Exchange Online Management in Azure AD

Hi Developer Community,

My client is looking to have visibility into, and ultimately manage, shared mailboxes and mail enabled security groups in Azure AD. I see this functionality is now available using Exchange Online Management in Azure AD.

I just was hoping for some simple clarification on enabling this functionality and where to use it?

Based on the Azure Active Directory Connector Guide.
https://documentation.sailpoint.com/connectors/microsoft/azure_ad/help/integrating_azure_active_directory/exchange_online_mailbox_management.html#Exchange
For aggregating the shared mailboxes, the documentation says something like “all Exchange attributes must start with EXO_” and then subsequently that the account attribute which must be added for shared mailboxes is “sharedMailbox” and set the property to Multivalued, Entitlement, Managed. We don’t see ‘Managed’ in the UI, is this only done using the API?

When aggregating we should see mailboxes with permissions for each mailbox in the system, and we are not.

We also need to understand how the system will convert the mailbox to shared when needed?

One last question is regarding mail enabled groups. We need to confirm this is a true statement: when adding/removing users from mail enabled groups, the user needs to be the owner? And if yes, how does that work?

Add/Remove Exchange Distribution Groups from Users
When adding a user to or removing a user from a Mail-Enabled Security group, the user configured in the Manage Exchange Online configuration must be the owner of the group. The Distribution does not have the same restriction, but SailPoint recommends that the user in the Manage Exchange Online configuration is the owner of the group.

hoping someone out there has seen this. :slight_smile:
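The aggregation question above comes down to what the connector's service account can actually see in Exchange Online. The following is an added example, not code from the original post or from the SailPoint connector, that uses the public ExchangeOnlineManagement cmdlets to check the same three things from an admin workstation: which shared mailboxes exist, which explicit permissions are set on them, and how a regular mailbox is converted to shared. The account and mailbox names are placeholders.

```powershell
# Added example: verify shared-mailbox visibility with the Exchange Online
# Management module. $ServiceAccountUpn is a placeholder for the account
# used in the connector's Manage Exchange Online configuration.
$ServiceAccountUpn = 'svc-iiq-exo@contoso.example'   # placeholder

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $ServiceAccountUpn -ShowBanner:$false

# 1. List every shared mailbox the signed-in account is allowed to read.
#    If this list is empty for the service account but not for a tenant
#    admin, the problem is role assignment, not the connector.
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
$shared | Select-Object DisplayName, PrimarySmtpAddress |
    Format-Table -AutoSize

# 2. Show the explicit (non-inherited, non-SELF) permissions on each shared
#    mailbox. These are the FullAccess grants you would expect to surface as
#    entitlements after aggregation.
foreach ($mbx in $shared) {
    Get-EXOMailboxPermission -Identity $mbx.PrimarySmtpAddress |
        Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
        Select-Object @{n='Mailbox'; e={ $mbx.PrimarySmtpAddress }}, User, AccessRights
}

# 3. Converting a user mailbox to shared is a single Set-Mailbox call.
#    -WhatIf previews the change without applying it; remove it to convert.
$ToConvert = 'former.employee@contoso.example'   # placeholder
Set-Mailbox -Identity $ToConvert -Type Shared -WhatIf

Disconnect-ExchangeOnline -Confirm:$false
```

Running steps 1 and 2 as the service account and again as a Global Administrator is a quick way to separate a permissions problem from a connector configuration problem before changing the application schema.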

Regarding the last question (which might better have been a separate topic, to not mix different answers here):

Mail-Enabled Groups are basically just normal groups for IIQ/IDN. They only hold an extra flag. :slight_smile:

If the user configured in the Manage Exchange Online configuration has any of the following Azure AD (Entra ID) roles, it can update the Mail-Enabled Group membership: ‘Groups Administrator’, ‘User Administrator’, ‘Directory Writers’, ‘Exchange Administrator’, ‘Global Administrator’
(See Azure AD built-in roles - Microsoft Entra | Microsoft Learn)

  • Remold

Thanks for responding Remold. Just another clarification, once you have verified the permissions to the account. Are there any additional steps needed to remove mail enabled security groups manually or via a lifecycle event?

When we try normal operations after validating the Service account permissions {Exchange Admin role}, we are getting the following error:
B6FAB5|Microsoft.Exchange.Configuration.Tasks.OperationRequiresGroupManagerException|You don’t have sufficient permissions. This operation can only be performed by a manager of the group.

To add some context here. I believe the issue that is generating that error is due to the PowerShell command that is being issued when managing mail enabled security groups. When we manually run the commands seen in the IQ trace logs, we see the same error as was posted. If we add the following switch to the PowerShell command, the action is successful: -BypassSecurityGroupManagerCheck

Alternately, if you make the service account used for this an owner on every security group, that seems to work as well.

Personally, it's not feasible to make a service account owner on everything, so using the switch noted above would be fantastic. I believe though, that it will need to be done by SailPoint on their end of things?
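To make the two workarounds in this thread concrete, here is an added example (not code from the original posts or from SailPoint) that reproduces the membership change with the public Exchange Online cmdlets. It first shows who the group's managers are, then attempts the add both without and with -BypassSecurityGroupManagerCheck, and finally shows the alternative of adding the service account to ManagedBy. Group, user and account names are placeholders, and the bypass switch only succeeds when the signed-in account already holds one of the admin roles listed earlier in the thread.

```powershell
# Added example: mail-enabled security group membership with and without
# the group-manager check. All identities below are placeholders.
$ServiceAccountUpn = 'svc-iiq-exo@contoso.example'   # placeholder
$GroupName         = 'MESG-Finance'                  # placeholder
$UserToAdd         = 'jane.doe@contoso.example'      # placeholder

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $ServiceAccountUpn -ShowBanner:$false

# Who is allowed to manage the group? For a mail-enabled security group the
# ManagedBy list is what the manager check enforces.
$group = Get-DistributionGroup -Identity $GroupName
"Group type:  $($group.RecipientTypeDetails)"
"Managed by:  $($group.ManagedBy -join ', ')"

# Attempt 1: plain add. When the service account is not in ManagedBy this
# fails with OperationRequiresGroupManagerException, the error quoted above.
try {
    Add-DistributionGroupMember -Identity $GroupName -Member $UserToAdd -ErrorAction Stop
    'Plain add succeeded (service account is a manager of the group).'
}
catch {
    "Plain add failed: $($_.Exception.GetType().Name)"

    # Attempt 2: the same add with the bypass switch. This relies on the
    # signed-in account's admin role rather than group ownership.
    Add-DistributionGroupMember -Identity $GroupName -Member $UserToAdd `
        -BypassSecurityGroupManagerCheck -ErrorAction Stop
    'Add with -BypassSecurityGroupManagerCheck succeeded.'
}

# Alternative from the thread: make the service account an owner of the group
# so future changes pass the manager check without the switch. -WhatIf
# previews the change; remove it to apply.
Set-DistributionGroup -Identity $GroupName `
    -ManagedBy @{ Add = $ServiceAccountUpn } `
    -BypassSecurityGroupManagerCheck -WhatIf

# Confirm the membership change landed.
Get-DistributionGroupMember -Identity $GroupName |
    Where-Object { $_.PrimarySmtpAddress -eq $UserToAdd } |
    Select-Object DisplayName, PrimarySmtpAddress

Disconnect-ExchangeOnline -Confirm:$false
```

The trace-log comparison described in the post is the useful diagnostic here: if the command IIQ issues matches the plain add and fails, while the same command with the switch succeeds interactively, the role assignment is correct and the difference is solely the manager check.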
