Tim D'Annecy


#Powershell #Exchange

I got a request to create a Dynamic Distribution List/Group in Exchange that was automatically populated based on the users' office location.

The requestor stated that they do not want to manage any additional O365 objects. I know how to do this in Azure AD with a Dynamic Assignment, but needed to figure out how to do this in Exchange Online.

Luckily, it's pretty easy.

You'll need the Exchange Online Powershell module before running the command.

Import-Module ExchangeOnline 
New-DynamicDistributionGroup -Name 'Raleigh Staff' -Alias 'Raleigh.Staff' -RecipientFilter "(RecipientTypeDetails -eq 'UserMailbox') -and (Office -eq 'Raleigh')"

It might take a few minutes, but after running that command, you'll see it update in the Exchange Online portal and the query will add users to the List/Group.

#Microsoft #Exchange

Let's say a user accidentally or external actor intentionally purged all emails from a mailbox hosted on Exchange Online. The user opens their computer and finds that they're missing all of their emails. A technician starts to troubleshoot, but finds that the user's Deleted Items folder is also emptied.

This could be a nightmare!

Luckily, Exchange Online has the ability to recover mailboxes using the Microsoft 365 Compliance center.

To do this, you'll need to use the eDiscovery tool in the Microsoft 365 Compliance center to do a few tasks:

  1. Create an eDiscovery case
  2. Specify Search criteria
  3. Export the search results
  4. Download the export
  5. Import the .pst file into the Outlook desktop app

Let's go over each of these steps.

Create an eDiscovery case

Open a browser and open the Microsoft 365 Compliance center dashboard. Login using an account with Global Admin (or equivalent) permissions. You may need to add some permissions to your account, including the eDiscovery Manager role.

On the left side of the page, expand eDiscovery and click on Core. From this page, click on the Create a case button:

Type a name for the case and a description (optional) and click the Save button:

Create Search criteria

Once you have a case created, you'll need to specify some search criteria. This means you have to specify which O365 items you want the eDiscovery to target.

Navigate back to the Core eDiscovery page and click on the name of the case to open it:

Navigate to the Searches tab. Click the “New search” button:

A new page will open with a wizard to specify search criteria. On the “Name and description” step, type in a friendly name that you'll remember and some descriptive text (optional), then click the “Next” button:

On the “Locations” step, flip the toggle for “Exchange mailboxes” and click on the “Choose users, groups, or teams” link under the “Included column”. In the pane, type the name of the user that you're wanting to restore, then click the “Done” button. Also make sure that you uncheck the box for “Add App Content for On-Premises Users”, this section is not needed. When you've selected the single mailbox, then click the “Next” button:

On the “Conditions” step, you can specify limiting factors (if needed), but leave all of the options blank to ensure you get the whole mailbox. Click the “Next” button to continue:

On the “Review your search” step, make sure the options look OK, then click the “Submit” button:

In the background, Microsoft will kick off a search with your criteria. After starting the search, go to the next step.

Export the search results

Navigate back to the Searches tab inside your case. The “Status” column will indicate when the search is complete. After the search results have been found, you'll need to export these results into a downloadable package.

Click on the name of the search to open the pane. From there, click on the “Actions” button at the bottom and select “Export results”:

The search results will begin to Export. This process can take a while, depending on the size of the mailbox.

Download the Export

Once the Export is packaged up, you'll need to download this file onto your local computer. Check the status of your eDiscovery Search Export by clicking on the Exports tab. Click on the name of your search export to open the pane.

When the export Status is complete, click on the “Download results” link:

A Windows desktop tool will download. Run the app to install the Microsoft Office 365 eDiscovery Export tool:

The application will download and install additional resources:

After the resources are downloaded, the tool will popup with some export settings. Copy and paste the Export key from the Compliance center Export page. Also, set the download location for the PST file:

The eDiscovery Export Tool will begin the process of prepping the data, downloading it, then cleaning up after it's complete:

Once it's complete, open File Manager on your computer and navigate to the Export Location you selected earlier. You'll see several files in the root directory:

The .pst file that you need will be in the Exchange folder.

Import the .pst file into the Outlook desktop app

For this next step, you'll need to use the Outlook desktop app to import the .pst file. This file has all of the users' emails and you'll be able to merge them back into the live mail profile.

Open the Outlook desktop app and navigate to the File tab in the ribbon. Navigate to Open & Export and click on the Import/Export button:

In the Import and Export Wizard popup, select “Import from another program or file” and click the Next button:

Select “Outlook Data File (.pst)” and click the Next button:

Click the Browse... button to select your downloaded .pst file and click the Next button:

Click through the last page of the wizard to begin the import. After the process completes, you can delete the downloaded .pst file.

Allow Outlook to sync the mailbox to Exchange Online. This will ensure that all email messages are synced and available at any location. This process may take a while, depending on the users' internet speed:


#Exchange #Powershell

I was looking for some good documentation online on how to recall emails from user inboxes.

First, import and connect to the relevant Powershell modules and environments:

Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName XXX # Change this value to your account with Global Admin or Compliance Admin permissions

Next, create a new Compliance Search by defining your scope and query. For this example, I'm going to keep it simple by targeting all Exchange content and a subject line search:

# Change the subject line to the emails' subject line in question
New-ComplianceSearch -Name "New search" -ExchangeLocation All -ContentMatchQuery '(Subject:"Spammy email subject line")' | Start-ComplianceSearch

Depending on the size of your tenant, this may take a while, maybe a few hours. You can check the status of the search by running Get-ComplianceSearch

After the search status says 'Completed', the following command to purge and delete all instances of the email from your tenant:

New-ComplianceSearchAction -SearchName "New search" -Purge -PurgeType HardDelete

This command may take a while too, depending on the size of your tenant. You can check the status of the search action with the command Get-ComplianceSearchAction

That's it! You can see your results in the Microsoft Compliance center and a full audit log will be available through the portal.


#powershell #Exchange

If you're using Microsoft Exchange Online, there's no way to currently see when a Mail Contact was created on the web dashboard.

I wanted to know when an address was added as a Mail Contact in one of our tenants, but I also wasn't able to get an audit trail using the Microsoft Compliance center.

As a workaround, this Powershell command will give the basic info for “WhenCreated”.

Get-Recipient -RecipientTypeDetails MailContact -ResultSize Unlimited | sort WhenCreated | select Name,Alias,WhenCreated