Permissions

Azure AD vs Exchange/SharePoint/Etc Permissions

So in Azure, Azure AD controls all the permissions. In Microsoft 365 there are a bunch of different applications like SharePoint and Exchange that were built alongside Azure and have their own permissions model on top of it. So the Exchange Admin Center (EAC) has a permissions area that holds all the permissions relevant to Exchange. Here’s a direct quote from the learn docs:

Other online services have their own permission models. For example, Exchange Online uses a similar Azure RBAC model to define administrator roles, but it also uses a security model based on individual permissions for its mailboxes. SharePoint Online has its own security permission model based on security groups, permissions, and permission levels. This model enables administrators to assign individual permissions or groups of permissions to its resources, such as site collections, sites, and documents.

Just In Time Permissions

There’s a thing called Privileged Identity Management which gives you just-in-time permissions to do things. It seems that the main workflow is that when you request access, that access has to be approved by a person. This makes it not so useful for me.

Here’s a link that goes over a bunch of stuff.

Powershell

Install

You can install PowerShell via snap.

Prep for module installs

By default, Install-Module does not trust the built-in repository (PSGallery). You can use this to check which repositories you have enabled:

Get-PSRepository

And use this to trust PSGallery.

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

Get Help

You can prepend any command with Get-Help. It’s like man. However, you can also do something like

Get-Help Set-PSRepository -Examples

to get a whole bunch of examples of the Set-PSRepository command.

Installing Management Shit

Exchange Online

Simply install the ExchangeOnlineManagement module using

Install-Module ExchangeOnlineManagement

AzureAD/MSOnline/Microsoft.Graph

AzureAD Vs MSOnline vs Microsoft.Graph:

MSOnline has been deprecated. Commands from here have Msol in their name. You get that info on a careful reading of this documentation.

AzureAD was the new way of doing things. Commands from here have AzureAD in their name. However, very recently Microsoft announced that they are going to stop supporting the endpoints that AzureAD uses in June 2022.

Microsoft.Graph is the current best practice way to do things.

Installing AzureAD

This is somewhat complicated because it’s not technically supported on Linux. Yet. I went digging and found this GitHub issue which gives the following:

Register-PackageSource -Trusted -ProviderName 'PowerShellGet' -Name 'Posh Test Gallery' -Location https://www.poshtestgallery.com/api/v2/
Install-Module -Name AzureAD.Standard.Preview
Import-Module AzureAD.Standard.Preview

This worked for me.

Installing Microsoft.Graph

This is supported on linux. Docs

Install-Module Microsoft.Graph -Scope CurrentUser

I will note that Microsoft.Graph has a very strong sense of permissions. When connecting, you don’t get all the permissions your user has by default. Instead you get basically only the permissions (scopes) you request. So here’s an example of connecting and asking for permissions.

Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"
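Since a Graph session only has the scopes you asked for, it is worth checking what you actually got before doing any work. The following is an added example (not from the original notes, and not Microsoft’s own sample code) that connects with read-only scopes, verifies them via Get-MgContext, and then does a read-only listing of Global Administrator members; it assumes the Microsoft.Graph module is already installed.

```powershell
# Added example: least-privilege Graph session with a scope check.
# Only read scopes are requested, so nothing in this script can change the tenant.
$requiredScopes = @('User.Read.All', 'Directory.Read.All')

Connect-MgGraph -Scopes $requiredScopes

# Get-MgContext reports the scopes consented to for this session. A scope can be
# missing if the consent prompt was declined or an admin has restricted the app.
$granted = (Get-MgContext).Scopes
$missing = $requiredScopes | Where-Object { $granted -notcontains $_ }
if ($missing) {
    throw "Session is missing required scopes: $($missing -join ', ')"
}

# Read-only inventory of Global Administrators (a typical privileged-access audit).
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if ($role) {
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
        # Role members can be users or service principals; only resolve the users.
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName,UserPrincipalName } |
        Select-Object DisplayName, UserPrincipalName
}

Disconnect-MgGraph
```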

Other Powershell Shit

  • Get-Credential: this is built into PowerShell. It returns a special “Credential Object” holding a username and password (so no MFA). Docs

Exchange Online

Overall Notes

The new Exchange Admin Center (EAC) is still kinda fresh and buggy. Since I don’t wanna learn some old shit, the recommended approach is to use PowerShell. Not only can I script this and stuff, but it’s not on its way out and it’s not buggy.

Setting Up Powershell

Logging In

There are a bunch of different ways to log in. First off, let’s list the ways that ultimately end up opening something in the browser that you log into using the normal flow.

  • Connect-ExchangeOnline -UserPrincipalName user@example.com

    This feels like the Right Way to do things if you can. “UserPrincipalName” is just your username. When you press enter it opens a tab where you can enter your creds (or at least it should). You’ll get an error if you do this on a droplet.

  • Connect-ExchangeOnline -Device

    This is the device-code flow, for when you’re logging in from a device with no browser. It gives you a link and a little code. You open the link on another device and enter the code. Then you log in and boop. You’re done.

Now for the login methods that use a username and password.

  • $UserCredential = Get-Credential
    Connect-ExchangeOnline -Credential $UserCredential

    I get the impression that if you’re gonna be a scrub and not have MFA (or use the above methods), this is The Way.

  • Connect-ExchangeOnline -InlineCredential

    This will prompt you for your username and password.

Archiving

Archive Folder vs In-Place/Online Archive

According to this article there are two things to know.

  • The “archive” folder that you see by default when you open Outlook on the web is just a folder. The Online Archive is the actual archiving feature that gives you more storage and such.

  • Online Archive and In-Place Archive are the same thing.

Enabling Archiving

Archiving is not enabled by default, so you have to go in and do that by hand. Not only that, but the new EAC is still kinda buggy, so it doesn’t always work when you try to do it there. So I’ll give you three different ways to do this, which I got from the docs.

Powershell

First you need to get the names of users with mailboxes:

> Get-Mailbox
Name                      Alias           Database                       ProhibitSendQuota    ExternalDirectoryObjectId
----                      -----           --------                       -----------------    -------------------------
DiscoverySearchMailbox{D… DiscoverySearc… NAMPR13DG079-db105             50 GB (53,687,091,2… 
PiaGallegos               pia             NAMPR13DG129-db137             49.5 GB (53,150,220… b633c3a0-911a-474e-8a7a-846d354b9b1a

You can use the name or alias for this next part (Identity).

Enable-Mailbox -Identity pia -Archive

There is also the command Disable-Mailbox which does what you would expect.
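Putting the login and archiving steps above together: the following is an added example (not from the original notes) that enables the Online Archive for every user mailbox that doesn’t have one yet and then verifies the result. It assumes the ExchangeOnlineManagement module is installed and that you are on a headless box, so it uses the device-code login.

```powershell
# Added example: bulk-enable the Online Archive with a dry run first.
Connect-ExchangeOnline -Device

# Only real user mailboxes: this skips system mailboxes like DiscoverySearchMailbox.
# ArchiveStatus stays 'None' until Enable-Mailbox -Archive has been run.
$needArchive = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { $_.ArchiveStatus -ne 'Active' }

foreach ($mbx in $needArchive) {
    # -WhatIf only prints what would happen; remove it to actually enable the archive.
    Enable-Mailbox -Identity $mbx.Alias -Archive -WhatIf
}

# Get-Mailbox -Archive lists only mailboxes that already have an archive,
# so this is the check that the change took effect.
Get-Mailbox -Archive -ResultSize Unlimited |
    Select-Object Name, Alias, ArchiveStatus, ArchiveQuota

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with -WhatIf to see which mailboxes would be touched, then again without it.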

From the compliance center

This kinda doesn’t work, but: go to the compliance center, then hit the tab on the right that says “Information governance”, and there should be a tab up top that says “Archive”.

From the new EAC

On the left side tabs, under “Recipients”, hit “Mailboxes”. Now click the username and a pane on the right should show up. Under “More actions” there should be a “Manage mailbox archive” option, and you can just toggle it there.

Stuff To Do

  • Delete default archive mailbox

  • Enable archive mailboxes

  • Ask pia if she wants me to set up a retention label for the serious shit in her archive