brings us to the next question – what is the meaning of “object identity,” and what is the meaning of “identity property”?

The answer is that each “PowerShell object,” has an “identity” in a similar way that each of us has an identity.

To make the issue even more complicated, each PowerShell object can have multiple identities like each of us can have multiple identities such as – private name, Nickname, Social security number and so on.

In the following diagram, we can see an example of all the available identities of Exchange mailbox in the Exchange Online based environment.

In case that you get a “headache” from the variety of the multiple identities, it’s OK!

In reality, we don’t use all the types of these “identities” but instead, only a specific set of identities that are commonly used.

Array members and the two common types of relationships

In this section, I would like to relate to the subject which I describe as “Array members and the two common types of relationships.”

Technically speaking, we can define four types of relationships between objects:

1. One to one
2. One to many
3. Many to one
4. Many to many

To be able to define “one to one” relationship, we don’t need to use an Array and “ForEach” PowerShell statement.”

Regarding the relationships which I describe as -“Many to Many,” I prefer not to relate to this type of relationship in the current article because it could become a little complicated.

In many scenarios, the most common relationships that we deal with are, the relationships which can be described as – one to many or many to one.

One to many relationships – example

The relationship which defined as “One to many,” relate to a scenario, in which we want to enable a specific object (one) to “impact” multiple objects (Array).

In other words, enable a specific object to “do something” for each member in the Array of objects.

To be able to demonstrate such relationship, let’s use the administrative task of assigning permissions.

For example, John is the Exchange Online administrator. We wish to assign John, Full Access permission on each of the existing Exchange Online mailboxes.

• In our example, that “Array” include all the Exchange Online mailboxes
• Each Exchange Online mailbox considers as a Member in the Array.
• John represents the “One” in the current relationship.
• Exchange Online mailboxes represent the “Many” in the current relationship.

Many to one relationship – example

The relationship which defined as “Many to one,” relate to a scenario, in which we want to enable multiple objects (Many) to “impact” a specific or an individual object (one).

In other words, enable a Group of objects (multiple objects) to “do something” on a specific object.

To be able to demonstrate such relationship, let’s use the administrative task of assigning permissions.

For example, we would like to assign Full Access permissions to all the users who “belong” to the IT group, on the “Help Desk mailbox” (one) that serves as a mailbox for Helpdesk tickets.

• In our example, the “Array” include all the IT members.
• Each IT user considers as a Member in the Array.
• The IT members represent the “Many” in the current relationship.
• The “Help Desk mailbox” represents the “One” in the current relationship.

Using PowerShell Loop statement + variables + define the two-common type of relationships

In this section, I would like to “rap” couple of subjects that we have reviewed, up until now, so we will be able to understand better the “whole picture.”

Using a PowerShell ForEach statement example – One to Many relationship’s examples

In the current section, we demonstrate a relationship which described as “One to Many.”

Scenario description

In our scenario, John is the Exchange Administrator.
We want to assign John Full access permissions on all the existing Exchange Online mailboxes.

To be able to fulfill this requirement, we create a PowerShell Loop command, that includes the following parts:

Part 1#3 – In this part, we define a variable named – $ExchangeMailboxes, that will “hold” the output from the PowerShell command – Get-Mailbox.

The specified PowerShell command will get the “list” of all existing Exchange Online mailboxes.

$ExchangeMailboxes = Get-Mailbox

Part 2#3 – In this part, we define an additional variable named- $Mailbox, that is used for representing each of the members in the “Exchange mailbox Array” (the information stored in the variable – $ExchangeMailboxes).

ForEach ($Mailbox in $ExchangeMailboxes)

Part 3#3 – In this part, we define the PowerShell command that will assign the user “John” a Full Access permission for each of the Exchange Online mailboxes.

Referencing each array member identity

Notice the syntax that we use for referencing each of the Array members (each of the Exchange Online mailbox) identity.

The syntax that we use is – $Mailbox.DisplayName

The identity of each member is “written,” by using the variable name that temporary hold each of the members in the array ($Mailbox) + a specific “identity” property.

In our example, we use the “DisplayName” as the identity property.

The “combination” of these two parts, enable us to “identify” each of the Array members individually in the Loop process that is executed by the “ForEach PowerShell statement.”

sing the PowerShell ForEach statement example – Many to One relationship example

In the current section, we demonstrate a relationship which described as “Many to One.”

Scenario description

The IT uses a shared mailbox named – HelpDesk, that serves for storing help desk tickets that the organization user open.

We would like to enable each of the IT members, to have a Full Access permission to the shared mailbox named – HelpDesk.

Part 1#3 – In this part, we define a variable named – $ITMembers, that will “hold” the output from the PowerShell command – Get-User | Where {$_.Title -eq “Administrator”}

The specified PowerShell command will get the “list” of all existing users, which their title contains the value – “Administrator”.

Part 2#3 – In this part, we define an additional variable named- $User, that is used for representing each of the members in the “IT array” (the information stored in the variable – $ITMembers).

Part 3#3 – In this part, we define the PowerShell command that will assign each of the IT Members, Full Access permission on the “Helpdesk mailbox”.

Referencing each array member identity

Notice the syntax that we use for referencing each of the Array members (each of the IT members) identity.

The syntax that we use is – $User.Alias

The identity of each member in the Array, is “written,” by using the variable name that temporary hold each of the members in the array ($User) + a specific “identity property”.

In our example, we use the “Alias” as the identity property.

The “combination” of these two parts, enable us to “identify” each of the Array members individually.

By default, when such a scenario occurs, the mail items that were sent by the recipient who has the Send As permissions (or the Send on Behalf permissions) are saved in the “Sent Item Folder” of the user who sent the E-mail message.

By default, a copy of the sent mail items will not be saved, in the “Sent Item Folder” of the recipient whom the E-mail was sent by his name (by using his identity – E-mail address).

For example, in our scenario user named Bob have send as permissions on Adele’s mailbox.

When Bob sends E-mail to another recipient by using the “identity” of Adele, the sent mail items are saved on Bob’s mailbox “Sent Item Folder.”

Adele is “not aware” to the fact that Bob sends E-mail messages using her name (her E-mail address) because she will not see any copy of the specific E-mail message on her “Sent Item Folder.”

The good news is that in case that we want to change this default behavior by using the PowerShell command – Set-Mailbox with a specific parameter.

Be define a specific mailbox parameter, we can change the default mailbox setting that relates to the scenario of saving (or not saving) a copy of the mail items that was sent in the “Sent Item Folder” of the recipient whom the E-mail message was sent by using his identity.

The PowerShell commands that we use is “Set-Mailbox” and the specific parameters that we use are:

1. MessageCopyForSentAsEnabled – this is the PowerShell parameter that we use for defining the “Sent item folder policy,” of the “destination mailbox, in a scenario in which a recipient (the delegate) has, the Send As permissions.
2. MessageCopyForSendOnBehalfEnabled – this is the PowerShell parameter that we use for defining the “Sent item folder policy,” of the “destination mailbox, in a scenario in which a recipient (the delegate) has, the Send On behalf permissions.

By default, this PowerShell parameter – MessageCopyForSentAsEnabled and MessageCopyForSendOnBehalfEnabled define as “False.”

When we set one of this parameter to “True,” each time that the Mailbox delegate sent mail using the “destination mailbox identity” (using the E-mail address of the mailbox), the sent mail item will be saved in:

• The “Sent items folder” of the Mailbox Delegate recipient.
• The “Sent items folder” of the Mailbox.

For example, in our scenario user named Bob have send as permissions on Adele’s mailbox.

When Bon sends E-mail to another recipient by using the “identity” of Adele, the sent mail items are saved on Bob’s mailbox “Sent Item Folder.”

After we set the setting of Adele’s mailbox by setting the PowerShell parameter – MessageCopyForSentAsEnabled as “True,” each time that Bob sends E-mail using Adele’s identity (Adele E-mail address), a copy of the sent mail will also save on Adele’s mailbox in her “Sent Item Folder.”

Standard Exchange mailbox versus Shared mailbox.

The information that was provided in the former section is relevant to any type of Exchange mailbox.

From my experience, the need to change the default setting of “Send mail items” when using the Send As permissions, is most relevant to a scenario in which we use Shared mailbox.

For this reason, all the PowerShell command examples that will be provided will use a “shared mailbox” as the “destination mailbox” but it’s important to emphasize that, you can use the specified PowerShell command to any type of Exchange mailbox.

Set the destination mailbox setting, to save a copy of sent mail items.

Set-Mailbox -Identity <identity> -MessageCopyForSentAsEnabled $True

Set-Mailbox Bob -MessageCopyForSentAsEnabled $True

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox”} | Foreach-Object {Set-Mailbox -identity $_.Alias -MessageCopyForSentAsEnabled $True }

Set-Mailbox -Identity <identity> -MessageCopyForSendOnBehalfEnabled $True

Set-Mailbox Bob -MessageCopyForSendOnBehalfEnabled $True

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox”} | Foreach-Object {Set-Mailbox -identity $_.Alias -MessageCopyForSendOnBehalfEnabled $True }

View mailbox setting that relate to saving a copy of mail items in the sent items folder

Get-Mailbox -Identity <identity> | FT Alias,MessageCopy*

Get-Mailbox Bob | FT Alias,MessageCopy*

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox”} | FT Alias,MessageCopy*

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox” -and $_.MessageCopyForSentAsEnabled -eq $False} | FT Alias,MessageCopy*

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox” -and
$_.MessageCopyForSendOnBehalfEnabled -eq $False} | FT Alias,MessageCopy*

Disable the option of - Save a copy of sent mail items in the Shared mailbox sent items folder

Set-Mailbox -Identity <identity> -MessageCopyForSentAsEnabled $False

Set-Mailbox Bob -MessageCopyForSentAsEnabled $False

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox”} | Foreach-Object {Set-Mailbox -identity $_.Alias -MessageCopyForSentAsEnabled $False }

Set-Mailbox -Identity <identity> -MessageCopyForSendOnBehalfEnabled $False

Set-Mailbox Bob -MessageCopyForSentAsEnabled $False

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox”} | Foreach-Object {Set-Mailbox -identity $_.Alias - MessageCopyForSendOnBehalfEnabled $False }

Export information about mailbox setting | View information about saving a copy of sent items settings

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox”} | FT | Out-File C:\TEMP\"Shared mailbox settings.txt" -Encoding UTF8

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox”} | Export-CSV C:\TEMP \"Shared mailbox settings.CSV" –NoTypeInformation -Encoding utf8

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox”} | Select Alias,MessageCopy* | ConvertTo-Html -Body "<H1>Shared mailbox settings </H1>" | Out-File C:\TEMP\"Shared mailbox settings.html"

In the first article, we provide a basic introduction to the Get-MessageTrace PowerShell command, and to her “sister” the Get-HistoricalSearch PowerShell command.
Another important concept that we review is the concept of “Date range” that considers as an essential component when using the Get-MessageTrace PowerShell
cmdlet.
In the next article, we provide various types of example to the user of Get-MessageTrace with different parameters and filters such – sender, recipient, subject, IP address and so on.

How to get information stored in Exchange Online log files?

In Exchange Online (Office 365) based environment, every incoming and outgoing mail transaction is “registered” in the Exchange Online log file.

The ways that are available for us, looking at the content of the Exchange Online log file is via the web base interface of Exchange Online admin center or by using PowerShell commands.

When using PowerShell in Exchange Online (Office 365) based environment for query and export information that’s stored in Exchange Online log files, there are two major PowerShell commands that we can use Get-MessageTrace and Get-HistoricalSearch.

Get-MessageTrace Advantages and Disadvantages

Advantages

• We can use the Get-MessageTrace PowerShell command for view + export information to file “in real time” (in the next section, I will explain the way I use the term “real time”).

Disadvantages

• The maximum time frame that is available for us when using the Get-MessageTrace PowerShell command is 30 days. In other words, we cannot use the Get-MessageTrace PowerShell command for “fetching” information that is stored in the Exchange Online server log that is age is over 30 days, even though Exchange Online saves mail transaction log information for a period of 90 days.
• The information that we can display on the PowerShell console or export to a file can be considered as very basic information that doesn’t include a detailed information about the specific mail transaction. Note – we can add the PowerShell command
  Get-MessageTraceDetail for getting additional information, but the information that we can get is still basic versus the information that we get from the PowerShell command – Get-HistoricalSearch

Get-HistoricalSearch Advantages and Disadvantages

Advantages

• Using the Get-HistoricalSearch, we can get a very detailed information about each mail transaction that was registered in Exchange Online server log files.
• When using the Get-HistoricalSearch PowerShell command, Exchange Online provides us an extended time frame of 90 days. In other words, we can look for mail transaction information for a period of 90 days (versus the 30-day limitation when using the PowerShell command
  Get-MessageTrace).

Disadvantages

• When using the PowerShell command Get-HistoricalSearch, the “request for information” is registered as a “task” in Exchange Online, and executed Only after several hours.
• The information that we get from the PowerShell command Get-HistoricalSearch can be overwhelming (TMI – too much information), and it’s not easy to read and understand the large chunk of information.

Recap

The main advantage of the PowerShell command Get-MessageTrace is its ability to quickly and Effectively help us to get a “high level” information about the mail transaction that registered in the Exchange Online log file.

In case that we need to perform deeper level investigation about a specific mail transaction that was registered in the Exchange Online log file, or gets information about mail transaction older than 30 days, we will need to use the PowerShell command – Get-HistoricalSearch.

Working with the Get-MessageTrace PowerShell command | Basic concepts

The MessageTrace PowerShell command serves a “viewer” that we can use for “picking” in the Exchange Online mail transaction log file.

The most fundamental building block is the “time range.”

In case that we don’t use a PowerShell parameter that defines the time range, the
Get-MessageTrace default is to get only the data from the last 48 hours.

The required “time range” is defined by the PowerShell parameters: StartDate + EndDate

After we provide the information about the required time range, we can add additional “blocks” that help us to filter or narrow the search results.

For example,

• We can ask to get information about mail transactions that related to E-mails, sent from a specific sender or, sent to a specific recipient.
• We can ask to get information about mail transactions that related to E-mails, with a specific subject or a specific status.

In case that you want to get information about all the available PowerShell parameter when using the PowerShell command – Get-MessageTrace, you can use the Get-Member PowerShell command:

Get-MessageTrace | Get-Member

PS C:\script> Get-MessageTrace | Get-Member
TypeName: Deserialized.Microsoft.Exchange.Management.FfoReporting.MessageTrace

Name               MemberType   Definition                                                                                                                                                                  
----               ----------   ----------                                                                                                                                                                  
GetType            Method       type GetType()                                                                                                                                                              
formatProvider)
PSComputerName     NoteProperty string PSComputerName=outlook.office365.com                                                                                                                                 
PSShowComputerName NoteProperty bool PSShowComputerName=False                                                                                                                                               
RunspaceId         NoteProperty guid RunspaceId=9b812ad0-4ca5-404e-85fd-ad4cd78d495d                                                                                                                        
EndDate            Property     System.DateTime {get;set;}                                                                                                                                                  
FromIP             Property     System.String {get;set;}                                                                                                                                                    
Index              Property     System.Int32 {get;set;}                                                                                                                                                     
MessageId          Property     System.String {get;set;}                                                                                                                                                    
MessageTraceId     Property     System.Guid {get;set;}                                                                                                                                                      
Organization       Property     System.String {get;set;}                                                                                                                                                    
Received           Property     System.DateTime {get;set;}                                                                                                                                                  
RecipientAddress   Property     System.String {get;set;}                                                                                                                                                    
SenderAddress      Property     System.String {get;set;}

Define the specific “time\date” range of the information that we want to get from Exchange log files

As mentioned, the most basic building block when using the Get-MessageTrace command is the definition of the required time frame or time range.

The time range is defined by providing the start date and the end date. The time range is the “space” between these two “borders.”

Exchange Online is willing to “expose” the information by using a limitation of maximum 30 days.

In case that we write a time range that is Greater than 30 days, the following error appears:

When using the Get-MessageTrace command, there are two major syntax methods, that we can use for defining the time range

Option 1 – by “manually writing” the specific dates (the start date and the End date) in the format of month, day and a year (described as <mm/dd/yyyy>).

Option 2 – by using the PowerShell function

The other method which I prefer to use is a method in which we use the PowerShell function – Get-Date.

As the name implies, the Get-Date PowerShell function “fetch” the information about the current time. The information includes the current second, minutes, hour, day, month and a year.

When using the Get-MessageTrace command, the Get-Date PowerShell function is used for defining the “End-Date”.

The “Start-Date” defined by using “time units” such as “AddHours” or “Adddays”, and subtracting this time unit from the current date.

In the following example, we define a time range of “30 days” by using the time unit “Adddays” and using the value “-30”.

This syntax is “telling” PowerShell that we want to define a date that is calculated by subtracting 30 days from the current time (the current time that we get from the Get-Date PowerShell function).

Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy>

Get-MessageTrace -StartDate 01/01/2017 -EndDate 01/30/2017

In the following section, I would like to review a couple of examples if defending time range by using the “other method” in which we use the Get-Date
PowerShell function as a baseline + additional PowerShell time unites the functions such as – AddHours, Adddays etc.

Get-MessageTrace -StartDate (Get-Date).Addminutes(-30) -EndDate (Get-Date)

Get-MessageTrace -StartDate (Get-Date).AddHours(-30) -EndDate (Get-Date)

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date)

Get-MessageTrace -StartDate (Get-Date).AddMonths(-1) -EndDate (Get-Date)

Define a time range using variable

In case that you want to avoid from typing long and complex date values, you can use the method, in which the time range will be defined using variables.

The variables that we define, will “contain” the required date range.

The Get-MessageTrace command that we use, define the time range by using the variables that were defined in the “former step.”

$DateEnd = Get-Date
$DateStart = $DateEnd.AddHours(-30)

Get-MessageTrace -StartDate $DateStart -EndDate $DateEnd

“Clean” the displayed results from unnecessary information

When we use the MessageTrace PowerShell command in an Exchange Online environment without a very specific filter, the “output” includes unnecessary information (white noise) about “systems” and internal Exchange Online mail messages.

In the following example, we can see information about “system emails”, that is not relevant to our search.

In case that we want to “clean” the search result by removing the information about the “system emails”, we add filters that will instruct PowerShell to “ignore” specific emails such as the system emails.

PS C:\script>  Get-MessageTrace -StartDate (Get-Date).Adddays(-3) -EndDate (Get-Date) 

Received               Sender Address                                                              Recipient Address                                                                Subject                                                                      
--------               --------------                                                              -----------------                                                                -------                                                                      
01/06/2017 5:47:16 AM  Root@o365info2.onmicrosoft.com                                              publicfoldermailboxes.849adb9d4ce04c84bf663a41b011c05e@o365info2.onmicrosoft.com HierarchySync_Ping_4715_a1712e75-0ed6-4a37-a8a1-96d2337c017e                 
01/06/2017 5:37:15 AM  Root@o365info2.onmicrosoft.com                                              publicfoldermailboxes.849adb9d4ce04c84bf663a41b011c05e@o365info2.onmicrosoft.com HierarchySync_IncrementalSync_4714_a1712e75-0ed6-4a37-a8a1-96d2337c017e      
01/06/2017 5:37:15 AM  Root@o365info2.onmicrosoft.com                                              root@o365info2.onmicrosoft.com                                                   HierarchySync_IncrementalSync_4714_a1712e75-0ed6-4a37-a8a1-96d2337c017e      
01/06/2017 5:33:57 AM  wordpress@o365info.com                                                      John@o365info.com                                                                [o365info.com] Please moderate: "Manage Distribution Groups by using Power...
01/06/2017 5:32:19 AM  wordpress@o365info.com                                                      John@o365info.com                                                                [o365info.com] Please moderate: "Manage Distribution Groups by using Power...
01/06/2017 5:27:15 AM  Root@o365info2.onmicrosoft.com                                              publicfoldermailboxes.@o365info2.onmicrosoft.com HierarchySync_Ping_4713_a1712e75-0ed6-4a37-a8a1-96d2337c017e

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) |  Where {$_.SenderAddress -notlike '*micro*' -or $_.SenderAddress -notlike '*root*' }

PS C:\script> Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) |  Where {$_.SenderAddress -notlike ‘*micro*’ -or $_.SenderAddress -notlike ‘*root*’ }

Received               Sender Address          Recipient Address       Subject                                                                                          Status   
--------               --------------          -----------------       -------                                                                                          ------   
01/06/2017 11:07:36 PM info@twitter.com        info@o365info.com   beauty tips Tweeted: Please RT #beauty #makeup ##skincare MAC Studio Fix Additions               Expanded 
01/06/2017 7:58:22 PM  ilan.caner@gmail.com    John@o365info.com Re:                                                                                              Delivered
01/06/2017 6:00:36 PM  info@hyperfish.com      John@o365info.com       Webinar: Leveraging People Data in SharePoint Intranets Presented by Bonzai Intranet & Hyperfish Delivered
01/06/2017 4:13:15 PM  joanna@getriverteam.com John@o365info.com Easybellezza - 4 things people say about River                                                   Delivered
01/06/2017 4:13:15 PM  joanna@getriverteam.com info@o365info.com   Easybellezza - 4 things people say about River                                                   Expanded 
01/06/2017 12:34:59 PM omsingh.om@outlook.com  john@o365info.com       SEO Service Proposal                                                                             Delivered
01/06/2017 12:33:01 PM seo.devender.raviya@... info@o365info.com       Create an IPhone & Android App for your business                                                 Delivered
01/06/2017 10:13:52 AM noreply-dmarc-suppor... 1u8pjtbx@ag.dmarcian... Report domain: o365info.com Submitter: google.com Report-ID: 9662862343435806656                 Delivered
01/06/2017 10:13:52 AM noreply-dmarc-suppor... dmarc-report@o365inf... Report domain: o365info.com Submitter: google.com Report-ID: 9662862343435806656                 Resolved

In the former article, we review in details the concept of the “Time ranges” when using the Get-MessageTrace PowerShell command.
In the current article, we continue to explorer the additional parameter that we can use together with the Get-MessageTrace PowerShell command.

The concept of sender and recipient when using the MessageTrace command

Before we start with Get-MessageTrace PowerShell command examples, I would like to quickly relate to the terms – sender and recipient.

In many scenarios, we “filter” or narrow the Get-MessageTrace PowerShell command result by adding filter parameters.

I have notice that the filter parameters described as “sender” and “recipient” sometimes causes confusion, so it’s important to clarify the meaning of these terms.

• The term “sender,” relate to the originating entity that “write the E-mail message.”
• The term “recipient,” relate to the “destination entity,” meaning the person or the persons that the E-mail message was sent to them.”

In the following diagram, we can see that when Bob sends E-mail to Adele, Bob defined as the Sender (SenderAddress) and Adele (RecipientAddress) defend as the Recipient.

Working with the group by PowerShell parameter and Message Trace results

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date)  | Group-Object -Property SenderAddress | Select name,count | Sort count -desc

S C:\script> Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date)  | Group-Object -Property SenderAddress | Select name,count | Sort count -desc

Name                                                                        Count
----                                                                        -----
Root@o365info2.onmicrosoft.com                                                889
John@o365info.com                                                              23
apollotheme@gmail.com                                                          14
virus@o365pilot.com                                                             8
info@twitter.com                                                                6
noreply@addthis-email.com                                                       6
noreply-dmarc-support@google.com                                                6
wordpress@o365info.com                                                          5
bob@o365info.com                                                                4
dmarcrep@microsoft.com                                                          4
team@accounts.bitly.com                                                         4
MicrosoftExchange3e@o365info2.onmicrosoft.com                                   2
hemaslab@hemsons-lk.cf                                                          2

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date)  | Group-Object -Property RecipientAddress | Select name,count | Sort count -desc

PS C:\script> Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date)  | Group-Object -Property RecipientAddress | Select name,count | Sort count -desc

Name                                                                     Count
----                                                                     -----
publicfoldermailboxes.@o365info2.onmicrosoft.com   445
root@o365info2.onmicrosoft.com                                           444
John@o365info.com                                                        30
apollotheme@gmail.com                                                    19
info@o365info.com                                                        14
Jeff@o365info.com                                                        10
dmarc-report@o365info.com                                                5
1u8pjtbx@ag.dmarcian.com                                                 5
Alice@o365info.com                                                                   4
ilan@gmail.com                                                                       3
virus@o365pilot.com                                                                  2
hemaslab@hemsons-lk.cf                                                               2

Get information about emails that was sent from a Specific sender

Get-MessageTrace -SenderAddress <Sender Email address>

Get-MessageTrace -SenderAddress Bob@o365info.com

Get-MessageTrace -StartDate (Get-Date).Adddays(-x) -EndDate (Get-Date) -SenderAddress <Sender Email address>

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -SenderAddress Bob@o365info.com

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -SenderAddress Bob@o365info.com | Group-Object -Property SenderAddress | Select name,count

Get-MessageTrace -StartDate (Get-Date).Adddays(-x) -EndDate (Get-Date) -SenderAddress <*@Domain name>

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -SenderAddress *@o365info.com

$AllSender = Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) | Group-Object -Property SenderAddress | Select name
$AllSender = $AllSender.name
$ErrorActionPreference = "SilentlyContinue"
ForEach ($sender in $AllSender)
{
Get-MessageTrace -StartDate (Get-Date).Adddays(-3) -EndDate (Get-Date) - SenderAddress $sender | Export-Csv c:\temp\$sender.csv –NoTypeInformation -Encoding UTF8
}

Get information about emails that was sent to a Specific recipients

Get-MessageTrace -RecipientAddress <recipient Email address>

Get-MessageTrace -RecipientAddress Bob@o365info.com

Get-MessageTrace -StartDate (Get-Date).Adddays(-x) -EndDate (Get-Date) -RecipientAddress <recipient Email address>

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -RecipientAddress Bob@o365info.com

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -RecipientAddress Bob@o365info.com | Group-Object -Property SenderAddress | Select name,count

Get-MessageTrace -StartDate (Get-Date).Adddays(-x) -EndDate (Get-Date) -RecipientAddress <*@Domain name>

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -RecipientAddress *@o365info.com

Get information about emails with a specific status

Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -Status <Status>

Get-MessageTrace -StartDate (Get-Date).Adddays(-x) -EndDate (Get-Date) -Status <Status>

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -Status Failed

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) | Where {$_.Status -eq "Failed"}

$statuses = "None", "Failed", "Pending", "Delivered", "Expanded"
ForEach ($status in $statuses)
{
Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -Status $status | Export-Csv c:\temp\$status.csv
}

Get information about emails with a specific subject

Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> | Where {$_.Subject -like "*<string>*"}

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) | Where {$_.Subject -like "*test*"}

Get information about emails | Filter information by source or destination IP address

Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -ToIP <IP address>

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -ToIP 10.0.0.2

Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -FromIP <IP address>

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -FromIP 10.0.0.2

Define the setting that relates to the maximum number of results

Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -PageSize <number or records that each page includes>

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) -PageSize 5000

Get more details on a specific mail transaction by using MessageTraceDetail

Get-MessageTrace -StartDate (Get-Date).Adddays(-3) -EndDate (Get-Date) | Get-MessageTraceDetail

Export information from Get-MessageTrace results to a file

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) | Out-File C:\Temp\"All emails in the last month.TXT"

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) | Export-CSV C:\Temp\"All emails in the last month.CSV" –NoTypeInformation -Encoding UTF8

Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) | ConvertTo-Html | Out-File C:\Temp\"All emails in the last month.HTML"

In the past, to the only way for getting the host name of the Office 365 DKIM selector, was by using the “manual method,” in which we need to “collocate” the DKIM TXT record host name, by using a formula that “construct” the Host name based on “different components” such as – the onMicrosoft domain name, the Office 365 tenant name whom we register and so on.

Later, Office 365 added a new a PowerShell cmdlet named Get-DkimSigningConfig, that was created to simplify this process by, provides us the ability to “display” the Office 365 DKIM selector TXT record host names who were generated for a specific Public domain name.

It’s up to you to choose the “method” (calculate the value versus using PowerShell command) that you prefer.

DKIM in Office 365 | using CNAME records that include two host names.

The foundation for the implementation of outbound DKIM signing for a specific domain name in Office 365 environment, is based on the mandatory need to publish two CNAME records that will include information about “our” DKIM infrastructure.

Each CNAME record consisting of two host names.

When a DNS client asks for information about the host name – A, the CNAME record, will redirect the request to Host name – B.

In our scenario, “Host A” is a logical name of a DKIM selector.
We use the term “logical” because, in reality, this DKIM selector host name does not exist.

This “logical” DKIM selector host name,” is added to the outgoing E-mail message, in the process of outgoing DKIM signature.

When the “receiving mail server,” asks the DNS server about “Host – A (the logical name of the DKIM selector),” the DNS CNAME record, will redirect the request to “Host B.”

In our scenario, “Host -B,” is the host name of the “real” Office 365 DKIM selector TXT record, that contains the Public key which was used for signing the outgoing E-mail.

The DKIM CNAME record stature

The structure of the Office 365 DKIM CNAME record is implemented in the following way:

1. The logical DKIM host name (the first part).

The “first part” of the DKIM CNAME record, meaning, the “logical DKIM Selector” host name, is a “fixed value.”

In Office 365, the name of the “logical” DKIM host name is implemented by using the following naming convention:

Selector1._domain key<Public domain name>
Selector2._domain key<Public domain name>

For example, in our example, we want to implement the option of outbound DKIM signing for the domain name – o365pilot.com

2. The “real” host name of the Office 365 DKIM selector (the second part).

When we enable the option of DKIM outbound signing, Office 365 generates a dedicated TXT record that contains the public-key value of the Office 365 DKIM selector.

The “host name” of this DKIM TXT record, will be created based on a “formula,” that generate the host name based on the Office 365 tenant and domain names.

In the next section, we will learn how to use this formula for calculating the host name of the Office 365 TXT record that “represent” a specific domain name.

Calculating the Office 365 DKIM TXT record host name

In this section, we review the “formula” that we use for the Office 365 DKIM selector TXT record.

The structure of the “Office 365 DKIM selector TXT record” that is generating for a specific public domain name, is based on the following two “parts”: Domain GUID and onMicrosoft domain name.

In case that the thought – “what WT.. Are these terms?”
Do not worry; we will explain them in the next section

In the following diagram, we can see the structure of the “Office 365 DKIM selector TXT record”.

We can see that the DNS record consisting of four parts:

In the following diagram, we can see an example of “Office 365 DKIM hostname.”

Part 1 – this is the “reserved host name.”
In Office 365, we will need to define two DKIM records using the following host names: – selector1 and selector2

Part 2 – the second part defines as DomainGUID.
The DomainGUID name is the left part of the Office 365 MX record that represents our registered public domain name.

In the following diagram, we can see an example for MX record that is used in Office 365 for the public domain o365pilot.com

The “left part” of the host name is the Domain GUID

Part 3 – the DKIM sub domain name

The part of the DKIM subdomain is a “predefined value” that is written using the following naming convention – ._domainkey

The special “dash character that we use for defining the Office 365 hostnames

Notice that the DKIM subdomain vale includes a special dash character that is a mandatory part of the DKIM subdomain value.

Part 4 – the Office 365 tenant name

This is the part that is “taken” from the Office 365 tenant name.

For example – o365info2.onmicrosoft.com

In the following diagram, we can see an example of the Office 365 DKIM selector TXT record host name structure.

Part 1#2 | How to get the information about our domain GUID in Office 365?

As mentioned, the Domain GUID is the “left part” of the Exchange Online MX record.

To be able to get information about the Office 365 MX records that represent a particular public domain name, we a use a couple of options:

Option 1 – using the Office 365 portal

When we log in to the Office 365 portal, on the left-side menu bar, we can choose the domain menu and then select a specific domain name such as o365pilot.com in our scenario.
To be able to view information about the DNS records that “belong” to the specific domain, we will choose the menu domain settings

In the following screenshot, we can see information about the Office 365 MX records of the
domain name – o365pilot.com

The DomainGUID name appears as the left part of the Office 365 MX record.

Option 2 – using the nslookup tool

Another way that we can use for display information about the MX record of specific Office 365 domains is by using the nslookup command line tool.

We can use the following parameters to query the DNS server regarding the domain name.

Nslookup

Set q=mx

<Domain name>

Part 3 – the third part is the DKIM sub-domain (reserved names). As mentioned, this name is the “reserved sub-domain name” (._domainkey).

Part 4 – the fourth part is the “onMicrosoft domain” name.
This is the domain name that automatically generated for our Office 365 tenant in the first time that we create our Office 365 tenant.

Part 2#2 | How to get the name of the OnMicrosoft domain name?

To be able to get the name of our “onMicrosoft domain” name we can be login to the Office 365 portal.
In the following screenshot, we can see an example to Office 365 tenant that include three registered domain names.

Two of the domain names considers as a “public domain” (other terms, a vanity domain or a custom domain) name and one domain is the onMicrosoft Domain name (number 2).

Restore Exchange Online mailbox | Article series index

The only way for getting the required DKIM host name records is, by implementing a “manual calculation (which was reviewed in a former article) or, by using a PowerShell command that will get us the required DKIM host names.

The additional challenge that stands before of us is, that the PowerShell command that we use, provide only a “partial information” about the Hostnames that we will need to use for creating the required DKIM CNAME records.

To make your life easier, I have written a small PowerShell script , that will “fetch” the required data about the DKIM host names and present the information in a more user-friendly way.

Getting the information about the DKIM CNAME in Office 365

Option 1#2 - Getting the host name of Office 365 DKIM selector using PowerShell

Get-DkimSigningConfig <domain name> | FL *CNAME

Get-DkimSigningConfig o365pilot.com | FL *CNAME

Get-DkimSigningConfig o365pilot.com | FL *CNAME

Selector1CNAME : selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com
Selector2CNAME : selector2-o365pilot-com._domainkey.o365info2.onmicrosoft.com

Option 2#2 - How to use the – “Show my Office 365 CNAME DKIM records” PowerShell script

Download the “Show me my DKIM host name record” PowerShell script

Restore Exchange Online mailbox | Article series index

Scenario and task description

The scenario

The domain for which we want to activate the “outbound DKIM signing” is – o365pilot.com

The prerequisite for enabling the outbound DKIM signing is – a creation of two CNAME records, that will be created in the DNS server who hosts the specified domain.

In our scenario, the 2 “DKIM CNAME” records, will include the following host’s names:

The Task

Using our public DNS management interface for creating the required two CNAME record that will be used for DKIM outbound signing in Office 365 environment.

Creating the required two CNAME required for Outbound DKIM signing using GoDaddy DNS management interface.

In the next section, I will demonstrate how to create the two CNAME records, that will point to the Office 365 DKIM Selectors using the GoDaddy DNS management interface.

Regarding “other DNS management interfaces,” the major concepts of creating CNAME records are less or more the same on every DNS management interface, beside of some minor changes.

In the Gooday DNS management interface

• Select the DNS ZONE FILE tab
• Select the option of – Add Record

In our scenario, we would like to create a NEW CNAME record.

• In the RECORD TYPE:* option box, click on the small arrow

• Select the option of – CNAME (Alias) record

In our specific scenario, the CNAME record will include the following hosts names:

In the “upper section” named – HOST:, we will add the host name: selector1._domainkey

It’s important to understand that because this hostname is hosted “under” the domain name –  o365pilot.com , the FQDN (Fully qualified Hostname) will be – selector1._domainkey.o365pilot.com

In other words, don’t add the “full hostname” in the upper part, but only the “partial hostname” without the “Domain suffix part.”

The host name in the “upper part,” will be used for redirected requests to the dedicated Office 365 DKIM Selector record, that includes the Office 365 DKIM Public Key.

In the “bottom section” named – POINTS TO:, we will add the following host name:

selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com

Before we continue, it’s important to me to briefly review the concept of the DNS CNAME record because, many times this concept can be a bit confusing.

The CNAME record serves as a “logical router” that accepts a request for “object A” and redirects the required to “object B.”
In our case, each DNS query for the “DKIM selector” that is represented by the host name – selector1._domainkey.o365pilot.com, will be redirected
to the Host name selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com

Creating and configuring the second DKIM CNAME record

We will need to repeat this process for cratering an additional CNAME record, that will use for redirecting DKIM request to additional Office 365 host named – selector2

To add an additional record, we will click on the button – ADD ANOTHER

In the “upper section” named – HOST:, we will add the host name: selector2._domainkey

In the “bottom section” named – POINTS TO:, we will add the host name:

selector2-o365pilot-com._domainkey.o365info2.onmicrosoft.com

• Save the new CNAME records that added by selecting the menu – Save Changes.

In the following screenshot, we can see the result; two new CNAME records created.

The next step

It’s recommended to continue to read the next article, which describe the “next step,” in which we review the process of – verify if the DKIM CNAME records are successfully published and available for external clients.

Restore Exchange Online mailbox | Article series index

A little about the concept of DKIM records in Office 365 environment

A quick reminder about the concept of DKIM host records in Office 365:

When we implement outbound DKIM signature in an Office 365 environment, outbound E-mail that sent to external recipients, will include DKIM signature + the “logical host name” of the DKIM selector that sign the E-mail.

in our example, the logical host name that represent the domain o365pilot.com is – selector1._domainkey.o365pilot.com.

We use the term “logical host name” because, the DKIM selector host name which appears on the E-mail message doesn’t exist!

When the “destination mail server” receives the E-mail message, he addresses a public DNS server, looking for information about the DKIM selector host name, that appeared in the mail header (“logical host name”).

The external mail server asks the DNS server if he has a TXT record, that uses the specific host name.

The DNS server include a CNAME record, that serves as a “logical router” that “route” DNS client request to “another host”.

The DNS server “answer” is, a redirection to “another host.” In our example, the redirection message includes the host name –
selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com

The “other host name” is the real host name of the Office 365 DKIM selector.

The “mail server” addresses again the DNS server, and asks the DNS server if he has a TXT record that uses the specific host name.

In this step, the DNS sends to the “DNS client” (the mail server) the content of the TXT record, that includes the Public Key of the Office 365 selector that signed the E-mail message.

Scenario and task description

The scenario

The domain name for which we have already activated the “outbound DKIM signing” is – o365pilot.com.

The prerequisite for enabling the outbound DKIM signing in Office 365 is – a creation of two CNAME records, that will be created on the DNS server, who hosts the specified domain.

Note – we review the process of creating the required two CNAME records in the former article.

In our scenario, the 2 “DKIM CNAME” records, will include the following host’s names:

Note – in case that you need to get more information about this specific host’s names whom we use in our scenario, and the PowerShell command that we use for getting the required host names for a specific domain; you can read the following article.

The Task

Our task is to verify that when the external mail server gets E-mail send from our organization recipient; he will manage to complete the DKIM verification process.

• We need to verify that “External mail server,” can address public DNS server, which contains information about our domain name (com in our scenario). The external mail server will send a DNS query, looking for information about the “logical name” of the DKIM selector that appears in the outbound E-mail.
• Verify that the external mail server DNS query, will successfully be redirected to the “real” Host name of the Office 365 DKIM selector.
• Verify that the external mail server successfully gets the value of the Public key that is stored within the TXT record.

Verifying the information from the DKIM CNAME records in an Office 365 environment

Step 1#2 | How to verify that the two DKIM CNAME records were successfully published + the CNAME “redirect” process is successfully implemented?

In our scenario, the “logical” host name – “selector1._domainkey.o365pilot.com , should redirect DNS queries to the Office 365 DKIM selector
“real” host name- selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com.

To verify this “Flow” we will simulate a DNS query.

Technically speaking, there are many methods and free web-based tools, that enable us to verify information about DNS records such as a CNAME record.

In our example, I will use the MXTOOLBOX site, for verifying information about the DKIM CNAME record that we publish.

To perform a CNAME look, we will use the following link – MXTOOLBOX CNAME record lookup

To verify that our CNAME record was successfully published, and in addition, perform the required “redirection,” we will need to provide the “first part” of the CNAME record.

In our specific scenario, the host name is – “selector1._domainkey.o365pilot.com.

In the following screenshot, we can see that the test complete successfully.

In the result’s pen, we can see that the “CNAME redirection” process, was successfully completed.

The query for the specific host name whom we provide in the former step, was “redirected” to the Host name – selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com.

Step 2#2 | How to verify the “content” of the Office 365 DKIM text record that represents our public domain name.

In this step, we want to verify if the Office 365 DKIM text record, that represents our public domain name, includes the required information – the DKIM Public key value.

To be able to perform this test, we need to know the Host name of the “real Office 365 DKIM selector” host name.

In this scenario, we query the public DNS about the content of a “TXT DNS record.”

To perform a query about a TEXT record, use the following link – MXTOOLBOX TXT record lookup

In our scenario, we look at a TXT record that uses the following host name:

selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com

In the following screenshot, we can see the results.

The results include the information that is “stored” in the TXT record.
In our case, the Office 365 TXT record stores the Public key of the Office 365 DKIM selector, that represent our domain name.

Additional methods for verifying DKIM DNS records

In this section, I would like to review more “sophisticated” test options, that are offered by the MXTOOLBOX site.

Versus the “tests” that we review in the former section, MXTOOLBOX includes a “dedicated tool” that we can use for testing a DNS record that was created for publishing DKIM infrastructure.

When using the DKIM records lookup, we will need to provide:

1. The domain name that uses DKIM services, in our example – com
2. The host name of our DKIM selector in our example – selector1

Notice that the DKIM record lookup tool is “Smart enough” to complete by himself all the rest of the information.

For example, the DKIM record lookup tool “know” that the FQDN of DKIM host record includes additional “parts” such as the “reserved name” – ._domainkey” and the domain name suffix that needs to be added to the host name.

In the following screenshot, we can see the result

We can see that the DKIM record lookup tool manages to “locate” the DNS record of the DKIM selector that “represent” the o365pilot.com domain.

In additional, the “CNAME redirection” process was successfully completed and in the “result page,” we can see the content of the Office 365 TXT record that included the value of the public DKIM key.

Restore Exchange Online mailbox | Article series index

Activating (enabling) the Outbound DKIM signing for our domain name

In this phase, we assume that the required DNS CNAME records that redirect “DKIM queries” to the “dedicated Office 365 DKIM selector host name” that represent our public domain name were already created.

To activate (enabling) the option of Outbound DKIM signing for a specific domain name, use the following steps:

• Logon to Exchange Online admin console
• On the left menu bar, select the protection
• On the top menu bar, select the dkim

In our example, we want to enable Outbound DKIM signing for the domain – o365pilot.com.

In the following screenshot, we can see that by default, the option of – Outbound DKIM signing option for the public domain name, is disabled. In other words, the option of “Enable” is active.

To enable Outbound DKIM signing for the domain – o365pilot.com, all we need to do is – to select the required domain name, and click the Enable menu.

In the following screenshot, we can see that the Outbound DKIM signing is Enabled

An additional option for enabling Outbound DKIM signing for a domain is via the – Office 365 Security & Compliance portal

• Logon to Security & Compliance portal
• On the left menu bar, select the Threat management menu
• Select the dkim menu

Verifying the process of Outbound DKIM signing + incoming DKIM verification test

After we have enabled the option of Outbound DKIM signing, the next task is to verify that the configuration is implemented properly.

Our expectations are, that E-mail that is sent by our organization recipients, whom their E-mail address includes the domain name suffix for which we enabled the Outbound DKIM signing, will be signed by a DKIM selector, that his host name include our domain name.

For example, each E-mail that sent from the domain o365pilot.com, will contain information about a DKIM selector, that his host name includes the domain name o365pilot.com.

Just a quick reminder, in an Office 365 based environment, each “outgoing E-mail” will be automatically included DKIM signature, using the “default Office 365 DKIM selector” that use the domain name – “onMicrosoft”.

The purpose of enabling Outbound DKIM signing is – to change this default, so the DKIM selector name will include our domain name suffix.

After we enable the option of – Outbound DKIM signing, the “DKIM signature” will not include the default Office 365 DKIM selector host name (onMicrosoft) and instead, in our example, will include the host name selector1._domainkey.o365pilot.com or, the host name – selector2._domainkey.o365pilot.com.

If we want to be more accurate, although the “formal” host name of the DKIM selector that represents our domain name is “selector1._domainkey.o365pilot.com”, the “destination mail server”, will relate to a shorten version of the host name.

When we look at the information that appears in the E-mail message header that was sent to external recipient, the DKIM selector host name will appear as “Selector1.o365pilot.com”.

In the next sections, we review the process in which we verify that the Office 365 DKIM infrastructure functioning properly.

In the next section, we will run two “DKIM outgoing flow” test.

The verification process of the Outbound DKIM signing will be implemented by:

• Test 1 – Analyzing the E-mail message header that was sent to the “destination recipient”, using the Microsoft Remote Connectivity Analyzer.
• Test 2 – Analyzing the E-mail message header that was sent to the “destination recipient”, using a free web-based tool.

Verifying the process of Outbound DKIM signing – Analyzing E-mail header
| Using Microsoft Remote Connectivity Analyzer

In this section, we want to verify that the Office 365 DKIM infrastructure is “working properly,” and
that E-mail messages that sent by our organization recipients are

• Digitally signed by using a DKIM signature
• That the DKIM selector that sign the E-mail is using the host name o365pilot.com

Scenario description

Our organization mail infrastructure (Exchange Online), was configured to implement Outbound DKIM signing for the public domain name – o365pilot.com.

In our scenario, an organization recipient who uses the E-mail address – craig@o365pilot.com, sent E-mail to external recipients.

Analyzing the information stored in the E-mail header | Destination recipient

In the following screenshot, we can see the E-mail message that was sent to “G-Mail recipient.”

• To view to E-mail header, we select the E-mail message.
• Click on the small arrow that appears on the right side.
• Select the menu – Show original.

In the following screenshot, we can see that the DKIM signature was “approved” by the mail server that accepts the E-mail.

The information about the DKIM signature appears as – “PASS with domain o365pilot.com”.

To get more detailed information, we will copy the content of the E-mail header and analyze the information by using mail header analyzer.

In the next step, we will use the Microsoft E-mail header analyzer using a web-based tool
named – Microsoft Remote Connectivity Analyzer

• Paste the content of the E-mail header in the “white box”
• Select – Analyze headers

In the following screenshot, we can see the information about the “DKIM signature.”
The information includes the Public Key that the DKIM selector use.

The important information in our case is, the name of the DKIM selector that “stamp” the E-mail using a DKIM signature.

Authentication-Results

In the section named – “Authentication-Results”, we can see that the DKIM test was successful

The information appears as – “dkim=pass header.i=@o365pilot.com”.

DKIM-Signature

In the section named – “DKIM-Signature,” we can see the information about the “DKIM Selector” host name.

In our example, the DKIM selector host name is – d=o365pilot.com; s=selector1;

• The letter “d” represent the Domain name (o365pilot.com in our example).
• The letter “s” represent the selector host name (selector1 in our example).

Verifying the process of Outbound DKIM signing – Analyzing E-mail header | Using web-based tools

In the next step, we perform the “Outbound DKIM signing test” using a free web-based tool
named – DKIM, SPF, SpamAssassin Email Validator

The verification process is implemented by sending E-mail to a “unique E-mail address” that provided by the web-based tool.

The E-mail message that we send will be accepted by the “destination mail server”, and after the E-mail is accepted, the web-based tool will provide a report that relates to the result of the DKIM signature test.

• Copy the E-mail address that appears on the web page.

In this step, we send E-mail to the specific E-mail address from one of our organization users.

In our example, we want to verify the E-mail message that sent from a recipient who uses the domain name suffix – o365pilot.com include a “proper” DKIM signature.

After the E-mail message was sent, we will access the Web-based tool again and select the button – View Results

In the following screenshot, we can see the content of the E-mail message that was accepted by the “destination recipient.”

The information about that the “DKIM signature” inform us that the DKIM test “pass”, and the important thing is that the DKIM selector host name who signed the E-mail message is – selector1.o365pilot.com.

Restore Exchange Online mailbox | Article series index

The content of the article series

In the second article, we review the various PowerShell commands that we can use for getting, and exporting information about the mailbox migration process such as – Get-MoveRequest, Get-MoveRequestStatistics, Get-MigrationUser, Get-MigrationUserStatistics and more.

In the third article, we review how to use a menu based PowerShell script that I have written that will simplify the process of:

• Connecting to Exchange Online using remote PowerShell.
• Exporting information about the migration process to various file types.
• Export information from on-Premises environment that include On-Premise Active Directory and Exchange on-Premises.
• Perform basic troubleshooting steps in Exchange on-Premises environment.

Exchange on-Premises versus Exchange Online

Although the focus in the current article series is – the migration process that is implemented by migrating Exchange on-Premises mailboxes to Office 365, most of the concepts and the PowerShell commands that we review, are also relevant to Exchange on-Premises based environment.

The terms that we use for defining a mailbox migration process

Mailbox move

In Exchange based environment, the term “mailbox migration” is translated into the term “Mailbox move”.

As the name implies, when we “migrate” Exchange mailbox from Exchange Database A to Database B, or from Exchange server A to Exchange server B (from Exchange on-Premises infrastructure to Exchange Online infrastructure in our scenario), Exchange server relate to the migration process as a “Mailbox move”.

Move request

The process of mailbox migration is realized is “Move request”

The Exchange server that is going to be the “NEW host” of the mailbox (the “receiving Exchange server”), send a “Move request” to the Exchange server the is currently host the mailbox.

In our specific scenario, Exchange Online server “requests” from Exchange on-Premises to Move a specific mailbox.

The relationship of Exchange mailbox and Active Directory user account

Although we use most of the time the term “Mailbox”, it is important to emphasize that Exchange mailbox is not a “standalone entity”.

Instead, each Exchange mailbox is associated with Active Directory user (mailbox owner).
So, if we want to be more accurate, when we use the term “mailbox migration” we are also relating to the “user account entity” that is associated with the Exchange mailbox.

The mailbox migration process relates to the user account that is associated with the Exchange mailbox as – “Migrated user”.

This term “Migrated user” can be a little bit confusing because, in reality, we don’t relay migrate the Active Directory user account.

In Office 365 infrastructure, we assume that that the mailbox migration process will “copy” the On-Premise Active Directory user account to the cloud or ,another option is, using Directory synchronization server that synchronized the On-Premise Active Directory user account to the cloud (Azure Active Directory).

The mailbox migration entities

The “Mailbox migration process” is composed from couple of “entities”.

Before we start to run the related PowerShell commands, it’s important that we get a general concept of the various “entities” that involved in this process (the mailbox migration to Office 365) and the “role” of each of these entities.

In the following diagram, we can see an example of the “entities” that are involved in the process.

The “entities” that involved in the mailbox migration to Office 365 and the associated PowerShell commands

Exchange PowerShell cmdlets that relate to the process of mailbox migration, enable us to address each of this “entities” that involved in the mailbox migration process.

The purpose of this “Get” PowerShell cmdlets is – getting information about the various migration entities such as – the specific settings and properties of each entity, the status of the specific entity and so on.

The PowerShell commands that we review in the current article are:

• Get-MigrationEndpoint
• Get-MigrationBatch
• Get-MoveRequest
• Get-MoveRequestStatistics
• Get-MigrationUser
• Get-MigrationUserStatistics

In the following diagram, we can see that PowerShell cmdlets that are associated with the user account object” and the Exchange mailbox object.

In the following diagram, we can see that PowerShell cmdlets that are associated with the migration batch object” and the migration endpoint object.

The Migration batch object as a logical container

An additional concept that I would like to mention regarding the mailbox migration entities is the concept of the “Migration batch”.

We can relate to the “Migration batch entity” as a logical container, that “hold inside” the migrated mailbox and the users accounts that are associated with each Exchange mailbox.

In a case that we run multiple Migration batches at the same time, in some scenarios, we will need to get information about all the migration entities that are related to the specific Migration batch.

In the next articles –Using PowerShell for view and export information about mailbox migration to Office 365 | Part 3#5 and Using PowerShell for view and export information about mailbox migration to Office 365 | Part 4#5, we review the PowerShell commands that we can use for getting information about objects such as “Move Requests” and “Migration users that are related to a specific Migration batch.

A short description of the migration entities

The scope of the article series

The basic assumption is that in this phase you have already mange to create the required “Exchange on-Premises endpoint”.

The meaning is, that your Exchange on-Premises server have all the required prerequires such a public availability”, that enable Exchange Online to establish the connection with your Exchange on-Premises server.

In case that you need to “establish” the connection between Exchange Online and Exchange on-Premises, and you need more information about the required preparations and prerequires you can read the following articles:

• Office 365 Cutover mail migration – Exchange on-Premises pre requirements
• Hybrid deployment in Office 365 | Checklist and pre requirements | Part 1/3
• Hybrid deployment in Office 365 | Checklist and pre requirements | Part 2/3

You can read additional information about the process of creating migration endpoint in the following articles:

• Create migration endpoints
• New-MigrationEndpoint
• Cutover migration to Office 365
• Troubleshooting issues where the hybrid migration endpoint cannot be created

The various type of mail migration to Office 365

At the current time, Exchange Online support the following types of mailbox migration

1. Cutover migration
2. Stage migration
3. Exchange Hybrid migration
4. IMAP migration

Although that each of the “Exchange Online mail migration method have unique characters of its own, the PowerShell command that we review are relevant for all the above mail migration methods.

Restore Exchange Online mailbox | Article series index

1. Migration Statistics | Get-MigrationStatistics

Get + Export Information | Migration Statistics

The PowerShell command Get-MigrationStatistics, provide us information about the migration process using properties such as – Synced Count,Total Count and more.

Get-MigrationStatistics -Diagnostic

PS C:\> Get-MigrationStatistics -Diagnostic

MigrationType      TotalCount FailedCount SyncedCount
-------------      ---------- ----------- -----------
ExchangeRemoteMove 4          0           0

Get-MigrationStatistics -Diagnostic |Format-List | Out-File c:\temp\"Get-MigrationStatistics -Diagnostic.txt" -Encoding UTF8

Migration Users

Get + Export Information | Migration Users

As mentioned, each Exchange mailbox must have a “user account” that is associated with the mailbox (mailbox owner).

The PowerShell command that we use for getting information about the user account that is “attached” to the mailbox that we migrate are:

• Get-MigrationUser
• Get-MigrationUserStatistics

2. Get migraiotion user information | Get-MigrationUser

The PowerShell command – Get-MigrationUser, display information about the user account properties that is associated with the Exchange mailbox that we migrate + high level information about the mailbox migrated content.

Get-MigrationUser <Migrated user account>

PS C:\> Get-MigrationUser onpremmbx-01@o365info.com

Identity                                 Batch                          Status                    LastSyncTime                                                                                                                 
--------                                 -----                          ------                    ------------                                                                                                                 
onpremmbx-01@o365info.com                Eyal Migration batch -001      Completed                 2/23/2017 10:47:28 AM

Get-MigrationUser onpremmbx-01@o365info.com |Format-List | Out-File c:\temp\"Get-MigrationUser - onpremmbx-01@o365info.com.txt" -Encoding UTF8

Get-MigrationUser | Format-List | Out-File c:\temp\"Get-MigrationUser.txt" -Encoding UTF8

Get-MigrationUser | Select Identity,RecipientType,SkippedItemCount,SyncedItemCount,Status,BatchId,LastSuccessfulSyncTime | Out-File c:\temp\"Get-MigrationUser.txt" -Encoding UTF8

3. Get migraiotion user Statistics information | Get-MigrationUserStatistics

The PowerShell command Get-MigrationUserStatistics will get us additional information about “migrated user” that is associated with the mailbox that we migrate + more detailed information about the mailbox content meaning, mail items that are migrated.

Get-MigrationUserStatistics <Migrated user account>

PS C:\> Get-MigrationUserStatistics onpremmbx-01@o365info.com

Identity                                 Batch                          Status                    Items Synced     Items Skipped   
--------                                 -----                          ------                    ------------     -------------   
onpremmbx-01@o365info.com                Eyal Migration batch -001      Completed                 4                0

Get-MigrationUserStatistics onpremmbx-01@o365info.com | Format-List | Out-File c:\temp\"Get-MigrationUser.txt" -Encoding UTF8

Get-MigrationUserStatistics onpremmbx-01@o365info.com -IncludeReport -Diagnostic -IncludeSkippedItems | Format-List | Out-File c:\temp\"Get-MigrationUser.txt" -Encoding UTF8

Get-MigrationUserStatistics -IncludeReport -Diagnostic -IncludeSkippedItems| Export-CliXml c:\temp\"Get-MigrationUserStatistics -IncludeReport -Diagnostic.xml" -Encoding UTF8

5. On-Premise infrastructure information

The current article series is dedicated to the Office 365 and Exchange Online environment but in some troubleshooting scenario, we will need to get more information about the “on-Premises infrastructure”.

For example, we get migration errors that are related to a specific user, or a specific mailbox.
We suspect that the issue can be realities to a problem with the On-Premise Active Directory user account or, to a “problematic Exchange on-Premises mailbox”.

On-Premise Active Directory

Get-Aduser onpremmbx-01@o365info.com -Properties * | Format-List | Out-File c:\temp\npremmbx-01@o365info.com -Active Directory  user.TXT

Exchange on-Premises infrastructure

To get information about specific Exchange on-Premises mailbox we can use the following two PowerShell commands:

• Get-Mailbox
• Get-MailboxStatistics

Get-Mailbox PowerShell command

To get information about specific Exchange on-Premises mailbox + export the information to TXT file, we can use the following syntax:

Get-Mailbox onpremmbx-01@o365info.com | Format-List | Out-File c:\temp\onpremmbx-01@o365info.com-Get-Mailbox on-Premises.txt

Get-MailboxStatistics PowerShell command

The PowerShell command Get-MailboxStatistics, can help us to get a very detailed information about Exchange mailbox “structure”, that include information about each mailbox folder, the number of mail items in each folder and much more.

Get-MailboxStatistics onpremmbx-01@o365info.com | Format-List | Out-File c:\temp\”onpremmbx-01@o365info.com -Get-MailboxStatistics on-Premises.txt

Get-MailboxStatistics onpremmbx-01@o365info.com –IncludeMoveHistory| Export-CSV c:\temp\"onpremmbx-01@o365info.com -Get-MailboxStatistics on-Premises - IncludeMoveHistory.CSV" –NoTypeInformation -Encoding utf8

Restore Exchange Online mailbox | Article series index