
First published at https://nivleshc.wordpress.com
When planning to migrate mailboxes to Office 365, take care over which mailboxes are moved together. The rule of thumb is “those that work together, move together”. The reason for this approach is that some permissions do not work cross-premises and can cause issues. For instance, if a mailbox has delegate permissions to another mailbox (permissions that have been assigned using the Outlook email client) and one is migrated to Office 365 while the other remains on-premises, the delegate permissions are broken, as they do not work cross-premises.

During the recent Microsoft Ignite, it was announced that there are a lot of features coming to Office 365 which will help with the cross-premises access issues.

I have been using Roman Zarka’s Export-MailboxPermissions.ps1 script (part of the https://blogs.technet.microsoft.com/zarkatech/2015/06/11/migrate-mailbox-permissions-to-office-365/ bundle) to export all on-premises mailbox permissions, then using the output to decide which mailboxes move together. Believe me, this can be quite a challenge!
Recently, while having a casual conversation with one of my colleagues, I was introduced to an Excel spreadsheet that he had created. Being the Excel guru that he is, he was doing various VLOOKUPs into the outputs from Roman Zarka’s script, to find out if the mailboxes he was intending to migrate had any permission dependencies with other mailboxes. I just stared at the spreadsheet with awe, and uttered the words “dude, that is simply awesome!”
I was hooked on that spreadsheet. However, I started craving for it to do more. So I decided to take it on myself to add some more features to it. However, not being too savvy with Excel, I decided to use PowerShell instead. Thus was born Find_MailboxPermissions_Dependencies.ps1.
I will now walk you through the script and explain what it does.

  1. The first pre-requisite for Find_MailboxPermissions_Dependencies.ps1 is the set of four output files from Roman Zarka’s Export-MailboxPermissions.ps1 script (MailboxAccess.csv, MailboxFolderDelegate.csv, MailboxSendAs.csv, MailboxSendOnBehalf.csv).
  2. The next pre-requisite is details about the on-premises mailboxes. The on-premises Exchange environment must be queried and the details output into a csv file with the name OnPrem_Mbx_Details.csv. The csv must contain the following information (under the following column headings): “DisplayName, UserPrincipalName, PrimarySmtpAddress, RecipientTypeDetails, Department, Title, Office, State, OrganizationalUnit”
  3. The last pre-requisite is information about mailboxes that are already in Office 365. Use PowerShell to connect to Exchange Online and then run the following command (where O365_Mbx_Details.csv is the output file):
    Get-Mailbox -ResultSize unlimited | Select DisplayName,UserPrincipalName,EmailAddresses,WindowsEmailAddress,RecipientTypeDetails | Export-Csv -NoTypeInformation -Path O365_Mbx_Details.csv 

    If there are no mailboxes in Office 365, then create a blank file and put the following column headings in it: “DisplayName”, “UserPrincipalName”, “EmailAddresses”, “WindowsEmailAddress”, “RecipientTypeDetails”. Save the file as O365_Mbx_Details.csv.

  4. Next, put the above files in the same folder and then update the variable $root_dir in the script with the path to the folder (the path must end with a )
  5. It is assumed that the above files have the following names
    • MailboxAccess.csv
    • MailboxFolderDelegate.csv
    • MailboxSendAs.csv
    • MailboxSendOnBehalf.csv
    • O365_Mbx_Details.csv
    • OnPrem_Mbx_Details.csv
  6. Now that all the inputs have been taken care of, run the script.
  7. The first task the script does is to validate that the input files are present. If any of them are not found, the script outputs an error and terminates.
  8. Next, the files are read and stored in memory.
  9. Now for the heart of the script. It goes through each of the mailboxes in the OnPrem_Mbx_Details.csv file and finds the following:
    • all mailboxes that have been given SendOnBehalf permissions to this mailbox
    • all mailboxes that this mailbox has been given SendOnBehalf permissions on
    • all mailboxes that have been given SendAs permissions to this mailbox
    • all mailboxes that this mailbox has been given SendAs permissions on
    • all mailboxes that have been given Delegate permissions to this mailbox
    • all mailboxes that this mailbox has been given Delegate permissions on
    • all mailboxes that have been given Mailbox Access permissions on this mailbox
    • all mailboxes that this mailbox has been given Mailbox Access permissions on
    • whether the other mailbox in each of the above permissions (the one this mailbox has given permissions to, or has got permissions on) has already been migrated to Office 365
  10. The results are then output to a csv file (the name of the output file is of the format Find_MailboxPermissions_Dependencies_{timestamp of when script was run}_csv.csv).
  11. The columns in the output file are explained below:
| Column Name | Description |
| --- | --- |
| PermTo_OtherMbx_Or_FromOtherMbx? | This is Y if the mailbox has given permissions to or has permissions on other mailboxes. It is N if there are no permission dependencies for this mailbox |
| PermTo_Or_PermFrom_O365Mbx? | This is TRUE if the mailbox that this mailbox has given permissions to or has permissions on is already in Office 365 |
| Migration Readiness | This is a color code based on the migration readiness of this permission. This will be further explained below |
| DisplayName | The display name of the on-premises mailbox for which the permission dependency is being found |
| UserPrincipalName | The userprincipalname of the on-premises mailbox for which the permission dependency is being found |
| PrimarySmtp | The primarySmtp of the on-premises mailbox for which the permission dependency is being found |
| MailboxType | The mailbox type of the on-premises mailbox for which the permission dependency is being found |
| Department | The department the on-premises mailbox belongs to (inherited from Active Directory object) |
| Title | The title that this on-premises mailbox has (inherited from Active Directory object) |
| SendOnBehalf_GivenTo | Email address of the mailbox that has been given SendOnBehalf permissions to this on-premises mailbox |
| SendOnBehalf_GivenOn | Email address of the mailbox that this on-premises mailbox has been given SendOnBehalf permissions to |
| SendAs_GivenTo | Email address of the mailbox that has been given SendAs permissions to this on-premises mailbox |
| SendAs_GivenOn | Email address of the mailbox that this on-premises mailbox has been given SendAs permissions on |
| MailboxFolderDelegate_GivenTo | Email address of the mailbox that has been given Delegate access to this on-premises mailbox |
| MailboxFolderDelegate_GivenTo_FolderLocation | The folders of the on-premises mailbox that the delegate access has been given to |
| MailboxFolderDelegate_GivenTo_DelegateAccess | The type of delegate access that has been given on this on-premises mailbox |
| MailboxFolderDelegate_GivenOn | Email address of the mailbox that this on-premises mailbox has been given Delegate Access to |
| MailboxFolderDelegate_GivenOn_FolderLocation | The folders that this on-premises mailbox has been given delegate access to |
| MailboxFolderDelegate_GivenOn_DelegateAccess | The type of delegate access that this on-premises mailbox has been given |
| MailboxAccess_GivenTo | Email address of the mailbox that has been given Mailbox Access to this on-premises mailbox |
| MailboxAccess_GivenTo_DelegateAccess | The type of Mailbox Access that has been given on this on-premises mailbox |
| MailboxAccess_GivenOn | Email address of the mailbox that this mailbox has been given Mailbox Access to |
| MailboxAccess_GivenOn_DelegateAccess | The type of Mailbox Access that this on-premises mailbox has been given |
| OrganizationalUnit | The Organizational Unit for the on-premises mailbox |

The color codes in the column Migration Readiness correspond to the following

  • LightBlue – this on-premises mailbox has no permission dependencies and can be migrated
  • DarkGreen – this on-premises mailbox has got a Mailbox Access permission dependency to another mailbox. It can be migrated while the other mailbox remains on-premises, without experiencing any issues, as Mailbox Access permissions are supported cross-premises.
  • LightGreen – this on-premises mailbox can be migrated without issues as the permission dependency is on a mailbox that is already in Office 365
  • Orange – this on-premises mailbox has SendAs permissions given to, or on, another on-premises mailbox. If both mailboxes are not migrated at the same time, the SendAs capability will be broken. Lately, it has been noticed that this capability can be restored by re-applying the SendAs permissions to both the migrated and on-premises mailbox post migration.
  • Pink – the on-premises mailbox has FolderDelegate given to, or on, another on-premises mailbox. If both mailboxes are not migrated at the same time, the FolderDelegate capability will be broken. A possible workaround is to replace the FolderDelegate permission with Full Mailbox access, as this works cross-premises. However, there are privacy concerns around this workaround, as it enables the delegate to see all the contents of the mailbox instead of just the folders they had been given access on.
  • Red – the on-premises mailbox has SendOnBehalf permissions given to, or on, another on-premises mailbox. If both mailboxes are not migrated at the same time, the SendOnBehalf capability will be broken. A possible workaround could be to replace SendOnBehalf with SendAs; however, the possible implications of this change must be investigated.
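
The lookups in step 9 and the color codes above can be sketched as follows. This is an added example, not the code of Find_MailboxPermissions_Dependencies.ps1: the data is constructed, the column names Mailbox and User and the function New-PermissionIndex are assumptions, and treating every dependency on an already-migrated mailbox as LightGreen is this example's reading of the list.

```powershell
# Constructed sample data. The column names Mailbox and User are assumptions
# made for this example; the real export files may name them differently.
$exports = @{
    SendAs        = 'Mailbox,User', 'shared@contoso.example,alice@contoso.example',
                    'carol@contoso.example,'
    SendOnBehalf  = 'Mailbox,User', 'bob@contoso.example,Alice@contoso.example'
    MailboxAccess = 'Mailbox,User', 'shared@contoso.example,dave@contoso.example',
                    'carol@contoso.example,bob@contoso.example'
}
$onPrem = 'alice@contoso.example', 'bob@contoso.example', 'carol@contoso.example',
          'erin@contoso.example', 'shared@contoso.example'
$o365   = @{ 'dave@contoso.example' = $true }   # mailboxes already in Office 365
# Color when the other mailbox is still on-premises, per the list above.
$color  = @{ MailboxAccess = 'DarkGreen'; SendAs = 'Orange'
             FolderDelegate = 'Pink'; SendOnBehalf = 'Red' }

# Index one permission file in both directions (owner -> grantees, grantee -> owners).
function New-PermissionIndex($records) {
    $givenTo = @{}; $givenOn = @{}
    foreach ($rec in $records) {
        # A hashtable key cannot be null, so skip rows with a missing field.
        if ([string]::IsNullOrWhiteSpace($rec.Mailbox) -or
            [string]::IsNullOrWhiteSpace($rec.User)) { continue }
        $owner = $rec.Mailbox.Trim().ToLower(); $grantee = $rec.User.Trim().ToLower()
        if (-not $givenTo.ContainsKey($owner))   { $givenTo[$owner]   = @() }
        if (-not $givenOn.ContainsKey($grantee)) { $givenOn[$grantee] = @() }
        $givenTo[$owner] += $grantee; $givenOn[$grantee] += $owner
    }
    [pscustomobject]@{ GivenTo = $givenTo; GivenOn = $givenOn }
}
$index = @{}
foreach ($type in $exports.Keys) {
    $index[$type] = New-PermissionIndex ($exports[$type] | ConvertFrom-Csv)
}

# One row per permission dependency; LightBlue when a mailbox has none.
$report = foreach ($mbx in $onPrem) {
    $rows = foreach ($type in $index.Keys) {
        foreach ($dir in 'GivenTo', 'GivenOn') {
            $table = $index[$type].$dir
            if (-not $table.ContainsKey($mbx)) { continue }
            foreach ($other in $table[$mbx]) {
                # Assumption: an already-migrated counterpart wins over the type.
                $ready = if ($o365.ContainsKey($other)) { 'LightGreen' } else { $color[$type] }
                [pscustomobject]@{ Mailbox = $mbx; Permission = "${type}_$dir"
                                   Other = $other; Readiness = $ready }
            }
        }
    }
    if ($rows) { $rows } else {
        [pscustomobject]@{ Mailbox = $mbx; Permission = ''; Other = ''; Readiness = 'LightBlue' }
    }
}
$report | Sort-Object Mailbox | Format-Table -AutoSize
```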

Yay, the output has now been generated. All we need to do now is to make it look pretty in Excel 🙂
Carry out the following steps:

  • Import the output csv file into Excel, using the semi-colon “;” as the delimiter (I couldn’t use commas as the delimiter as sometimes the department, title etc. fields use them and this causes issues with the output file)
  • Create Conditional Formatting rules for the column Migration Readiness so that the fill color of this cell corresponds to the word in this column (for instance, if the word is LightBlue then create a rule to apply a light blue fill to the cell)

That’s it, folks! The mailbox permissions dependency spreadsheet is now ready. It provides a single-pane view of all the permissions across your on-premises mailboxes and gives a color-coded analysis of which mailboxes can be migrated on their own without any issues and which might experience issues if they are not migrated in the same batch as the ones they have permission dependencies on.

In the output file, for each on-premises mailbox, each line represents a permission dependency (unless the column PermTo_OtherMbx_Or_FromOtherMbx? is N). If there is more than one set of permissions applicable to an on-premises mailbox, these are displayed consecutively underneath each other.
It is imperative that the migration readiness of the mailbox be evaluated based on the migration readiness of all the permissions associated with that mailbox.
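
One way to apply this rule and to find which mailboxes have to share a batch, as an added example that is not part of the original script. It reads rows in the output format described above (constructed here and reduced to a few columns), keeps the worst color per mailbox, and groups mailboxes that are linked by Orange, Pink or Red rows; the severity order is an assumption.

```powershell
# Constructed rows in the output format described above: semicolon-delimited,
# reduced to the columns this example reads. All addresses are made up.
$rows = @'
Migration Readiness;PrimarySmtp;SendAs_GivenTo;SendAs_GivenOn;MailboxFolderDelegate_GivenTo;MailboxFolderDelegate_GivenOn;MailboxAccess_GivenTo
Pink;a@contoso.example;;;b@contoso.example;;
LightGreen;a@contoso.example;;;;;x@contoso.example
Pink;b@contoso.example;;;;a@contoso.example;
Orange;b@contoso.example;c@contoso.example;;;;
Orange;c@contoso.example;;b@contoso.example;;;
LightBlue;f@contoso.example;;;;;
'@ | ConvertFrom-Csv -Delimiter ';'
# Assumption: severity order, least to most disruptive when migrated alone.
$severity = @{ LightBlue = 0; LightGreen = 1; DarkGreen = 2; Orange = 3; Pink = 4; Red = 5 }
$blocking = 'Orange', 'Pink', 'Red'   # broken unless both mailboxes move together

$worst = @{}; $adj = @{}
foreach ($r in $rows) {
    $me = $r.PrimarySmtp.ToLower(); $color = $r.'Migration Readiness'
    # The other mailbox is whichever *_GivenTo / *_GivenOn column is filled in.
    $others = @()
    if ($blocking -contains $color) {
        $others = @($r.PSObject.Properties |
            Where-Object { $_.Name -match '_Given(To|On)$' -and $_.Value } |
            ForEach-Object { $_.Value.ToLower() })
    }
    # Roll up: a mailbox is only as ready as its worst permission row.
    foreach ($m in @($me) + $others) {
        if (-not $adj.ContainsKey($m)) { $adj[$m] = @() }
        if (-not $worst.ContainsKey($m) -or
            $severity[$color] -gt $severity[$worst[$m]]) { $worst[$m] = $color }
    }
    foreach ($o in $others) { $adj[$me] += $o; $adj[$o] += $me }
}

# Connected components over blocking dependencies = mailboxes to move together.
$seen = @{}
$batches = foreach ($start in ($adj.Keys | Sort-Object)) {
    if ($seen.ContainsKey($start)) { continue }
    $members = @(); $queue = New-Object System.Collections.Queue
    $queue.Enqueue($start); $seen[$start] = $true
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue(); $members += $cur
        foreach ($n in $adj[$cur]) {
            if (-not $seen.ContainsKey($n)) { $seen[$n] = $true; $queue.Enqueue($n) }
        }
    }
    $top = $members | Sort-Object { $severity[$worst[$_]] } | Select-Object -Last 1
    [pscustomobject]@{ Mailboxes = ($members | Sort-Object) -join ', '; Worst = $worst[$top] }
}
$batches | Format-Table -AutoSize
```

On the sample rows, mailboxes a, b and c end up in one batch (b links a to c) and f is on its own.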

Find_MailboxPermissions_Dependencies.ps1 can be downloaded from GitHub
A sample of the spreadsheet that was created using the output from the Find_MailboxPermissions_Dependencies.ps1 script can be downloaded from https://github.com/nivleshc/arm/blob/master/Sample%20Output_MailboxPermissions%20Dependencies.xlsx
I hope this script comes in handy when you are planning your migration batches and helps alleviate some of the headache that this task brings with it.
Till the next time, have a great day 😉


Felipe Moreno

Hi Kloud Team,
This article is amazing! Thank you for sharing.
I am sure that this content will help a lot of people around the world.
Greetings from Brazil

Eman Mamayson

Thank you Nivlesh 🙂

Kris

Thanks for this – you should add the below for Part 2
Get-Mailbox -ResultSize unlimited | Select DisplayName,UserPrincipalName,PrimarySmtpAddress,RecipientTypeDetails,Department,Title,Office,State,OrganizationalUnit | Export-Csv -NoTypeInformation -Path c:\OnPrem_Mbx_Details.csv

Mlee

Do I have the ability to edit my posts? I’d like to remove info.

Mlee

Ok so I didn’t catch that I had to run the other export script, but now I’ve run Roman Zarka’s Export-MailboxPermissions.ps1, which gave me the 4 files necessary. However, when running the script again after that, it gets to Creating Hashtable for O365 Mbxs and errors out. Not sure why… I don’t have any O365 mailboxes yet, so the directions above say to create an empty CSV with the necessary headers if you don’t have O365 mailboxes. Also states to create a csv called OnPrem_Mbx_Details.csv which is also empty… but contains the necessary headers. What am I missing here? Rerunning it produces…

Mlee

Hello, I figured it out, apparently I can’t read instructions very well ;). I had to also query myself for the OnPrem_Mbx_Details.csv data, then run the tool.
I have now completed the script and formatted the spreadsheet as instructed and all looks good.
If you can, can you remove my very first post and keep all the following posts, as they will be helpful for others, whereas the first one will not be useful.
Thanks

mrphilbrooks

Amazing! Will this also work for on-prem migration from 2010 to 2016?

Louis

Hi
my output file:
PermTo_OtherMbx_Or_FromOtherMbx?;PermTo_Or_PermFrom_O365Mbx?;Migration Readiness;DisplayName;UserPrincipalName;PrimarySmtp;MailboxType;Department;Title;SendOnBehalf_GivenTo;SendOnBehalf_GivenOn;SendAs_GivenTo;SendAs_GivenOn;MailboxFolderDelegate_GivenTo;MailboxFolderDelegate_GivenTo_FolderLocation;MailboxFolderDelegate_GivenTo_DelegateAccess;MailboxFolderDelegate_GivenOn;MailboxFolderDelegate_GivenOn_FolderLocation;MailboxFolderDelegate_GivenOn_DelegateAccess;MailboxAccess_GivenTo;MailboxAccess_GivenTo_DelegateAccess;MailboxAccess_GivenOn;MailboxAccess_GivenOn_DelegateAccess;OrganizationalUnit
What am I doing wrong?

Greg Fisher

Nivlesh – This script works great – I was just wondering, how do you work out the batches from the output? Do I have to follow the trail to every user? For instance, User A has given editor access on his calendar to User B and User C. Ok, so we know User A, B, and C have to move together for sure. But what if User B has given access to his calendar to User D? That would mean that Users A, B, C, and D have to be moved together. How do I find all of the dependencies…

Greg Fisher

Thanks again, Nivlesh – I ended up using my wife’s legendary Excel skills to create for me a series of pivots and tables wherein I could use your source data and in a sheet I could add the names of the people I wanted to move at once (a pilot group, for example). The sheet is slick enough to show me the number of and names of the dependencies in that group. I then add those dependencies, which may or may not show me more that need to move together – until I get to zero outstanding dependencies. At that…

sfilinto

Great script Nivlesh!!
Any suggestions on how to list out mailboxes using the authOrig & unAuthOrig attributes (senders that are allowed to send to a mailbox) and to map the dependencies?
This feature too does not work across a hybrid deployment and needs the receiver & sender mailboxes to be moved together.
(The value of the attribute is a DN.)

Howell Strain

I have a user who has MailboxAccess_GivenOn and SendAs_GivenOn on the same mailbox so he shows up as both Dark Green and Orange. Do you have a method to reconcile this discrepancy for how safe he is to migrate? I expect this would be the same problem if rights were split across a couple mailboxes. It would be safe to work from most difficult to least difficult but not the other way around.

Julian Gudsell

Love your work Niv!

Mark

Hi Niv – I hope this message gets to you as I am having a problem with the script. I have run the prereq script and have the 4 output CSV files. I have exported onprem mailbox info and manually created the O365 file. I have verified all headers are correct. When running the Find script, I receive the following error:
    Exception getting “Item”: “Key cannot be null. Parameter name: key”
    At D:\Scripts\Mark\O365\Dependencies\Find_MailboxPermissions_Dependencies.ps1:241 char:9
    + $existing_value = $hash_MailboxSendOnBehalf_GivenTo.Item($rec …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], GetValueInvocationException
    + FullyQualifiedErrorId : ExceptionWhenGetting
Appreciate the help! Mark

Deeps

Hello Niv, I am also getting the same error as Mark.
    >Reading File
    >>>>Reading Mailbox SendOnBehalf file..Done. Read 3208 records
    >>>>Reading Mailbox SendAs file..Done. Read 3837 records
    >>>>Reading Mailbox Folder Delegate file..Done. Read 21755 records
    >>>>Reading Mailbox Access file..Done. Read 9487 records
    >>>>Reading O365 Mbxs file..Done. Read 26 records
    >>>>Reading OnPrem Mbxs file..Done. Read 5548 records
    >>>>Creating HashTable for MailboxSendOnBehalf_GivenToException getting “Item”: “Key cannot be null. Parameter name: key”
    At C:\Mailbox Migrations\Find_MailboxPermissions_Dependencies.ps1:241 char:9
    + $existing_value = $hash_MailboxSendOnBehalf_GivenTo.Item($rec …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], GetValueInvocationException
    + FullyQualifiedErrorId : ExceptionWhenGetting
I have made sure all the steps are followed…

Rahim

Hi, I can’t seem to figure out where to download the script from. Searching on GitHub shows no results. Can you point me in the right direction?
