Determining if Shared Mailbox has delegates using Get-EXOMailbox cmdlet only in EXO V2, without addtional call to Get-EXOMailboxPermission

Animesh Anand 81 Reputation points
2020-10-08T00:54:36.423+00:00

For our solution, we had been using Exchange online V1 to connect to O365 to determine if shared mailboxes had delegates. We had been using the Get-Mailbox cmdlet to get information for all the shared mailboxes in one go.
Then we use the ExchangeSecurityDescriptor property to get the DiscretionaryAcl and then the DiscretionaryAcl.Get_Count() method to determine how many delegates does the mailbox have.

Now, when we are trying to use EXO V2(Get-EXOMailbox or Get-Mailbox) cmdlet, we are not getting the DiscretionaryAcl in the ExchangeSecurityDescriptor property. To determine if mailbox has delegates, we are now having to make additional Get-EXOMailboxPermission call for each mailbox identity.

This is slowing down our processing significantly. As earlier we were getting this information for all the mailboxes in a single cmdlet call and now we are required to do this with multiple calls.

For comparison refer the screenshot below:
**

  • ExchangeSecurityDescriptor.Value when using EXO V1:

**
30745-image.png

30670-image.png

**

  • ExchangeSecurityDescriptor.Value when using EXO V2:

**
30821-image.png

Microsoft Exchange Online
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 90,881 Reputation points MVP
    2020-10-08T12:16:25.873+00:00

    I think you're confusing things a bit. The difference you are seeing is because of the session type, not anything the V2 module introduces. More specifically, if you want the full object returned, you need to use implicit remoting.

    Here's an example that will work just fine in V2:

    (Invoke-Command -Session (Get-PSSession) -ScriptBlock {Get-Mailbox shared | Select-Object -ExpandProperty  ExchangeSecurityDescriptor}).DiscretionaryAcl.Count
    

    The REST based cmdlets will always return a string instead of the object, no workarounds there.


2 additional answers

Sort by: Most helpful
  1. Joyce Shen - MSFT 16,631 Reputation points
    2020-10-08T02:43:53.973+00:00

    Hi @Animesh Anand , generally we can use some scripts to help export the delegators for shared mailbox.

    This link provides a good example to meet this need: Export Shared Mailbox Permission Report to CSV and referrring to the detailed usages about this script here

    I tried the script in my environment:

    30759-qa-2020-10-08-10-42-41.png


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
     
     

    1 person found this answer helpful.
    0 comments No comments

  2. Animesh Anand 81 Reputation points
    2020-10-08T02:49:10.117+00:00

    @Joyce Shen - MSFT , at the moment to overcome this issue, I am piping the output of get-EXOMailbox to get-EXOMailBoxPermission. However, this is still an additonal call. Earlier(in EXO V1) we used to get this information with just the Get-MailBox call.
    Thank you for the script, I'll have a look and see if that helps.

    0 comments No comments