Enable Remote Exchange Mailbox PS Script example

Hi,

Does anyone have an example of a Remote Exchange Mailbox PowerShell script that is used in an ISC context?
How do you handle the RemoteRoutingAddress parameter?

@jesvin90 I see your post here:
Native Rule - PowerShell session error - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

param(
    [Parameter(Mandatory = $true)]
    [String]$samAccountName,
    [Parameter(Mandatory = $true)]
    [String]$upn
)
$address = $upn

[string]$userName = "<userName>"   # placeholder: service account used for the Exchange session

# Read the protected password and convert it to a SecureString
[securestring]$secStringPassword = Get-Content "\\secret.txt" | ConvertTo-SecureString

$PSCredential = New-Object System.Management.Automation.PSCredential -ArgumentList $userName, $secStringPassword
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://SERVER/PowerShell/ -Authentication Kerberos -Credential $PSCredential

if ($null -ne $Session) {
    Import-PSSession $Session -DisableNameChecking

    # The UPN passed in is used as the remote routing address
    Enable-RemoteMailbox $samAccountName -RemoteRoutingAddress $address

    Remove-PSSession $Session
}

Is this script still working, as some cmdlets in the script are deprecated?

Hi @baoussounda You can populate the targetAddress on-prem AD attribute via LDAP rather than use the PowerShell. In fact, you can enable a remote mailbox completely using LDAP, if you want.

@KRM7 Sorry about my last comment, but what if I am using an IQService connector to run this after script and it is suddenly skipping it?
Can we check the exact logs for this?

Use this Rule Template

You can add logs in your Native Rule; they will be stored in IQService.

@j_place can you please describe the process?

By updating targetAddress, how will the mailbox be updated?

Hi Ousmane

There are 3 main attributes you need to consider when creating remote mailboxes and these can be set using either LDAP or PowerShell.

I will assume you are provisioning into on-prem AD and letting AADC do the sync with Entra. I will use the AD attribute name (with the equivalent PowerShell parameter):
mail (PrimarySmtpAddress): [email protected]
targetAddress (RemoteRoutingAddress): [email protected]
mailNickname (Alias): joe2

Also,
userPrincipalName (N/A): [email protected]
although this is not set using enable-remotemailbox.

When using the enable-remotemailbox PowerShell command, these attributes will synchronise with Entra, and when an Exchange Online license is assigned to the Entra user a mailbox will be created with the following addresses:
SMTP:[email protected]
smtp:[email protected] (UPN)
smtp:[email protected] (for internal hybrid Exchange routing)
smtp:[email protected] (mail nickname at default tenant domain)

These attributes can be set using the AD connector attribute sync based on your own requirements and then the PowerShell triggered by an After operation doesn’t need to pass those parameters.

@j_place we tried multiple times to update targetAddress, but it is not populated in our Active Directory.

Are you in a hybrid Exchange environment?

Yes, I’m in a hybrid Exchange environment.

Apologies, I forgot, targetAddress has the syntax:

SMTP:[email protected]

Although, it should have let you update the targetAddress even with the wrong syntax. Permissions?

@j_place do you currently use this feature in a hybrid environment?

Yes, it is needed for hybrid. You need the SMTP: prefix if you set the targetAddress with the LDAP connector. If, on the other hand, you use the enable-remoteMailbox command with the RemoteRoutingAddress parameter it doesn’t need the prefix, as PowerShell will add it.
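An added example (not from the thread) of the two ways described above for writing the three attributes: the LDAP path must carry the literal SMTP: prefix on targetAddress, while Enable-RemoteMailbox takes the bare address and adds the prefix itself. contoso.com and contoso.mail.onmicrosoft.com are placeholder domains, and the Exchange path assumes an Exchange session has already been imported.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [Parameter(Mandatory = $true)][string]$Alias,            # becomes mailNickname
    [string]$PrimaryDomain = 'contoso.com',                   # placeholder domain
    [string]$RoutingDomain = 'contoso.mail.onmicrosoft.com',  # placeholder hybrid routing domain
    [switch]$UseLdap                                          # write attributes directly instead of Enable-RemoteMailbox
)

# Build both addresses once so the LDAP and Exchange paths produce identical values.
$primarySmtp = "$Alias@$PrimaryDomain"
$routingSmtp = "$Alias@$RoutingDomain"

function Test-TargetAddress {
    param([string]$Value)
    # An LDAP write must carry the literal, upper-case 'SMTP:' prefix (-cmatch is case-sensitive).
    return $Value -cmatch '^SMTP:[^@\s]+@[^@\s]+\.[^@\s]+$'
}

if ($UseLdap) {
    $attrs = @{
        mail          = $primarySmtp
        targetAddress = "SMTP:$routingSmtp"
        mailNickname  = $Alias
    }
    if (-not (Test-TargetAddress $attrs.targetAddress)) {
        throw "targetAddress '$($attrs.targetAddress)' is missing the SMTP: prefix or is malformed"
    }
    Import-Module ActiveDirectory
    # -Replace writes the three attributes in one LDAP modify; no Exchange session is needed.
    Set-ADUser -Identity $SamAccountName -Replace $attrs
}
else {
    # The cmdlet adds the SMTP: prefix itself, so RemoteRoutingAddress is passed bare.
    Enable-RemoteMailbox -Identity $SamAccountName -Alias $Alias `
        -PrimarySmtpAddress $primarySmtp -RemoteRoutingAddress $routingSmtp
}
```

Note that the routing address is built from the alias at the hybrid routing domain rather than from the UPN, which is the distinction raised later in the thread.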

Hi Krishna - I note in your script you are using UPN as RemoteRoutingAddress. I would suggest that in most cases the UPN wouldn’t be suitable as MS recommend the UPN to be a primary email address, not an internal routing address.

@j_place I cannot update targetAddress; it is not recognized:

“The specified directory service attribute or value does not exist.”


I want to know whether you currently update this in ISC in your environment.
I have this in my create account profile:

{
    "name": "targetAddress",
    "transform": {
        "type": "identityAttribute",
        "attributes": {
            "name": "targetaddresses"
        }
    },
    "attributes": {},
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

@j_place i’m able to push targetAddress on Active Directory.

But based on my customer’s requirement:

" It must not be set directly.
For a standard user, IDNow must create the Exchange Online mailbox using the “Enable-RemoteMailbox” command with the appropriate parameters, including “[-RemoteRoutingAddress ]” (SMTP:[email protected]).
This will also define the TargetAddress field for the user."

I don’t know whether pushing only the target address will enable the mailbox automatically?

Here is the described process:

If you confirm that you currently work like that, I can try to convince them.

We have AAD sync and a special group that affects the MS365 licence.

Hi

You still need to run enable-remotemailbox, but if you set attributes first you don’t need to pass them as parameters to the command. I prefer to keep attributes in the connector definition where possible as it is more “out of the box” and supportable. For instance, are you setting mail as an attribute rather than in the PowerShell?

I might be able to help you @baoussounda, as I am currently working on mailbox provisioning and license assignment throughout the JML process. Would you like to connect privately? I might have to type a lot of things out here during our conversation.

Regards,
Aman


You can actually set all the attributes required and not need PowerShell at all (which is what I do), but you have to have knowledge of another 3 AD attributes (fixed values) and that could be deemed less supportable.
As for your diagram above, you don’t need to wait for AAD Connect to sync to AAD before enable-remotemailbox, i.e. step 2 is redundant, but I wouldn’t want to get too involved if that is what you have received from the Exchange guys.
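An added example (not from the thread) of the after-create script this approach leaves you with: the connector has already written mail, targetAddress and mailNickname, so the script verifies they are present, logs to a file that IQService can surface, and calls Enable-RemoteMailbox with only the identity, as described above. The log path, secret path, service account and server name are placeholders.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$samAccountName
)
$ErrorActionPreference = 'Stop'
$log = 'C:\SailPoint\IQService\logs\remote-mailbox.log'   # placeholder log path

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) [$samAccountName] $Message" | Add-Content -Path $log
}

Import-Module ActiveDirectory
$user = Get-ADUser -Identity $samAccountName -Properties mail, targetAddress, mailNickname

# Stop early, and say why in the log, if the connector did not populate the attributes.
foreach ($attr in 'mail', 'targetAddress', 'mailNickname') {
    if ([string]::IsNullOrWhiteSpace($user.$attr)) {
        Write-Log "$attr is empty; not calling Enable-RemoteMailbox"
        throw "Missing $attr on $samAccountName"
    }
}

$secret = Get-Content '\\fileserver\share\secret.txt' | ConvertTo-SecureString   # placeholder path
$cred = New-Object System.Management.Automation.PSCredential('CONTOSO\svc-exchange', $secret)  # placeholder account
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$session = $null
try {
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'http://SERVER/PowerShell/' -Authentication Kerberos -Credential $cred
    Import-PSSession $session -DisableNameChecking -CommandName Enable-RemoteMailbox | Out-Null
    # The attributes are already on the AD object, so only the identity is passed.
    Enable-RemoteMailbox -Identity $samAccountName | Out-Null
    Write-Log "Enable-RemoteMailbox succeeded, targetAddress=$($user.targetAddress)"
}
catch {
    Write-Log "Enable-RemoteMailbox failed: $($_.Exception.Message)"
    throw
}
finally {
    # Always tear the session down, even on failure, so runspaces don't leak on the Exchange server.
    if ($session) { Remove-PSSession $session }
}
```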