New-ComplianceSearch not visible in Exchange Online despite being in “Discovery Management”

So just today I learned a new thing. I was missing the New-ComplianceSearch cmdlet, and I was a bit frustrated because I was in all the relevant groups.

Technet did not mention a WORD about one thing: I was able to use the compliance cmdlets only after I connected differently. So if this is your connection string:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Credential -Authentication Basic -AllowRedirection

Change it to:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

This should do the trick.


Exchange Online and Microsoft.Exchange.Data.SharingPolicyAction is invalid error on Get-MailboxFolderPermission

Hello,

Recently we had an issue on Exchange Online: for one mailbox (yes 1! :)) we were not able to properly read permissions. The error was:

•	WARNING: An unexpected error has occurred and a Watson dump is being generated: Value specified for a parameter of type Microsoft.Exchange.Data.SharingPolicyAction is invalid: 0.
•	Parameter name: allowedActions
•	Value specified for a parameter of type Microsoft.Exchange.Data.SharingPolicyAction is invalid: 0.
•	Parameter name: allowedActions
•	    + CategoryInfo          : NotSpecified: (:) [Get-MailboxFolderPermission], EnumOutOfRangeException
•	    + FullyQualifiedErrorId : Microsoft.Exchange.ExchangeSystem.EnumOutOfRangeException,Microsoft.Exchange.Management.StoreTasks.GetMailboxFolderPermission
•	    + PSComputerName        : ps.outlook.com


After we contacted Microsoft, they suggested running the following command:

Get-SharingPolicy | Set-SharingPolicy -Domains Anonymous:CalendarSharingFreeBusySimple,*:CalendarSharingFreeBusyDetail

After running the above command we were able to properly read permissions. More details about sharing policies can be found here.

 

Messages sent to a distribution group visible in Exchange Online’s Get-MessageTrace as failed – not really failed.

So I noticed today that some messages are getting a failed status. I was particularly interested in one message that for sure was a legit one – same as the distribution group it was supposed to be delivered to.

Well... OK, so what happened to it then? I used Get-MessageTraceDetail to check it.


Exchange Online and “Cannot process argument transformation on parameter…” RBAC error.

So today I was trying to create some RBAC roles for our IT support. All I wanted to do is to create a new RBAC role and then add some cmdlets that were missing there – it was about message tracking.

Apart from that, one thing I find seriously messed up is the fact that the “Message Tracking” role group does not contain the “Get-MessageTrace” cmdlet.

The whole story happens in Exchange Online, so I tried to create an empty role and add the two needed cmdlets to it – I was not able to do it, as Exchange Online prevents you from creating such empty roles – you need to specify a parent.

However, if a parent role does not contain a cmdlet you are interested in you are not able to add it.

Well, sweet… so I created a role based on a parent which contained a lot of other cmdlets and tried to remove entries using “where”, like this:

Get-ManagementRoleEntry "SupportTeam" | ? {$_.name -notmatch "get-messaget"} | Remove-ManagementRoleEntry

Simply – I wanted to leave only cmdlets responsible for message trace.

Here is the place where I got the error from the subject.

So I started to read about it, and apparently Remove-ManagementRoleEntry does not accept pipeline input in o365…

https://blogs.technet.microsoft.com/rmilne/2015/02/05/remove-multiple-management-role-entries-in-office-365/

So you either need to prepare a line for each role entry in Excel (for instance using “concatenate”), or create a script, or use the ready-made solution presented in the above blog.
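One way to write such a script, as an added example that is not from this post or the linked blog: it calls Remove-ManagementRoleEntry once per entry instead of piping into it, and checks first that the parent really contains the cmdlets to keep. The parent role is a placeholder and the keep-list is an assumption.

```powershell
# Added example (not the author's code). Run inside an Exchange Online
# PowerShell session with rights to manage roles.
$ParentRole = '<PARENT ROLE>'   # placeholder: a built-in role that already contains the cmdlets
$ChildRole  = 'SupportTeam'     # custom role name used in the post
$Keep       = @('Get-MessageTrace', 'Get-MessageTraceDetail')   # assumed keep-list

# A custom role must be created from a parent; skip creation if it already exists.
if (-not (Get-ManagementRole -Identity $ChildRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $ChildRole -Parent $ParentRole | Out-Null
}

# Entries cannot be added unless the parent has them, so stop before stripping
# anything if a cmdlet from the keep-list is not there.
$names   = @(Get-ManagementRoleEntry -Identity "$ChildRole\*" | ForEach-Object { $_.Name })
$missing = @($Keep | Where-Object { $names -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Role '$ChildRole' lacks: $($missing -join ', '). Pick a different parent."
}

# Remove entries one call at a time, addressing each as "Role\Cmdlet".
foreach ($name in $names) {
    if ($Keep -notcontains $name) {
        Remove-ManagementRoleEntry -Identity "$ChildRole\$name" -Confirm:$false
    }
}

# Show what the support role can still run.
Get-ManagementRoleEntry -Identity "$ChildRole\*" | Select-Object Role, Name
```

The final listing should contain only the cmdlets from the keep-list; anything else left there is more privilege than the support team needs.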

 

X500 addresses – where is the beef?


Here is a great site that explains why x500 is needed and when it is used in on-prem and hybrid scenarios:

https://eightwone.com/2013/08/12/legacyexchangedn-attribute-myth/

Also, here is a somewhat related article about how to marry together a local AD account and an already created o365 mailbox:

http://techgenix.com/match-office-365-mailbox-new-premises-user-hybrid-deployment/

A good article about the history of x500:

https://www.experts-exchange.com/articles/9650/NDRs-and-the-legacyExchangeDN.html

And a good article about x400 history:

http://techgenix.com/x400-addresses-exchange-2010-part1/

Sneaky tricky management scopes in Exchange Online.

If you’ve been creating scopes in Exchange Online in, for instance, the following way…:

$Group = Get-DistributionGroup -Identity "RoomImpersonationGroup"
New-ManagementScope "Room Mailboxes Impersonation" -RecipientRestrictionFilter "MemberOfGroup -eq '$($Group.DistinguishedName)'"

…so using the DistinguishedName attribute – you might experience a moment when this solution stops working.


Exchange – two ways to create new role assignments.

I forgot this recently and ended up spending some time investigating.

Boys and girls, remember one thing – if you create role assignments like this:

New-ManagementRoleAssignment -Name "ASSIGNMENT NAME" -Role "ApplicationImpersonation" -CustomRecipientWriteScope "IMPERSONATION USERS" -SecurityGroup "IMPERSONATION ADMINS"

where “IMPERSONATION ADMINS” is a security group created by you – this role assignment will NOT be visible in your “admin roles” area in the Exchange Console.

Instead, you first need to create a Role Group and assign the role to it, for instance:

New-RoleGroup -Name "ROLE GROUP IMPERSONATION ADMINS"

New-ManagementRoleAssignment -Name "ASSIGNMENT NAME" -Role "ApplicationImpersonation" -CustomRecipientWriteScope "IMPERSONATION USERS" -SecurityGroup "ROLE GROUP IMPERSONATION ADMINS"

Only assigning a role to a role group allows it to appear in the admin roles area.

Remember about that!
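Because assignments made straight to a security group do not show up in the admin roles area, it is worth listing them from the shell now and then. The following read-only check is an added example, not part of the original post; the "VisibleInAdminRoles" column is a hypothetical name that simply applies the rule described above.

```powershell
# Added example (not the author's code). Read-only; run in an Exchange
# PowerShell session.
$Role = 'ApplicationImpersonation'

# Every assignment of the role, flagged by whether the assignee is a role group
# (per the post, only those appear in the "admin roles" area).
$report = Get-ManagementRoleAssignment -Role $Role | ForEach-Object {
    [pscustomobject]@{
        Assignment          = $_.Name
        AssigneeType        = $_.RoleAssigneeType
        Assignee            = $_.RoleAssigneeName
        WriteScope          = $_.CustomRecipientWriteScope
        Enabled             = $_.Enabled
        VisibleInAdminRoles = ($_.RoleAssigneeType -eq 'RoleGroup')   # hypothetical column
    }
}

# Assignments you would not find by looking at the console alone.
$report | Where-Object { -not $_.VisibleInAdminRoles } | Format-Table -AutoSize

# Who actually ends up holding the role, whichever way it was assigned.
Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope |
    Sort-Object EffectiveUserName
```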
