@poiriersimon
Last active February 25, 2019 18:13
Script to extract Shared Mailbox permissions in EXO and expand (nested) DGs if present
<#
.SYNOPSIS
Extracts the Full Access permissions of a Shared Mailbox and produces the full list of users
.DESCRIPTION
Extracts the Full Access permissions of a Shared Mailbox and produces the full list of users
.PARAMETER SharedMailbox
Name of the Shared Mailbox to gather data from
.PARAMETER ExportCSV
Folder to which the CSV file is exported
.INPUTS
None
.OUTPUTS
Outputs the unique members as an array
.NOTES
Version: 1.0
Author: Simon Poirier
Creation Date: 2019-02-05
Purpose/Change: Initial script development
.EXAMPLE
.\Extract-SharedMailboxPermission.ps1 -SharedMailbox SMB-Test1
#>
#################################################################################
#
# The sample scripts are not supported under any Microsoft standard support
# program or service. The sample scripts are provided AS IS without warranty
# of any kind. Microsoft further disclaims all implied warranties including, without
# limitation, any implied warranties of merchantability or of fitness for a particular
# purpose. The entire risk arising out of the use or performance of the sample scripts
# and documentation remains with you. In no event shall Microsoft, its authors, or
# anyone else involved in the creation, production, or delivery of the scripts be liable
# for any damages whatsoever (including, without limitation, damages for loss of business
# profits, business interruption, loss of business information, or other pecuniary loss)
# arising out of the use of or inability to use the sample scripts or documentation,
# even if Microsoft has been advised of the possibility of such damages
#
#################################################################################
#requires -version 3
#Requires -Modules MSOnline
[CmdletBinding()]
Param(
    # Identity of the shared mailbox whose Full Access entries are read.
    [Parameter(Mandatory)]
    [string]
    $SharedMailbox,

    # Optional folder; when given, the result is written there as a CSV instead of being returned.
    [Parameter()]
    [string]
    $ExportCSV
)
begin {
#From : https://365lab.net/2016/01/07/recursively-enumerate-azure-ad-group-members-with-powershell/
#Minor update at line 32 of the original post: added [array], as suggested in a comment there
function Get-JDMsolGroupMember {
    <#
    .SYNOPSIS
    Enumerates the members of an Azure AD (MSOL) group, optionally descending into nested groups.
    .DESCRIPTION
    Lists the User members of the group identified by ObjectId. With -Recursive, every Group
    member is expanded in turn and the users found that way are merged into the result. The
    combined list is de-duplicated on EmailAddress before it is written to the pipeline.
    Requires an existing Connect-MsolService session; the begin block probes for one with
    Get-MsolAccountSku.
    .PARAMETER ObjectId
    ObjectId (GUID) of the group to enumerate. Validated by looking the group up with Get-MsolGroup.
    .PARAMETER Recursive
    Expand nested groups instead of listing only direct User members.
    .EXAMPLE
    Get-JDMsolGroupMember 6d34ab03-301c-4f3a-8436-98f873ec121a
    .EXAMPLE
    Get-JDMsolGroupMember -ObjectId 6d34ab03-301c-4f3a-8436-98f873ec121a -Recursive
    .EXAMPLE
    Get-MsolGroup -SearchString "Office 365 E5" | Get-JDMsolGroupMember -Recursive
    .NOTES
    Author : Johan Dahlbom, johan[at]dahlbom.eu
    Blog : 365lab.net
    The script is provided "AS IS" with no guarantees, no warranties, and it confers no rights.
    NOTE(review): there is no visited-set / cycle detection in the recursion; whether the
    directory can present a nesting loop is not established here.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)]
        [ValidateScript({ Get-MsolGroup -ObjectId $_ })]
        $ObjectId,

        [switch]$Recursive
    )
    begin {
        # Get-MsolAccountSku fails without a session; errors/warnings are ignored so the probe stays quiet.
        $accountSku = Get-MsolAccountSku -ErrorAction Ignore -WarningAction Ignore
        if (-not $accountSku) {
            throw "Not connected to Azure AD, run Connect-MsolService"
        }
    }
    process {
        Write-Verbose -Message "Enumerating group members in group $ObjectId"
        # Direct User members first; [array] keeps += well-defined when zero or one member comes back.
        [array]$members = Get-MsolGroupMember -GroupObjectId $ObjectId -MemberObjectTypes User -All
        if ($PSBoundParameters['Recursive']) {
            $nestedGroups = Get-MsolGroupMember -GroupObjectId $ObjectId -MemberObjectTypes Group -All
            if ($nestedGroups) {
                Write-Verbose -Message "$ObjectId have $($nestedGroups.count) group(s) as members, enumerating..."
                foreach ($nested in $nestedGroups) {
                    Write-Verbose "Enumerating nested group $($nested.Displayname) ($($nested.ObjectId))"
                    $members += Get-JDMsolGroupMember -Recursive -ObjectId $nested.ObjectId
                }
            }
        }
        # A user reachable through several nested groups is reported once.
        Write-Output ($members | Sort-Object -Property EmailAddress -Unique)
    }
}
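# Both services are needed: MSOL for group expansion, Exchange Online for mailbox permissions.
# Failing here, in begin, stops the script before any query work is done.
$MSOLAccountSku = Get-MsolAccountSku -ErrorAction Ignore -WarningAction Ignore
if (-not $MSOLAccountSku) {
    throw "Not connected to Azure AD, run Connect-MsolService"
}
Try {
    # Used only as a session probe; the returned configuration is not read anywhere.
    $OrgConfig = Get-OrganizationConfig -ErrorAction Stop
}
Catch {
    # Keep the underlying error: a throttled or timed-out session would otherwise be
    # reported as "not connected" with no way to tell the two apart.
    throw "Not connected to Exchange Online, run Connect-EXOPSSession ($($_.Exception.Message))"
}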
}
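process {
    # 1 - Full Access entries on the shared mailbox.
    #     Kept: explicit Allow entries whose AccessRights include FullAccess.
    #     Dropped: Deny entries, DOMAIN\name style entries (e.g. NT AUTHORITY\SELF) and
    #     unresolved S-1-5-21* SIDs. NOTE(review): those SIDs are presumably entries for
    #     principals that no longer exist; they are excluded rather than surfaced, which an
    #     access review may want to revisit.
    Try {
        [array]$PermissionList = Get-MailboxPermission $SharedMailbox -ResultSize unlimited -ErrorAction Stop |
            Where-Object { $_.Deny -eq $False -and $_.User -notlike "*\*" -and $_.User -notlike "S-1-5-21*" -and $_.AccessRights -contains "FullAccess" }
    }
    Catch {
        Throw "Couldn't retrieve Mailbox Permission for $SharedMailbox ($($_.Exception.Message))"
    }
    if (-not $PermissionList) {
        # Nothing to resolve; leave an empty list so the end block produces an empty result.
        Write-Warning "No explicit Full Access entries found on $SharedMailbox"
        [array]$RecipientList = @()
        return
    }

    # 2 - Resolve each grantee to a recipient so its type (user vs. group) is known.
    [array]$RecipientList = $PermissionList |
        Select-Object -ExpandProperty User |
        Get-Recipient -ResultSize unlimited |
        Select-Object DisplayName, PrimarySmtpAddress, Alias, RecipientType

    # 3 - Expand distribution / mail-enabled security groups through MSOL, nested groups included.
    [array]$MSOLUsers = @()
    [array]$GroupGrantees = $RecipientList | Where-Object { $_.RecipientType -like "*MailUniversal*Group" }
    foreach ($Group in $GroupGrantees) {
        # -SearchString can return more than one group; every match is expanded and the
        # operator is told to validate by hand.
        [array]$MSOLGroups = Get-MsolGroup -SearchString $Group.PrimarySmtpAddress
        if ($MSOLGroups.Count -gt 1) {
            Write-Warning "Multiple Group Matching the Primary Email Address $($Group.PrimarySmtpAddress), please do manual validation"
        }
        foreach ($MSOLGroup in $MSOLGroups) {
            [array]$MSOLUsers += Get-JDMsolGroupMember $MSOLGroup.ObjectId -Recursive | Select-Object EmailAddress
        }
    }

    # 4 - Final user list: direct grantees that are not groups, plus the expanded group members.
    #     Users with a mailbox in Exchange Online have RecipientType UserMailbox, mail-enabled
    #     users without one are MailUser; both can hold Full Access directly, so only group
    #     types are excluded here (keeping just "MailUser" would drop the UserMailbox grantees).
    $RecipientList = $RecipientList | Where-Object { $_.RecipientType -notlike "*Group*" }
    # De-duplicate before the per-user lookup so a member of several groups is resolved once.
    foreach ($MSOLUser in ($MSOLUsers | Sort-Object -Property EmailAddress -Unique)) {
        # A member without an e-mail address cannot be looked up as a recipient; skip it.
        if ([string]::IsNullOrEmpty($MSOLUser.EmailAddress)) { continue }
        [array]$RecipientList += Get-Recipient $MSOLUser.EmailAddress
    }
}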
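end {
    # Same projection for both output paths; -Unique collapses users reached more than once.
    $Result = $RecipientList | Select-Object -Unique DisplayName, PrimarySmtpAddress, Alias
    if (-not [string]::IsNullOrEmpty($ExportCSV)) {
        if (-not (Test-Path $ExportCSV)) {
            # $null = ... keeps the DirectoryInfo New-Item emits out of the script's output.
            $null = New-Item -Path $ExportCSV -ItemType Directory
        }
        # Fixed ISO date: the culture-dependent short date ("d") can contain '/', which is
        # not valid in a file name. The mailbox identity is likewise stripped of characters
        # that are invalid in file names (or would act as path separators).
        $SafeName = $SharedMailbox -replace '[\\/:*?"<>|]', '_'
        $FileName = "$SafeName - $(Get-Date -Format 'yyyy-MM-dd').csv"
        $Result | Export-Csv -NoTypeInformation -Path (Join-Path $ExportCSV $FileName)
    }
    else {
        Return $Result
    }
}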