Articles in the "Mailbox Delegate Management" series
- Super duper delegate retrieval script
- PowerShell module for managing Exchange mailbox delegates
- Small update to delegate management module
- Delegate management module updated to v1.3.5
- Delegate management module updated to support Exchange Online
- Delegate management module updated to v1.4.5
- Delegate management module updated to 1.4.6
- Delegate management module updated to v1.5.0
- Delegate management module updated [This article]
The module has been updated to version 1.5.1. This version adds automatic support for localization of the Sent Items and Deleted Items folders. If the display name of those folders in the owner’s mailbox is not in English, the localized display name of the folder will be used when getting, setting, or removing delegates.
I have also added permission validation to the owner’s mailbox for the person executing a cmdlet. When using impersonation, if you don’t have permission to a mailbox Exchange responds with an error indicating as much. But if using full access, Exchange doesn’t respond with such an error, just failing on whatever request is being made. Usually when permission is the issue, the error contains “The specified object was not found in the store,” so the module checks for that error, informs you that it appears you don’t have permission, and then gracefully aborts the cmdlet.
Download the updated module and overwrite your existing copy. If you were already using v1.5.0, keep your existing settings file so your specific settings remain.
DelegateManagement.zip (9.2 KiB)
Hi Scott… the DelegateManagement module looks great… and just what I need to give c. 17 users access (to view items marked as Private) in c. 8 Shared Mailboxes but sadly I’ve got a small problem running it.
I’m starting off with a simple ‘Get-MailboxDelegate’ for a mailbox which I know has Delegates and the script is reporting ‘ has no delegates’.
I’m running this against a 3 month old Office 365 Tenant. I’m tried using Impersonation and not (and I’m using a user with appropriate rights – they’re a member of the ‘Discovery Management’ Admin Role). I have EWS Managed API 2.2 installed (maybe this is too new??). I’ve obviously allowed execution of non-digitally signed scripts etc.
I think I’ve read through everything you’ve written and all forum comments/posts about the module and can’t see anything that explains it. Any ideas what’s up?
Being a member of the Discovery Management role group does not grant permission to any mailboxes. (It allows you to search mailboxes through eDiscovery, but you’re never connecting first-hand to a mailbox.) You need to be granted either Full Access permission directly to the mailbox (Add-MailboxPermission) or be granted the ApplicationImpersonation role with a management scope that includes the mailbox (which is the default when you create a role assignment).
Hi Scott, thanks for producing this fantastic module. You’d said in a comment response to the very first post regarding this module that groups cannot be set as delegates but that’s not true – you absolutely can do it and in fact my org does it as part of standard operating procedures. Your module will also Delegate groups with get-mailboxDelegate but of course you can’t actually add or modify them via add/set-mailboxDelegate.
Is this a limitation of EWS or just of your module?
Thanks for your help.
Mail-enabled security groups can be added as delegates, but not distribution groups or Office 365 Groups. I can update the module to allow the supported group type as a delegate. I had started updating the module to support OAuth (in light of Basic auth deprecation, which has now been pushed back to 2021, but still needs to be added, regardless) and other things, like using JSON for the config file instead of XML. If you are wanting support for mail-enabled security groups right away, I can branch the current version and add it.