Report mailboxes enabled for EWS

Report mailboxes still enabled for Exchange Web Services (EWS) and email a nominated recipient to review and disable EWS where no longer needed.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-AzAccount -Identity

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

# Sign in to Azure with the managed identity so the Key Vault can be read
Connect-AzAccount -Identity
# Fetch the username and password credentials for the HVE account to use from an Azure Key Vault
# Change the vault name to the name used in the Azure account
$UserName = Get-AzKeyVaultSecret -VaultName "xxxx" -Name "UserName" -AsPlainText
$UserPassword = Get-AzKeyVaultSecret -VaultName "xxxx" -Name "Password" -AsPlainText
# Create credentials object from the username and password
[securestring]$SecurePassword = ConvertTo-SecureString $UserPassword -AsPlainText -Force
[pscredential]$HVECredentials = New-Object System.Management.Automation.PSCredential ($UserName, $SecurePassword)
# Connect to your tenant with Exchange Online
Connect-ExchangeOnline -ManagedIdentity -Organization xxxxx
# Record the organization-wide EWS setting for the report
$EWSEnabled = (Get-OrganizationConfig).EWSEnabled
$Report = [System.Collections.Generic.List[Object]]::new() # List to hold the report lines
[array]$EWSEnabledMbx = Get-CasMailbox -Filter "EWSEnabled -eq 1" -ResultSize Unlimited | Sort-Object DisplayName
# Process each mailbox and report what we find
ForEach ($Mbx in $EWSEnabledMbx) {
    $UserInfo = Get-User -Identity $Mbx.ExternalDirectoryObjectId
    $MbxReportLine = [PSCustomObject][Ordered]@{
        DisplayName        = $Mbx.DisplayName
        PrimarySMTPAddress = $Mbx.PrimarySMTPAddress
        UPN                = $UserInfo.UserPrincipalName
        Department         = $UserInfo.Department
        City               = $UserInfo.City
        Country            = $UserInfo.CountryOrRegion
        EntraIDObjectId    = $Mbx.ExternalDirectoryObjectId
        MailboxType        = $UserInfo.RecipientTypeDetails
    }
    $Report.Add($MbxReportLine)
}
# Create a HTML form of the report
$HtmlReport = $Report | ConvertTo-Html -Fragment
# Change this address to match your tenant
$DistributionListAddress = "Office365BookFans@office365itpros.com"
# Build some HTML content
$HTMLContent = ("<p>We found <b>{0}</b> mailboxes still enabled for Exchange Web Services.</p>" -f $Report.Count)
$HTMLContent = $HTMLContent + ("<p>The EWSEnabled setting in the organization configuration is <b>{0}</b>.</p>" -f $EWSEnabled)
$HTMLContent = $HTMLContent + $HtmlReport
$HTMLContent = $HTMLContent + "<p>Please review these mailboxes and disable EWS for any mailbox that no longer needs this facility.</p>"
# Create the HVE parameters
$SendHVEMessageParams = @{}
$SendHVEMessageParams.Add('From', $UserName)
$SendHVEMessageParams.Add('To', $DistributionListAddress)
# Change this address for your tenant
$SendHVEMessageParams.Add('Bcc', 'Customer.Services@office365itpros.com')
$SendHVEMessageParams.Add('Subject', "Mailboxes Enabled for Exchange Web Services")
$SendHVEMessageParams.Add('Body', $HTMLContent)
$SendHVEMessageParams.Add('UseSsl', $true)
$SendHVEMessageParams.Add('Credential', $HVECredentials)
$SendHVEMessageParams.Add('SmtpServer', 'smtp-hve.office365.com')
$SendHVEMessageParams.Add('Port', 587)
$SendHVEMessageParams.Add('BodyAsHtml', $True)
# And send the message
Try {
    Send-MailMessage @SendHVEMessageParams -ErrorAction Stop
} Catch {
    # Report the intended recipient and the underlying SMTP error
    Write-Output ("Failed to send email to {0} with error {1}" -f $DistributionListAddress, $_.Exception.Message)
}