AutoMapping through Distribution Groups on 365


We use regular mailboxes and shared mailboxes in our Office 365 deployment, and love the automapping feature that automatically adds the mailbox to a user's Outlook when they have full control.


The only issue I've had that I'm trying to find a resolution on is how to use automapping when a user doesn't have direct/explicit permission to a mailbox.


For example: I have given myself permissions to a DL which in turn has Full Access to a 365 mailbox. The permissions are correct, and I can add the mailbox manually, but the automapping doesn't work and it won't mount the mailbox automatically. Is there a way to have the automapping feature look a level deeper and/or expand the contents of a Distribution Group to grab all the users inside? Thanks in advance!

Verified Answer
  • Here's how we're doing it:


    Create a group in AD and populate it with the users who you'd like to automap to the specified mailbox.  This AD group does not need to be synched to Office 365 as a distribution group.  You just need something to organize your users.


    Setup a recurring job on your local DirSync server (or whatever) which executes a PowerShell script which does the following:

    1. Compile a string array of all of the user names in the specified AD group using the "Get-ADGroupMember" cmdlet. You may have to go recursive if the AD group contains other groups as well as users.
    2. Use the "Get-MailboxPermission" cmdlet to compile a second string array of all of the user names which have already had automapping permission applied to the specified mailbox.
    3. Compare the two arrays of user names and, for those names not already set for automapping, execute:
      • Add-MailboxPermission -Identity $mailboxName -User $userNameToAdd -AccessRights 'FullAccess' -AutoMapping:$true
    4. Perform cleanup on the mailbox by comparing the arrays again, this time finding those user names which have automapping configured but are no longer members of the AD group. If any are present, execute (removing FullAccess also removes the automap; Remove-MailboxPermission has no -AutoMapping parameter):
      • Remove-MailboxPermission -Identity $mailboxName -User $userNameToRemove -AccessRights FullAccess -InheritanceType All

    Hopefully all of this makes sense and is helpful to you!

    -Dan

All Replies

  • Thanks Dan! This is a great way to think about it, especially since you have to wait for DirSync to do its thing before changes would be synced to 365 anyway. My follow-up question to you regarding this is: do you manually update a CSV (or something like that) from which your PowerShell script pulls a list of all AD groups that should be viewed and then applied? Or do you have it automated somehow? Thanks!

  • Yeah, it's pretty nice since I can leave the group administration to my help desk staff and all the associated changes in Office 365 are handled by the script.

    I actually wrapped everything into a function within PowerShell.  I supply the name of the mailbox to be administered as well as the name of the local AD group as parameters.

  • I put all of the automapping control groups in a separate OU which I query to retrieve all their names.  This way I don't need to maintain a list of the actual group names.  I just iterate through all of the group names to perform the maintenance.  I name each group something like "AutoMap - sharedmailbox@our.org" so I can parse out the mailbox name and use that as one of the parameters.

  • This seems to be working fine for us.

  • Great, thanks for the helpful insight.

  • I am wondering what is the command that you use for Step #2.  I have tried different variations and have not been able to identify who has this value set to true.  Example of one of my many variations:  Get-MailboxPermission -Identity  helpdesk@someplace.com | where ($_.AutoMapping -eq $true) | Select user

  • AutoMapping (Mailbox Autodiscovery) occurs when a user is assigned full access to a designated mailbox. So, if you run the following cmdlet:

    Add-MailboxPermission -Identity $MailboxName -User $UserPrincipalName -AccessRights 'FullAccess';

    ...the next time they start Outlook, that mailbox will be automapped for them.  Now, there isn't a flag or attribute to look for when you're studying a specified mailbox as you look for users who will automap to it. All you need to do is run:

    $users = Get-MailboxPermission -Identity $MailboxName;

    ...and look to see who has "FullAccess" permission for the mailbox.
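The following is an added example, not the source file attached to the thread (which is not on this page) and not Dan's own function. It puts the four steps of the verified answer, the "AutoMap - mailbox@our.org" group-naming convention from the later reply, and the Get-MailboxPermission filtering just described into one runnable script. It assumes the ActiveDirectory module is loaded, an Exchange Online session is already open (Connect-ExchangeOnline from the ExchangeOnlineManagement module does this today; the thread used MSOnline), that Get-MailboxPermission reports cloud users by UPN, and that the control groups live in a hypothetical OU "OU=AutoMap,OU=Groups,DC=corp,DC=example".

```powershell
# Added example (not the thread author's script). Assumptions: ActiveDirectory
# module loaded, Exchange Online session open, Get-MailboxPermission returns
# cloud users as UPNs, control groups named "AutoMap - <mailbox address>"
# living in the hypothetical OU below.
#Requires -Modules ActiveDirectory

function Get-AutoMapTargetUsers {
    # Step 1: UPNs of every user in the control group, expanding nested groups.
    # (Get-ADGroupMember -Recursive stops at the ADWS result limit, 5000 by
    # default; split very large groups or raise MaxGroupOrMemberEntries.)
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$GroupName)

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            (Get-ADUser -Identity $_.distinguishedName -Properties UserPrincipalName).UserPrincipalName
        } |
        Where-Object { $_ } |          # accounts without a UPN cannot be resolved in 365
        Sort-Object -Unique
}

function Get-AutoMapCurrentUsers {
    # Step 2: UPNs holding an explicit FullAccess grant on the mailbox. There is
    # no AutoMapping attribute to query; FullAccess itself is what automaps, so
    # the ACL is the only record. Inherited entries (NT AUTHORITY\SELF, Exchange
    # trustees), Deny entries and orphaned SIDs are not user grants and are dropped.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Mailbox)

    Get-MailboxPermission -Identity $Mailbox |
        Where-Object {
            ($_.AccessRights -contains 'FullAccess') -and
            -not $_.IsInherited -and
            -not $_.Deny -and
            ($_.User -notlike 'NT AUTHORITY\*') -and
            ($_.User -notlike 'S-1-5-*')
        } |
        ForEach-Object { $_.User.ToString() } |
        Sort-Object -Unique
}

function Sync-AutoMapPermissions {
    # Steps 3 and 4: grant what the group says, revoke what it no longer says.
    # SupportsShouldProcess gives the scheduled job a -WhatIf dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$GroupName
    )

    $wanted   = @(Get-AutoMapTargetUsers -GroupName $GroupName)
    $current  = @(Get-AutoMapCurrentUsers -Mailbox $Mailbox)
    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })

    foreach ($upn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($Mailbox, "Grant FullAccess (automap) to $upn")) {
            Add-MailboxPermission -Identity $Mailbox -User $upn -AccessRights FullAccess `
                -InheritanceType All -AutoMapping:$true | Out-Null
        }
    }
    foreach ($upn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($Mailbox, "Revoke FullAccess from $upn (left $GroupName)")) {
            # Revoking FullAccess removes the automap; Remove-MailboxPermission has
            # no -AutoMapping switch. -Confirm:$false suppresses its own prompt,
            # since ShouldProcess above already decided.
            Remove-MailboxPermission -Identity $Mailbox -User $upn -AccessRights FullAccess `
                -InheritanceType All -Confirm:$false
        }
    }
    [pscustomobject]@{ Mailbox = $Mailbox; Group = $GroupName; Added = $toAdd; Removed = $toRemove }
}

function Invoke-AutoMapMaintenance {
    # Driver: enumerate every control group in the OU and parse the target
    # mailbox out of the group name, so no separate list of groups is kept.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SearchBase = 'OU=AutoMap,OU=Groups,DC=corp,DC=example')   # assumed OU

    foreach ($group in Get-ADGroup -Filter "Name -like 'AutoMap - *'" -SearchBase $SearchBase) {
        if ($group.Name -match '^AutoMap - (?<mailbox>[^@\s]+@[^@\s]+)$') {
            Sync-AutoMapPermissions -Mailbox $Matches.mailbox -GroupName $group.SamAccountName
        } else {
            Write-Warning "Skipping '$($group.Name)': no mailbox address in the group name"
        }
    }
}

# Dry run first; then run for real from the scheduled job and keep the output as a log.
Invoke-AutoMapMaintenance -WhatIf
Invoke-AutoMapMaintenance | Format-Table Mailbox, Added, Removed -AutoSize
```

Two things to keep in mind before scheduling this. First, step 4 makes the AD group the single source of truth: any explicit FullAccess grant on the mailbox that was made outside the group (an admin's direct grant, a DL, a migration leftover) is revoked on the next run, so either put those principals in the group or exclude them in Get-AutoMapCurrentUsers. Second, FullAccess is read-everything access to the mailbox, so whoever can edit membership of the control groups can grant it; restrict write access to that OU, keep the Added/Removed output from each run, and give the job's credential only a role that covers the mailbox-permission cmdlets rather than a global admin account.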

  • Alright guys, here's a source file containing the function definitions and code examples for how we've constructed our solution for managing mailbox automapping via Active Directory groups. 

    Please note that I've only spent a small amount of time cleaning this up in order to remove anything specific to our own AD and Office 365 tenant. I think it's all fine, but your mileage may vary.

    Please feel free to suggest any improvements or methods for tightening the code.

    Finally, this source file assumes that you're already connected to Office 365 via PowerShell and also have the following PowerShell modules loaded: Microsoft.ActiveDirectory.Management, MSOnline, MSOnlineExtended


    Enjoy!

    -TransporterAccident

    1 out of 1 people found this post helpful.

  • Hi TransporterAccident,

    I know this post was a while ago, however I was wondering if you still had the script as discussed above? Saves me re-inventing the wheel!

    Thanks