Background

Office 365 groups are growing in popularity for organizations with mail services in Exchange Online. One of the big selling points for O365 groups is that end-users can manage their own groups via Outlook 2016 or via Outlook Web Access (OWA). This self-service model lifts the burden of creating groups and managing group membership off of IT administrators, which benefits both IT administrators and end-users. There are cases, however, where organizations may want a handful of end-users to be able to manage more than just group membership for O365 groups. For example, what if you want an end-user to be able to manage SendAs permissions, or to limit who can send email messages to certain O365 groups?

Solution

Using a very simple PowerShell script, we have created a tool that allows end-users to add SendAs permissions to O365 groups. Begin by running the O365 Groups Management script. End-users will be prompted to enter the name of the O365 group and the user who will have SendAs permissions.

Note: You can limit the scope of the groups that end-users can manage in O365 by creating RBAC rules in Exchange Online. In a later post I demonstrate how to create RBAC rules for O365 groups.
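As an added illustration of that scoping (example code written for this page, not part of the original post or of the later one it refers to): the service account the script signs in with is limited to a custom role containing only the two cmdlets the tool needs, with a write scope restricted to group mailboxes tagged for self-service. The account name svc-o365groups@domain.onmicrosoft.com, the role and scope names, and the use of CustomAttribute1 with the value "SelfService" as the tag are assumptions made for the example; the parent role "Mail Recipients" is assumed to carry both cmdlets, which the first command lets you verify.

```powershell
# Added example: scope what the script's service account can do in Exchange Online.
# Run in an Exchange Online PowerShell session as an Organization Management member.
# Names below (svc-o365groups, "Self-Service Group SendAs", "Self-Service O365 Groups",
# CustomAttribute1 = 'SelfService') are illustrative assumptions, not from the original post.

$serviceAccount = 'svc-o365groups@domain.onmicrosoft.com'
$roleName       = 'Self-Service Group SendAs'
$scopeName      = 'Self-Service O365 Groups'
$keep           = @('Add-RecipientPermission', 'Get-Recipient')   # the only cmdlets the tool calls

# 1. Check which built-in roles carry the cmdlet the tool depends on;
#    "Mail Recipients" is the parent assumed in step 2.
Get-ManagementRole -Cmdlet Add-RecipientPermission | Select-Object Name

# 2. Derive a custom role from "Mail Recipients" and remove every cmdlet the tool does not need.
New-ManagementRole -Name $roleName -Parent 'Mail Recipients'
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $keep -notcontains $_.Name } |
    ForEach-Object { Remove-ManagementRoleEntry -Identity "$roleName\$($_.Name)" -Confirm:$false }

# 3. Write scope: only group mailboxes that an admin has tagged for self-service.
#    Tag a group with: Set-UnifiedGroup -Identity <group> -CustomAttribute1 'SelfService'
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter "(RecipientTypeDetails -eq 'GroupMailbox') -and (CustomAttribute1 -eq 'SelfService')"

# 4. Assign the trimmed role to the service account with that write scope.
New-ManagementRoleAssignment -Name "$roleName - svc" -Role $roleName -User $serviceAccount -CustomRecipientWriteScope $scopeName

# 5. Verify what the account ended up with. Add-RecipientPermission run as this account
#    against an untagged group (or any ordinary mailbox) is now rejected as out of scope.
Get-ManagementRoleAssignment -RoleAssignee $serviceAccount |
    Format-Table Role, CustomRecipientWriteScope, RecipientReadScope -AutoSize
```

Because the script's credential file is readable by whoever runs the tool, this scope, not the dialog box, is what actually bounds what an end-user can do with the service account.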

Integrating the O365 Groups Management PowerShell script is fairly straightforward. To implement the script, follow the steps below.

  • Copy all content in the script section and save it as a .PS1 file under your file share location
  • Change line 1 ($logfile) to the log file path on your file share
  • Change line 2 ($PasswordFile) to the credential file path on your file share
  • Change line 3 ($AdminAccount) to the administrator (service) account in your organization that holds the Exchange Online permissions
  • Perform a find and replace for the text \\fileshare\Backups\Temp\Services
    to your file share location

Result

The administrator should execute the script the first time to enter the password of the service account.

The credential file is stored on the file share. Two caveats apply here. ConvertFrom-SecureString without a -Key encrypts the password with DPAPI for the Windows account and machine that created it, so only that same account on that same machine can read it back; if the administrator creates the file and an end-user then runs the script from another workstation, ConvertTo-SecureString fails with "Key not valid for use in specified state" and neither connection succeeds. In practice the account that will run the tool must be the one that enters the password. Second, whoever can decrypt the file holds the service account's credentials, so the NTFS permissions on the file should be as tight as possible and the service account should be limited with the RBAC scoping mentioned in the note above rather than given full Exchange administration rights.
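To check both points before handing the tool to users, here is an added example (written for this page, not part of the original script) that writes the credential file as the account that will run the tool, strips the inherited share permissions from the file so only that account and local Administrators can read it, and then reports whether the current identity can decrypt the blob and which principals still have read access. The file path is the one the post uses; everything else is assumed for the example.

```powershell
# Added example: create the DPAPI-protected credential file as the runtime account,
# tighten its ACL, and verify who can decrypt and who can read it.
# Path is from the post; the ACL choices are assumptions for this example.

$PasswordFile = "\\fileshare\Backups\Temp\Services\cred.txt"

function Test-CredentialFile {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path        = $Path
        Exists      = Test-Path $Path
        Decryptable = $false
        Readers     = @()
    }
    if (-not $result.Exists) { return [pscustomobject]$result }

    # A blob written by ConvertFrom-SecureString without -Key is DPAPI-bound to the
    # writing user and machine; any other identity fails with
    # "Key not valid for use in specified state".
    try {
        $null = Get-Content $Path | ConvertTo-SecureString -ErrorAction Stop
        $result.Decryptable = $true
    }
    catch {
        $result.Decryptable = $false
    }

    # Every principal with an Allow entry granting read rights can copy the blob
    # (and, if it is the same identity that wrote it, decrypt it). Heuristic match on
    # the enum text; generic-rights entries show as numbers and are skipped.
    $result.Readers = (Get-Acl $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'Read|Modify|FullControl' } |
        ForEach-Object { $_.IdentityReference.Value }

    return [pscustomobject]$result
}

# 1. Write the file as the account that will later run the tool.
Read-Host -Prompt "Enter Password for the service account" -AsSecureString |
    ConvertFrom-SecureString | Out-File $PasswordFile

# 2. Stop inheriting the share-wide ACL and grant read only to this account
#    (plus FullControl for local Administrators so it can still be rotated).
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl   = Get-Acl $PasswordFile
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Read', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')))
Set-Acl -Path $PasswordFile -AclObject $acl

# 3. Report. Run this function again as each intended user: Decryptable must be True
#    for them, and Readers should list nobody you did not expect.
Test-CredentialFile -Path $PasswordFile | Format-List
```

If Decryptable comes back False for the account that is supposed to run the tool, the file was written by a different account or on a different machine and has to be recreated by that account.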

Every other time, the first screen will ask the user if they want to add SendAs permissions to an O365 group.

Enter the group name

Enter the alias of the user you want to give SendAs permissions to

Click yes to confirm

Permissions have been added

Log File

The log file records each run (the user and computer that started it), whether the credential file was created or already existed, whether the connections to Office 365 and Exchange Online succeeded, and each SendAs assignment that was attempted. The log file can be found under \\fileshare\Backups\Temp\Services\O365Groups.log.

Script

$logfile      = "\\fileshare\Backups\Temp\Services\O365Groups.log"
$PasswordFile = "\\fileshare\Backups\Temp\Services\cred.txt"
$AdminAccount = "admin@domain.onmicrosoft.com"
$showConsoleOutput = $true
$Box = New-Object -ComObject WScript.Shell

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')

#Log File Function: appends to the log and, when $showConsoleOutput is set, echoes to the console
function log {
    param (
        [String]$text,
        [Switch]$fout
    )

    Add-Content -Path $logfile -Value $text
    if ($showConsoleOutput) {
        if ($fout) {
            Write-Host $text -ForegroundColor Red
        }
        else {
            Write-Host $text -ForegroundColor Green
        }
    }
}

log -text "-----$(Get-Date) Services - $($env:USERNAME) on $($env:COMPUTERNAME) starting-----"

#Add Creds to secure text file
#ConvertFrom-SecureString without -Key protects the file with DPAPI for the user and
#machine that wrote it, so the account that runs this script must be the one that creates it.
if (-not (Test-Path $PasswordFile)) {
    Read-Host -Prompt "Enter Password for $AdminAccount" -AsSecureString | ConvertFrom-SecureString | Out-File $PasswordFile
    log -text "Created a password file at $PasswordFile"
}
else {
    log -text "Password file already created at $PasswordFile"
}

$Pass = Get-Content $PasswordFile | ConvertTo-SecureString
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminAccount, $Pass

#Connect to O365 services (not needed for the SendAs step itself; kept so the log records tenant connectivity)
Import-Module MSOnline
Connect-MsolService -Credential $Cred -ErrorAction SilentlyContinue -ErrorVariable ProcessError
if ($ProcessError) {
    log -text "------ Didn't Connect to Office 365 services" -fout
}
else {
    log -text "Connected to Office 365 Services"
}

#Connect to Exchange Online Services with the same credential.
#This endpoint uses Basic authentication, which Microsoft has since retired for Exchange Online
#remote PowerShell; current tenants connect with the ExchangeOnlineManagement module instead.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection -ErrorAction SilentlyContinue -ErrorVariable ProcessError
if ($ProcessError -or -not $Session) {
    log -text "------ Didn't Connect to Exchange Online" -fout
    exit 1
}
Import-PSSession $Session -AllowClobber | Out-Null
log -text "Connected to Exchange Online"

#Dialog box header information
$titleGroup  = 'O365 Group Name'
$msgGroup    = 'Please Enter your O365 Group Name'
$titleSender = 'Sender'
$msgSender   = 'Please Enter the senders name'

#Dialog box configuration (4 = Yes/No buttons; Popup returns 6 when Yes is clicked)
$intAnswer = $Box.Popup("Do you want to provide sendas permission for your O365 group?", 0, "O365 Groups", 4)
if ($intAnswer -eq 6) {
    $GroupName  = [Microsoft.VisualBasic.Interaction]::InputBox($msgGroup, $titleGroup)
    $SenderName = [Microsoft.VisualBasic.Interaction]::InputBox($msgSender, $titleSender)
    #Resolve group mailboxes only, so the entered name cannot target an ordinary mailbox
    $groupsRecipientDetails = Get-Recipient -RecipientTypeDetails GroupMailbox -Identity $GroupName -ErrorAction SilentlyContinue
    if (-not $groupsRecipientDetails) {
        log -text "----- No O365 group named $GroupName was found" -fout
        $Box.Popup("No O365 group named $GroupName was found") | Out-Null
    }
    else {
        log -text "----- Attempting to provide $SenderName SendAs permission to group $GroupName"
        Add-RecipientPermission -Identity $groupsRecipientDetails.Identity -Trustee $SenderName -AccessRights SendAs
    }
}
else {
    $Box.Popup("Send As was not added to an Office 365 group") | Out-Null
}

Remove-PSSession $Session