mailbox

Provisioning a New Office 365 User and Mailbox from Exchange Hybrid via PowerShell

Working with many Office365 clients, I receive queries on how to go about provisioning users and mailboxes for an Exchange hybrid deployment.

To begin with, let’s assume a couple of things.

  1. We have a Windows 2012 R2 member server with Azure AD Connect (AAD Connect) version 1.1.105.00 (or newer) and the Azure AD Module for PowerShell installed; and
  2. We have an Exchange 2013 CU11 (or newer) server configured for hybrid with an active O365 tenant.

Now that we’ve established a baseline, there are a couple of options to perform the task of provisioning an AD user, creating a mailbox, and assigning an Office 365 license.

  1. The first option would be to create an AD user, create an on-premises mailbox, migrate the mailbox to Office 365, and assign a license; or
  2. The second option would be to create an AD user, create a remote (or Office 365) mailbox, and assign a license.

In this post, I will cover the second option simply because it includes fewer steps and attempts to avoid confusion around where the mailbox should be created.

Do not create an AD user and then go to the Office 365 portal to create a second, cloud-only user and mailbox. That cloud-only object is not linked to the on-premises account, so directory synchronization will not give you a properly synchronized O365 user and mailbox.

STEP 1: CREATE USER & MAILBOX

From the Exchange server, first create the AD user and its remote mailbox in one step with New-RemoteMailbox via the Exchange Management Shell (EMS or Exchange PowerShell)…

In the command above, I created the AD user in an OU named “Office 365 Users”, set the password to “EnterPasswordHere”, and required the user to change their password at next logon. I did not assign an SMTP address or remote routing address, on the assumption that the e-mail address policies are applied as new mailboxes are created; confirm with Get-RemoteMailbox that a RemoteRoutingAddress ending in .mail.onmicrosoft.com was stamped, because without it mail cannot be routed to the cloud mailbox. Note also that a password typed as a plain string on the command line is recorded in the PowerShell history and in any transcript; prompt for it with Read-Host -AsSecureString instead.

STEP 2: SYNCHRONIZE USER

Once the AD user and mailbox are created, the AD object must be synchronized to O365 before the user and associated mailbox appear in the tenant. With AAD Connect 1.1.105.00 and newer, the built-in scheduler runs a delta sync every 30 minutes. In my case, I’m not that patient and will manually force a sync to O365.

From the server with AAD Connect installed, run the following command in an elevated PowerShell console to start a delta sync to O365 (the account running it must be a local administrator or a member of the local ADSyncAdmins group)…

A delta sync pushes every change made in AD since the last sync cycle, which includes the new user and mailbox.

STEP 3: ASSIGN LICENSE

In the final step, I assign an O365 license to the newly created and synchronized user. The following commands can be run from any machine that has both the Microsoft Online Services Sign-in Assistant for IT Professionals RTW and the Windows Azure Active Directory Module for Windows PowerShell installed. In my case, they are installed on each server as well as on my admin workstation.

Connect to O365 via PowerShell from an elevated PowerShell console, or from the Azure AD Module for PowerShell console.

Confirm the new user does not have an O365 license assigned.

This command lists the unlicensed O365 users, i.e. those whose “isLicensed” property is “False”.

The next command returns the “AccountSkuId“, or subscription license(s), of my tenant, which I will use when assigning a license to the new user.

The AccountSkuId looks similar to “tenantname:ENTERPRISEPACK“, where “ENTERPRISEPACK” is the SKU part number for my Office 365 Enterprise E3 subscription. Other subscriptions have different SKU part numbers.

Before I can assign any licenses to the new user, the user must be assigned a usage location (a two-letter country code). Since I am located in the United States, I set “US” as the user’s location with this command…

Now that I’ve set a location for the new user, I can assign a license from my O365 subscription with this command…

Finally, the user can access their assigned mailbox in Exchange Online. Exchange Online provisions the mailbox only once the license is assigned, so a synchronized but unlicensed user has no cloud mailbox yet.
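As an added end-to-end example (not the post’s own commands, which are not reproduced on this page), the script below strings the three steps together from an admin workstation. The server names, OU, domain, SKU filter, and the use of implicit remoting to the Exchange server and WinRM to the AAD Connect server are my assumptions:

```powershell
# Added example, not the original post's commands. It chains the three steps
# from an admin workstation: implicit remoting to the hybrid Exchange server
# for New-RemoteMailbox, WinRM to the AAD Connect server for the delta sync,
# then the MSOnline cmdlets for the license. Server names, OU, domain and SKU
# filter are placeholders; adjust them to your environment.
param(
    [Parameter(Mandatory)][string]$FirstName,
    [Parameter(Mandatory)][string]$LastName,
    [Parameter(Mandatory)][string]$Alias,
    [string]$Domain         = 'contoso.com',
    [string]$OU             = 'contoso.com/Office 365 Users',
    [string]$ExchangeFqdn   = 'exch01.contoso.local',   # hybrid Exchange 2013 server
    [string]$AadConnectFqdn = 'aadc01.contoso.local',   # server running AAD Connect
    [string]$SkuPattern     = '*:ENTERPRISEPACK',       # E3 in this tenant
    [string]$UsageLocation  = 'US'
)

$upn = "$Alias@$Domain"

# Prompt for the initial password rather than embedding it in the command line,
# which would leave it in the PowerShell history and any transcript.
$initialPassword = Read-Host -Prompt "Initial password for $upn" -AsSecureString

# STEP 1: create the AD user and remote mailbox through the Exchange server
$exSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchangeFqdn/PowerShell/" -Authentication Kerberos
Import-PSSession $exSession -CommandName New-RemoteMailbox, Get-RemoteMailbox -AllowClobber | Out-Null

New-RemoteMailbox -Name "$FirstName $LastName" -FirstName $FirstName -LastName $LastName `
    -Alias $Alias -SamAccountName $Alias -UserPrincipalName $upn `
    -OnPremisesOrganizationalUnit $OU -Password $initialPassword `
    -ResetPasswordOnNextLogon $true | Out-Null

# The e-mail address policy is expected to stamp the .mail.onmicrosoft.com
# routing address; without it mail for the cloud mailbox cannot be routed.
$remote = Get-RemoteMailbox -Identity $upn
if (-not $remote.RemoteRoutingAddress) {
    throw "No RemoteRoutingAddress on $upn; check the e-mail address policy"
}
Remove-PSSession $exSession

# STEP 2: force a delta sync instead of waiting for the 30-minute scheduler.
# The remoting account must be a local admin or ADSyncAdmins member there.
Invoke-Command -ComputerName $AadConnectFqdn -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
} | Out-Null

# STEP 3: wait for the object to appear in the tenant, then license it
Connect-MsolService
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $msolUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
} until ($msolUser -or (Get-Date) -gt $deadline)
if (-not $msolUser) { throw "$upn has not synchronized after 10 minutes" }

$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like $SkuPattern }).AccountSkuId
if (-not $sku) { throw "No subscription matching $SkuPattern in this tenant" }

# UsageLocation must be set before any license can be assigned
Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation
Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku

Get-MsolUser -UserPrincipalName $upn | Select-Object UserPrincipalName, UsageLocation, IsLicensed
```

Run it as `.\New-HybridUser.ps1 -FirstName Jane -LastName Doe -Alias jdoe`. The polling loop matters because Get-MsolUser returns nothing until the export to Azure AD has completed, and Set-MsolUserLicense fails on a user that does not yet exist. The MSOnline (Msol*) cmdlets the post relies on have since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the Exchange and AAD Connect parts of the procedure are unaffected.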

Get PasswordAge for users in a particular domain

In Office 365, if you have more than one domain in a subscription, there are times when you may want to get the password age for the users of one particular domain.

In my case, I wanted to check which users are covered by and meeting the policy, and to get the remaining users addressed.

The output will be similar to:
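The following is an added example rather than the post’s own script. It reports the password age for every user in one domain using the MSOnline cmdlets the rest of this page uses; the domain name, the 90-day threshold and an existing Connect-MsolService session are assumptions:

```powershell
# Added example, not the original post's script. Requires the MSOnline module
# and an existing Connect-MsolService session. Domain and threshold are placeholders.
function Get-DomainPasswordAge {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [int]$MaxAgeDays = 90     # assumed policy; compare with Get-MsolPasswordPolicy -DomainName
    )
    $now = (Get-Date).ToUniversalTime()   # LastPasswordChangeTimestamp is UTC

    Get-MsolUser -All |
        Where-Object { $_.UserPrincipalName -like "*@$Domain" } |
        ForEach-Object {
            $age = [int]($now - $_.LastPasswordChangeTimestamp).TotalDays
            [pscustomobject]@{
                UserPrincipalName    = $_.UserPrincipalName
                LastPasswordChange   = $_.LastPasswordChangeTimestamp
                PasswordAgeDays      = $age
                PasswordNeverExpires = $_.PasswordNeverExpires
                # Accounts flagged never-expire are not "over policy" by definition;
                # they are listed so that the flag itself can be reviewed.
                OverPolicy           = (-not $_.PasswordNeverExpires) -and ($age -gt $MaxAgeDays)
            }
        } |
        Sort-Object PasswordAgeDays -Descending
}

# Full report for the domain, then just the accounts that need addressing
Get-DomainPasswordAge -Domain 'contoso.com' | Format-Table -AutoSize
Get-DomainPasswordAge -Domain 'contoso.com' |
    Where-Object OverPolicy |
    Export-Csv -Path .\password-age-overdue.csv -NoTypeInformation
```

For users synchronized from on-premises AD with password hash sync, the timestamp reflects the last on-premises change and the effective policy is the on-premises one, so the threshold should match the AD domain policy rather than the tenant setting.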

Convert resource mailbox to a user mailbox

Based on my audit for a client, I found that a user mailbox had at some time been converted to a resource mailbox. There is no convert button or link to switch it back. I still don’t know how, or why, this would have happened.

Anyway, for anyone who comes across this odd issue, here is the fix.

This converts a shared mailbox or a resource mailbox back into a user mailbox.
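As an added example (not the post’s command), the function below wraps the conversion with the two checks that usually bite afterwards: a mailbox that was not a shared or resource mailbox is left alone, and the disabled account that backs a shared or resource mailbox is flagged. The mailbox identity is a placeholder; the function runs in an on-premises EMS or an Exchange Online session:

```powershell
# Added example, not the original post's command. Run in Exchange Management
# Shell on-premises or in an Exchange Online session; the identity is a placeholder.
function Convert-ToUserMailbox {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity
    $convertible = 'SharedMailbox', 'RoomMailbox', 'EquipmentMailbox'
    if ($convertible -notcontains [string]$mbx.RecipientTypeDetails) {
        Write-Warning "$($mbx.PrimarySmtpAddress) is $($mbx.RecipientTypeDetails); nothing to convert"
        return $mbx
    }

    # -Type Regular turns a shared, room or equipment mailbox back into a user mailbox
    Set-Mailbox -Identity $Identity -Type Regular

    # Shared and resource mailboxes are backed by a disabled account. On-premises
    # the account must be re-enabled and given a password before anyone can log
    # on; in Exchange Online a user mailbox also needs a license, unlike a shared one.
    $user = Get-User -Identity $Identity
    if ($user.AccountDisabled) {
        Write-Warning "Account for $($mbx.PrimarySmtpAddress) is disabled; enable it and set a password before use"
    }

    Get-Mailbox -Identity $Identity | Select-Object PrimarySmtpAddress, RecipientTypeDetails
}

Convert-ToUserMailbox -Identity 'boardroom@contoso.com'
```

In a hybrid environment convert the mailbox on the side that owns it (on-premises Set-Mailbox for a mailbox that still lives there, Exchange Online for a migrated one) so that the next directory sync does not overwrite the change.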

Saving emails in the ‘Sent Folder’ of shared mailboxes

When composing a message from a shared mailbox, by default the sent message is copied to the Sent Items folder of the user composing it and not to the Sent Items folder of the shared mailbox. Conveniently, there is a way to change this in Exchange 2016 and Office 365.

I don’t understand why this option is not turned on by default, because a message sent from a shared mailbox leaves no historical record of having been sent from that mailbox, apart from journaling (if it is enabled) or a third-party product or service.
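The setting is exposed by Set-Mailbox as two switches, one for Send As and one for Send On Behalf. The function below is an added example, not the post’s command: it turns both on for every shared mailbox that does not already have them and then reports the resulting state so the change can be verified. It assumes an Exchange 2016 EMS or an Exchange Online session:

```powershell
# Added example, not the original post's command. Run in an Exchange 2016
# EMS or an Exchange Online session.
function Enable-SharedMailboxSentItems {
    $shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

    foreach ($mbx in $shared) {
        # Send As and Send On Behalf are tracked separately; enable both
        if (-not $mbx.MessageCopyForSentAsEnabled -or -not $mbx.MessageCopyForSendOnBehalfEnabled) {
            Set-Mailbox -Identity $mbx.Identity `
                -MessageCopyForSentAsEnabled $true `
                -MessageCopyForSendOnBehalfEnabled $true
        }
    }

    # Re-read rather than trusting the loop, so the output is the actual state
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
        Select-Object PrimarySmtpAddress, MessageCopyForSentAsEnabled, MessageCopyForSendOnBehalfEnabled
}

Enable-SharedMailboxSentItems | Format-Table -AutoSize
```

Any row still showing False after the run points at a mailbox the loop could not modify (typically a permissions error written to the console), which is why the report is built from a fresh Get-Mailbox rather than from the loop.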

Exchange 2007: Give a user full access to all mailboxes

The following command grants full access to the mailbox database, including mailboxes created in the future. Change the name of the mailbox database to yours and the user name to the one you wish to use. This is a very broad, persistent grant: it does not appear in Get-MailboxPermission output for individual mailboxes (only in Get-ADPermission on the database), so record it and review it periodically.

Now access to all mailboxes:

For Send As:

For Receive As:

In Exchange 2010 only, you can use this command instead:

Make sure the user has OWA enabled if they are going to open the other mailboxes through OWA.
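As an added example (not the post’s commands), the block below shows the database-level grant, the per-mailbox Exchange 2010 alternative, and the audit a practitioner wants afterwards: a listing of every non-default account holding Receive-As or Send-As on any database, which is exactly the grant that per-mailbox permission reports miss. The database and account names are placeholders, and it is meant to run in EMS on the Exchange server:

```powershell
# Added example, not the original post's commands. Run in EMS on the Exchange
# server; database and account names are placeholders.
$Database = 'Mailbox Database'
$Account  = 'contoso\svc-ediscovery'

# Exchange 2007/2010: database-level grant. Receive-As opens every mailbox in the
# database and Send-As lets the grantee send as any of them; both cover mailboxes
# created later because the ACE is inherited down the database.
Add-ADPermission -Identity $Database -User $Account -ExtendedRights Receive-As -InheritanceType All
Add-ADPermission -Identity $Database -User $Account -ExtendedRights Send-As -InheritanceType All

# Exchange 2010 alternative: per-mailbox Full Access on every mailbox that exists
# now. This does NOT cover mailboxes created later; rerun it or use the grant above.
Get-Mailbox -ResultSize Unlimited |
    Add-MailboxPermission -User $Account -AccessRights FullAccess -InheritanceType All

# Audit: who can read or send as every mailbox in a database? Database-level
# grants never show in Get-MailboxPermission, so this is the place to look.
function Get-DatabaseWideMailboxAccess {
    Get-MailboxDatabase | ForEach-Object {
        $db = $_
        Get-ADPermission -Identity $db.Identity |
            Where-Object {
                -not $_.IsInherited -and
                $_.User -notlike 'NT AUTHORITY\*' -and
                $_.User -notlike 'S-1-5-*' -and        # orphaned SIDs: also worth cleaning up
                ($_.ExtendedRights -match 'Receive-As|Send-As')
            } |
            Select-Object @{n = 'Database'; e = { $db.Name }}, User, ExtendedRights, Deny
    }
}

Get-DatabaseWideMailboxAccess | Format-Table -AutoSize
```

Keep the audit function in your periodic review: an explicit Receive-As on a database is a quiet way for an account to read every mailbox on the server, and it survives mailbox moves within that database and any later per-mailbox permission cleanup.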

Assign a Room Mailbox Permissions

If we want to see the details of a room mailbox’s schedule, or change the permission level on its calendar, we should do the following:

  • Add a user with full access permission to the room mailbox via PowerShell:

    Add-MailboxPermission -Identity "[email protected]" -User "[email protected]" -AccessRights FullAccess -InheritanceType All

  • Open the room mailbox with OWA:
  • Log in to OWA as the user who has full access to the room mailbox.
  • Click your alias in the top right corner and select the room mailbox.
  • Once OWA has opened the room mailbox, click “Calendar” -> Share -> “Share this calendar” and select the share permission. Then select the person and send the sharing invitation.

On the client side, the user will be able to see the room calendar only if they have permissions on it. If no permissions are assigned, the client warns that it is unable to connect; the warning goes away once the permissions are set correctly.

  1. Open OWA (Outlook Web App) at http://mail.office365.com
  2. Calendar -> My Calendars -> open “Other Calendars”, then enter the alias of the room mailbox

Microsoft Article: Create A New Room Mailbox

Set a Room Mailbox to Show Details of a Meeting in its Calendar

You may notice that meetings with a ‘Room’ mailbox will by default only show a “Busy” status.
Many, including the organisation I work for, wish to have (at the very minimum) the following displayed in the Room’s calendar:

  • Organiser of the meeting, and
  • The subject of the meeting

Below I will demonstrate how to set the permissions so that all meetings (except those explicitly marked as ‘Private’) publicise the above details to all who view its calendar.

  1. First make sure the execution policy allows remotely signed scripts. Run PowerShell as administrator and execute: Set-ExecutionPolicy RemoteSigned
  2. Next, run the following to authenticate yourself and import the Exchange Online cmdlets into your local session:
    $LiveCred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session

Basic authentication against https://ps.outlook.com/powershell/ has since been retired by Microsoft; on a current tenant, connect with Connect-ExchangeOnline from the ExchangeOnlineManagement module instead, and the cmdlets below are unchanged.

Set the Room calendar to show ‘limited details’ by default

We will do this using the Set-MailboxFolderPermission cmdlet; see its reference for the full list of parameters it accepts. We use LimitedDetails for the AccessRights parameter, which exposes free/busy status plus the subject and location of each meeting.

Set-MailboxFolderPermission -AccessRights LimitedDetails -Identity Room:\calendar -User default

Set the Room calendar to show the ‘Organiser’ and ‘Subject’ of the meeting

We will do this using the Set-CalendarProcessing cmdlet; see its reference for the full list of parameters it accepts.

Set-CalendarProcessing -Identity testroom -AddOrganizerToSubject $true -DeleteComments $false -DeleteSubject $false
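The following is an added example that is not part of the original post. It covers both the room-sharing procedure in the “Assign a Room Mailbox Permissions” section and the two commands above in one script: the default calendar permission, the explicit per-user grants that the OWA sharing dialog would otherwise create, the calendar-processing settings, and a verification step. The room and user addresses are placeholders, and the script assumes an Exchange Online session (or an on-premises EMS):

```powershell
# Added example, not the original post's commands. Assumes an Exchange Online
# session (Connect-ExchangeOnline) or an on-premises EMS; the room and user
# addresses are placeholders.
$Room           = 'boardroom@contoso.com'
$CalendarFolder = "${Room}:\Calendar"   # folder name is localised; see the note below

# Everyone: free/busy plus subject and location, but not the meeting body
Set-MailboxFolderPermission -Identity $CalendarFolder -User Default -AccessRights LimitedDetails

function Grant-RoomCalendarAccess {
    # Adds the entry, or updates it when the user already has one (Add-* errors in that case)
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$AccessRights
    )
    try {
        Add-MailboxFolderPermission -Identity $Folder -User $User -AccessRights $AccessRights -ErrorAction Stop | Out-Null
    }
    catch {
        Set-MailboxFolderPermission -Identity $Folder -User $User -AccessRights $AccessRights
    }
}

# Explicit grants, which is what the OWA "Share this calendar" dialog creates
Grant-RoomCalendarAccess -Folder $CalendarFolder -User 'alice@contoso.com'      -AccessRights Reviewer
Grant-RoomCalendarAccess -Folder $CalendarFolder -User 'facilities@contoso.com' -AccessRights Editor

# Keep the organiser and the original subject in the room's copy of each meeting
Set-CalendarProcessing -Identity $Room -AddOrganizerToSubject $true -DeleteSubject $false -DeleteComments $false

# Verify both halves
Get-MailboxFolderPermission -Identity $CalendarFolder | Select-Object User, AccessRights
Get-CalendarProcessing -Identity $Room | Select-Object AddOrganizerToSubject, DeleteSubject, DeleteComments
```

Two cautions. The folder is addressed by its display name, which is localised, so on a mailbox created in another language find the real path with Get-MailboxFolderStatistics -Identity $Room -FolderScope Calendar before using it. And LimitedDetails on the Default entry shows meeting subjects to everyone in the organisation who looks at the room, so for rooms used for sensitive meetings leave Default at the free/busy level and grant details only to named users.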