This guide will not include:
– AD permissions
– Exchange permissions
– Entra Connect permissions
– Entra Permissions
This code must be executed in Visual Studio Code.
Make sure you have first set up Visual Studio Code and installed all the PowerShell modules used below.
There are no wait or verification checks in here (at least for now), so run it block by block and check that each step has completed before running the next.
Operationally you only need to change one variable: $sharedMailbox
The first time, you also have to fill in these variables once:
– $notSyncedOU
– $ad_domain
– $entraConnect
and it will prompt you for the UPN of your admin account and its password
(still need to figure out some other authentication methods; connecting to Exchange Online and MgGraph still requires some input from the administrator)
Good luck – no guarantees.
Roger
# Enter - Primary email address of the shared mailbox
$sharedMailbox = 'primaryemailaddress@domain.com'
$notSyncedOU = 'OU=NotSyncedToEntraOU,DC=domain,DC=com'
# PowerShell - Store domain credentials in files if not present yet (the username is stored as plain text, the password is DPAPI-protected by ConvertFrom-SecureString and can only be read back by the same user on the same machine)
if ( (Test-Path 'C:\Temp\usera.txt') -eq $false ) {Read-Host -Prompt "Enter your admin account for DOMAIN (e.g. admin-john.doe@domain.com)" | Out-File -FilePath 'C:\Temp\usera.txt'}
if ( (Test-Path 'C:\Temp\creda.txt') -eq $false ) {Read-Host -Prompt "Enter the password for your admin account for DOMAIN" -AsSecureString | ConvertFrom-SecureString | Out-File -FilePath 'C:\Temp\creda.txt'}
$password_domain = Get-Content -Path 'C:\Temp\creda.txt' | ConvertTo-SecureString
$user_domain = Get-Content -Path 'C:\Temp\usera.txt'
$cred_domain = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user_domain, $password_domain
# AD - Import Active Directory PS-session
$ad_domain = 'domaincontroller.domain.com'
$session_domain = New-PSSession -ComputerName $ad_domain -Credential $cred_domain
Invoke-Command -Session $session_domain -ScriptBlock {Import-Module ActiveDirectory}
Import-PSSession -Session $session_domain -DisableNameChecking -AllowClobber -Module ActiveDirectory | Out-Null
# Exchange - Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName $user_domain
# Exchange - Collect permissions on shared mailbox
$fullpermissions = (Get-MailboxPermission $sharedmailbox | Where-Object {$_.AccessRights -like 'Full*' -and $_.User -notlike '*SELF'}).User
$sendaspermissions = (Get-RecipientPermission -Identity $sharedmailbox | Where-Object {$_.AccessRights -like 'SendAs' -and $_.Trustee -notlike '*SELF'}).Trustee
# AD - Collect variables from the shared mailbox AD account (one filtered query on the mail attribute instead of enumerating every user)
$adAccount = Get-ADUser -Filter "mail -eq '$sharedMailbox'" -Properties mail, mailNickname, displayName
$samAccountName = $adAccount.SamAccountName
$distinguishedName = $adAccount.DistinguishedName
$emailAlias = $adAccount.mailNickname
$displayName = $adAccount.displayName
# AD - Move the shared mailbox account to a non-synced OU
Move-ADObject -Identity $distinguishedName -TargetPath $notSyncedOU
# Entra Connect - Import Entra Connect server PS-session
$entraConnect = 'entraconnectserver.domain.com'
# Use a separate session variable so the AD session imported above is not overwritten
$session_entraConnect = New-PSSession -ComputerName $entraConnect -Credential $cred_domain
Invoke-Command -Session $session_entraConnect -ScriptBlock {Import-Module ADSync}
Import-PSSession -Session $session_entraConnect -DisableNameChecking -AllowClobber -Module ADSync | Out-Null
# Entra Connect - Start Entra Connect delta sync to synchronize AD with Entra
Start-ADSyncSyncCycle -PolicyType Delta
# Exchange - Retrieve the GUID of the deleted shared mailbox
$sharedmailboxGuid = (Get-Mailbox -SoftDeletedMailbox $sharedMailbox).Guid
# MgGraph - Connect (interactive), then permanently delete the soft-deleted Entra account of the shared mailbox
Connect-MgGraph -Scopes 'User.Read.All', 'User.DeleteRestore.All'
$directoryObjectId = (Get-MgDirectoryDeletedItemAsUser -Filter "Mail eq '$sharedMailbox'").Id
# Stop if the delta sync has not removed the object yet, otherwise the next cmdlet prompts for an empty ID
if (-not $directoryObjectId) { throw "No soft-deleted Entra user found for $sharedMailbox; wait for the sync to finish and retry this block." }
Remove-MgDirectoryDeletedItem -DirectoryObjectId $directoryObjectId
# Exchange - Restore the deleted shared mailbox to a new Entra account
New-Mailbox -InactiveMailbox $sharedmailboxGuid -Alias $emailAlias -MicrosoftOnlineServicesID $sharedMailbox -Name $samAccountName -DisplayName $displayName
# Exchange - Convert restored mailbox to shared mailbox
Set-Mailbox $sharedMailbox -Type Shared
# Exchange - Keep a copy of messages sent as / on behalf of the shared mailbox in its own Sent Items folder
Set-Mailbox -Identity $sharedMailbox -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true
# Exchange - Re-add full permissions for a user to a shared mailbox
foreach ($user in $fullpermissions) {Add-MailboxPermission -Identity $sharedmailbox -User $user -AccessRights 'FullAccess' -InheritanceType 'All' -AutoMapping $false -Confirm:$false}
# Exchange - Re-add SendAs permissions for a user on a shared mailbox
foreach ($user in $sendaspermissions) {Add-RecipientPermission -Identity $sharedmailbox -Trustee $user -AccessRights 'SendAs' -Confirm:$false}
# AD - remove ad-account
Remove-ADUser -Identity $samAccountName -Confirm:$false
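Added example, not part of Roger's script: since the script keeps the collected permissions only in memory and has no wait between the delta sync and the Graph/Exchange steps, this snippet writes the permissions to disk before the destructive part, polls until the sync is done and the mailbox is really soft-deleted, and can re-apply the snapshot if a run dies halfway. It assumes the variables and imported sessions from the script above ($sharedMailbox, $fullpermissions, $sendaspermissions, the ADSync session); the backup path and function names are hypothetical.

```powershell
# Hypothetical backup path, derived from the mailbox address
$permissionBackup = "C:\Temp\$($sharedMailbox -replace '[^\w.-]', '_').permissions.json"
[pscustomobject]@{
    Mailbox    = $sharedMailbox
    TakenAt    = (Get-Date).ToString('o')
    FullAccess = @($fullpermissions)
    SendAs     = @($sendaspermissions)
} | ConvertTo-Json -Depth 3 | Set-Content -Path $permissionBackup -Encoding UTF8

function Wait-SharedMailboxSoftDeleted {
    # Block until Entra Connect is idle and Exchange Online reports the mailbox as soft-deleted
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [int]$TimeoutMinutes = 15,
        [int]$PollSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Get-ADSyncScheduler comes from the ADSync session imported in the script
        $syncBusy = (Get-ADSyncScheduler).SyncCycleInProgress
        if (-not $syncBusy) {
            $soft = Get-Mailbox -Identity $Mailbox -SoftDeletedMailbox -ErrorAction SilentlyContinue
            if ($soft) { return $soft }
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "'$Mailbox' is not soft-deleted after $TimeoutMinutes minutes; stop here and investigate."
}

function Restore-SharedMailboxPermissionsFromBackup {
    # Re-apply a saved snapshot, e.g. after a run that failed between delete and restore
    param([Parameter(Mandatory)][string]$Path)
    $snap = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($u in @($snap.FullAccess)) {
        Add-MailboxPermission -Identity $snap.Mailbox -User $u -AccessRights 'FullAccess' -InheritanceType 'All' -AutoMapping $false -Confirm:$false
    }
    foreach ($u in @($snap.SendAs)) {
        Add-RecipientPermission -Identity $snap.Mailbox -Trustee $u -AccessRights 'SendAs' -Confirm:$false
    }
}

# Usage: run after Start-ADSyncSyncCycle and before the MgGraph block, instead of the plain Get-Mailbox line
$sharedmailboxGuid = (Wait-SharedMailboxSoftDeleted -Mailbox $sharedMailbox).Guid
```

The JSON file also gives you an audit record of who had access before the conversion, which is worth keeping after the run.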