New-ComplianceSearch not visible in Exchange Online despite being in “Discovery Management”

So just today I learned new thing, I was missing New-ComplianceSearch cmdlet, I was a bit frustrated because I was in all the relevant groups:

Technet was not mentioning a WORD about one thing, I was able to use compliance cmdlets only after I connected diffrently, so if this is your connection string:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange –ConnectionUri -Credential $Credential -Authentication Basic –AllowRedirection

Change it to:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Credential -Authentication Basic –AllowRedirection

This should do the trick.



Exchange Online and Microsoft.Exchange.Data.SharingPolicyAction is invalid error on Get-MailboxFolderPermission


Recently we got an issue on Exchagne Online, for one mailbox (yes 1! :)) we were not able to properly read permissions, the error was:

•	WARNING: An unexpected error has occurred and a Watson dump is being generated: Value specified for a parameter of type <span id="mce_SELREST_start" style="overflow:hidden;line-height:0;"></span>Microsoft.Exchange.Data.SharingPolicyAction is invalid<span id="mce_SELREST_end" style="overflow:hidden;line-height:0;"></span>: 0.
•	Parameter name: allowedActions
•	Value specified for a parameter of type Microsoft.Exchange.Data.SharingPolicyAction is invalid: 0.
•	Parameter name: allowedActions
•	    + CategoryInfo          : NotSpecified: (:) [Get-MailboxFolderPermission], EnumOutOfRangeException
•	    + FullyQualifiedErrorId : Microsoft.Exchange.ExchangeSystem.EnumOutOfRangeException,Microsoft.Exchange.Management.StoreTasks.GetMailboxFolderPermission
•	    + PSComputerName        :


After contacting Microsoft they suggested running following command:

Get-SharingPolicy | Set-SharingPolicy -Domains Anonymous:CalendarSharingFreeBusySimple,*:CalendarSharingFreeBusyDetail

After running the above command we were able to properly rad permissions. More details about sharing policies can be found here.


Messages send to a distribution group visible in Exchange Online’s Get-MessageTrace as failed – not really failed.

So I noticed today that some messages are getting failed status, I was particulary interested in one message that for sure was a legit one – same as the distribution group it supposed to be delivered to.


Well..ok, so what happened to it then, I used Get-MessageTraceDetails to check it.

Continue reading “Messages send to a distribution group visible in Exchange Online’s Get-MessageTrace as failed – not really failed.”

Exhange Online and “Cannot process argument transformation on parameter…” RBAC error.

So today I was trying to create some RBAC roles for our IT support. All I wanted to do is to create a new RBAC role and then add some cmdlets that were missing there – it was about message tracking.

Apart from that thing I find seriously messed up is a fact that role group “Message Tracking” does not contain “Get-MessageTrace” cmdlet.


Whole story happens in Exchange Online so I tried to create am empty roleand add two needed cmdlets to it – I was not able to do it, as Exchange Online prevents from creating such empty roles – you need to specify a parent.

However, if a parent role does not contain a cmdlet you are interested in you are not able to add it.

Well, sweet… so I created a role based on a parent which contained a lot of others cmdlet and tried to remove entries using “where”, like this:

Get-ManagementRoleEntry “SupportTeam” | ? {$ -notmatch “get-messaget”}| Remove-ManagementRoleEntry

Simply – I wanted to leave only cmdlets responsible for message trace.

Here is the place I got error from the subject:


So I started to read about it, and apparently Remove-ManagementRoleEntry is not accepting pipeline in o365…

So you either need to prepare lines for each role entry in excel (for isntance using “concatenate”), or create a script, or use ready solution presented in the above blog.


X500 addresses – where is the beef?


Here is a great site that explains why x500 is needed and when it is used in on-prem and hybrid scenarios:

Also, here is a little bit related subject about how to marry together a local AD account and already created o365 mailbox:

Good article about history of x500:

And some good article about x400 history:

Sneaky tricky management scopes in Exchange Online.

If you’ve been creating scopes in Exchange Online in, for instance, following way…:

$Group = Get-DistributionGroup -Identity “RoomImpersonationGroup”
New-ManagementScope “Room Mailboxes Impersonation” -RecipientRestrictionFilter “MemberOfGroup -eq ‘$($Group.DistinguishedName)'”

…so using a DistinguishedName attribute – you might experience a moment when this solution stops to work.


Continue reading “Sneaky tricky management scopes in Exchange Online.”

Exchange – two ways to create new role assignments.

Forgotten this recently and got caught spending some time investigating.

Boys and girls, remember one thing – if you create role assignments like this:

New-ManagementRoleAssignment -Name "ASSIGNMENT NAME" -Role "ApplicationImpersonation" -CustomRecipientWriteScope "IMPERSONATION USERS" -SecurityGroup "IMPERSONATION ADMINS"

where “IMPERSONATION ADMINS” is your a security group created by you – this role assignment will NOT be visible in your “admin roles” area in Exchange Console:


Instead, you need firstly create a Role Group and assign role to it, for instance


New-ManagementRoleAssignment -Name "ASSIGNMENT NAME" -Role "ApplicationImpersonation" -CustomRecipientWriteScope "IMPERSONATION USERS" -SecurityGroup "ROLE GROUP IMPERSONATION ADMINS"

Only assigning a role to a role group allows it to appear in the admin roles area.

Remember about that!