Querying msExchDelegateListLink in Exchange Online with PowerShell

There are a number of articles that describe the relationship between the FullAccess permission of an Exchange mailbox and the msExchDelegateListLink attribute. Here are two good ones:

In short, this attribute lists all the other mailboxes your mailbox has FullAccess to, unless AutoMapping was set to $false when assigning the permission. It can be a handy attribute to query when trying to learn what mailboxes might appear in an end-user’s Outlook profile.

This attribute is synced to Office 365 via Azure AD Connect; however, for whatever reason, it is not synced back on-premises for new or migrated mailboxes. It is also not exposed in Get-User, Get-Mailbox, Get-MailboxStatistics, Microsoft Graph or Azure AD Graph.

The information is however included in the user’s AutoDiscover XML response. This is how Outlook knows what mailboxes to mount. If you want to look at this data manually, use the ctrl+right-click tool from the Outlook icon on the system tray. This article describes how to do that, if somehow you’re reading this but don’t already know about this tool:

You can also look at the AutoDiscover XML file via the venerable TestConnectivity.Microsoft.com web site. Look at the bottom of the file, and you’ll see “AlternativeMailbox” entries.

<AlternativeMailbox>
  <Type>Delegate</Type>
  <DisplayName>crowley test 1</DisplayName>
  <SmtpAddress>crowleytest1@mikecrowley.us</SmtpAddress>
  <OwnerSmtpAddress>crowleytest1@mikecrowley.us</OwnerSmtpAddress>
</AlternativeMailbox>
<AlternativeMailbox>
  <Type>Delegate</Type>
  <DisplayName>crowley test 2</DisplayName>
  <SmtpAddress>crowleytest2@mikecrowley.us</SmtpAddress>
  <OwnerSmtpAddress>crowleytest2@mikecrowley.us</OwnerSmtpAddress>
</AlternativeMailbox>

While not exactly the msExchDelegateListLink attribute, it’s the same difference.

This is neat, but to be useful at scale, we need to query this in PowerShell. Fortunately, there are two methods to fetch the AutoDiscover XML.

You can query these endpoints directly or through the Exchange Web Services (EWS) API. If you don’t have a preference, Microsoft’s documentation recommends SOAP, which is the approach I’ll discuss here.

Using Invoke-WebRequest and SOAP, we can request specific attributes, such as AlternateMailboxes. Other useful attributes are listed in this article:

While I’m not a developer (developers, please keep your laughter to yourself!), I did manage to cobble together the following SOAP request, which will be the string we “post” to the AutoDiscover service. You’ll notice I’ve marked the user we’re querying and any attributes I might want in bold (modify this list to suit your needs):

<soap:Envelope xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover"
               xmlns:wsa="http://www.w3.org/2005/08/addressing"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <a:RequestedServerVersion>Exchange2013</a:RequestedServerVersion>
    <wsa:Action>http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetUserSettings</wsa:Action>
    <wsa:To>https://autodiscover.exchange.microsoft.com/autodiscover/autodiscover.svc</wsa:To>
  </soap:Header>
  <soap:Body>
    <a:GetUserSettingsRequestMessage xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover">
      <a:Request>
        <a:Users>
          <a:User>
            <a:Mailbox>bob@contoso.com</a:Mailbox>
          </a:User>
        </a:Users>
        <a:RequestedSettings>
          <a:Setting>UserDisplayName</a:Setting>
          <a:Setting>UserDN</a:Setting>
          <a:Setting>UserDeploymentId</a:Setting>
          <a:Setting>MailboxDN</a:Setting>
          <a:Setting>AlternateMailboxes</a:Setting>
        </a:RequestedSettings>
      </a:Request>
    </a:GetUserSettingsRequestMessage>
  </soap:Body>
</soap:Envelope>

(For this post, I only care about AlternateMailboxes.)

AutoDiscover requires authentication, so we’ll also need to use the Get-Credential cmdlet. Interestingly, any mailbox can query the AutoDiscover response for any other user in the Office 365 tenant. This means, through PowerShell, I can look up the msExchDelegateListLink / AlternativeMailbox values for other users (even without administrative privileges).

I’ve written a function to return the results in a PowerShell array like this:

[Image: Get-AlternateMailboxes-Example]

 

I should also point out:

  • It has the Exchange Online URL hard-coded within, though you could adapt this for other URLs if you’d like.
  • Both SMTPAddress and Credential parameters require valid Exchange Online mailboxes (though, as previously mentioned they do not need to be the same mailbox).

Usage Example:

Get-AlternateMailboxes -SMTPAddress bob@contoso.com -Credential (Get-Credential)

Finally, here is the script itself:
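
The following is an added example, not the author's script: one way to post the SOAP request above with Invoke-WebRequest and turn the AlternateMailboxes reply into objects. The function names, the default -Uri value and the assumption that the reply nests AlternateMailbox elements belong to this example, and its last lines run the parser against a constructed reply fragment.

```powershell
function New-AlternateMailboxRequest {
    param([Parameter(Mandatory)][string]$SMTPAddress)
    # XML-escape the address so it cannot break out of the <a:Mailbox> element.
    $mailbox = [System.Security.SecurityElement]::Escape($SMTPAddress)
    return @"
<soap:Envelope xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <a:RequestedServerVersion>Exchange2013</a:RequestedServerVersion>
    <wsa:Action>http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetUserSettings</wsa:Action>
    <wsa:To>https://autodiscover.exchange.microsoft.com/autodiscover/autodiscover.svc</wsa:To>
  </soap:Header>
  <soap:Body>
    <a:GetUserSettingsRequestMessage>
      <a:Request>
        <a:Users><a:User><a:Mailbox>$mailbox</a:Mailbox></a:User></a:Users>
        <a:RequestedSettings><a:Setting>AlternateMailboxes</a:Setting></a:RequestedSettings>
      </a:Request>
    </a:GetUserSettingsRequestMessage>
  </soap:Body>
</soap:Envelope>
"@
}

function ConvertFrom-AlternateMailboxResponse {
    param([Parameter(Mandatory)][string]$Content)
    # local-name() keeps the query independent of the reply's namespace prefixes.
    ([xml]$Content).SelectNodes("//*[local-name()='AlternateMailbox']") |
        Select-Object Type, DisplayName, SmtpAddress, OwnerSmtpAddress
}

function Get-AlternateMailboxesExample {
    param(
        [Parameter(Mandatory)][string]$SMTPAddress,
        [Parameter(Mandatory)][pscredential]$Credential,
        # Assumption: Exchange Online SOAP AutoDiscover endpoint; override for other services.
        [string]$Uri = 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc'
    )
    $response = Invoke-WebRequest -Uri $Uri -Method Post -Credential $Credential `
        -ContentType 'text/xml; charset=utf-8' -UseBasicParsing `
        -Body (New-AlternateMailboxRequest -SMTPAddress $SMTPAddress)
    ConvertFrom-AlternateMailboxResponse -Content $response.Content
}

# Offline check against a constructed reply fragment (not real tenant data):
$sample = '<r><AlternateMailbox><Type>Delegate</Type><DisplayName>crowley test 1</DisplayName>' +
          '<SmtpAddress>crowleytest1@mikecrowley.us</SmtpAddress>' +
          '<OwnerSmtpAddress>crowleytest1@mikecrowley.us</OwnerSmtpAddress></AlternateMailbox></r>'
ConvertFrom-AlternateMailboxResponse -Content $sample
```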

 

The Cost of Doing Nothing: A Ransomware Backup Story

Once again, I had the chance to present on the topic of ransomware with Redmond Magazine, as this continues to be a hot topic! Quest Software’s John O’Boyle and I did what we could to summarize the current state of ransomware in a Microsoft-based environment and provide real-life experiences and advice for dealing with this type of malware. While we had a great turnout, I’m sure some of you missed it, so I invite you to view the offline recording below:


The Cost of Doing Nothing: A Ransomware Backup Story

Do You Need Built-in or Bolt-on Security for Office 365?

This week I had a chance to meet with Mimecast’s Strategic Technical Consultant and fellow Microsoft MVP J. Peter Bruzzese to discuss, in a webcast, the need (or possible lack thereof) for 3rd-party add-on solutions to Office 365. This is familiar territory to both J. Peter and me, so we had no trouble jumping right into a lively discussion!

If you missed it, please see the offline recording here:


Preventing and Mitigating Ransomware Infections

Today I had a chance to interview the accomplished author and founder of KnowBe4, Stu Sjouwerman on the subject of Ransomware. Stu shared some great insight and real world experiences in dealing with ransomware outbreaks and the realities we’re faced with (e.g. actually paying the ransom).

If you missed it, you can view the recording for free, here:


https://redmondmag.com/webcasts/2016/11/knowbe4121-preventing-and-mitigating-account-compromises.aspx

Discussing Mobile Application Management On RunAsRadio

Microsoft has made Windows Intune a big focus area this year, and at Baseline Technologies, we’re seeing an uptick in customer interest as well. Microsoft’s MDM tool can now truly protect your organization’s data without the old “all or nothing” approach from years past.

A few weeks back I was invited to discuss this with Richard Campbell at RunAsRadio. If you’re interested in this hot area of technology, why not check out the free show!


Awarded the Microsoft MVP for the 7th year!

I am thrilled to report that Microsoft has awarded me with the Most Valuable Professional award for the 7th consecutive year!

By far, the best benefit of this program is the great relationships I’ve been able to build both with the Microsoft product groups as well as other MVPs. MVPs are a fantastic community of experts who generously share their knowledge and their time. I’m honored to once again be included among their ranks.

Recent Webcasts

Hiya folks, for those that don’t follow me on Twitter, I wanted to point out a few webcasts I’ve been involved with. Check ’em out!

 

Best Practices for Migrating PSTs and Email Archives to Office 365

https://redmondmag.com/webcasts/2016/06/delljuly19.aspx

Office 365 Migrations and Beyond – Planning for Potential Risks

https://redmondmag.com/webcasts/2016/08/mimecast-sept8.aspx