Outlook Auto-Mapping and delegation to groups

As discussed here, Outlook doesn’t auto-load a delegated mailbox if the delegation target is a group.

In the backend, Exchange populates the msExchDelegateListLink attribute on the delegated mailbox’s user object with the DNs of the users the mailbox is delegated to; Outlook reads this to decide which mailboxes to auto-map. It is not populated for groups, however, because Exchange is not directly aware of group membership changes. As a workaround, you can populate it yourself as a scheduled job. Here’s a script for that.

Notes:

  • It adds the DNs of group members to the msExchDelegateListLink attribute and also cleans up removed members (both direct and group members).
  • Logging and internal comments have been removed.
  • The script is quite expensive (resource- and time-wise); in my environment it takes 2-3 minutes to run.
  • I have scheduled it to run every 2-3 hours, adjust to your requirements.
    Outlook should pick up changes a few minutes after a run.
  • Run a visible mailbox size checker first so you don’t blow the user’s default 50GB OST limit.
  • I’m running Exchange 2016, but 2010 SP1 and up should work.
  • This script writes directly to your AD: understand and test the script first, and understand the risks.
  • You need to load the Exchange PowerShell snap-in or a remote management session first.

Function Populate-msExchDelegateListLink {
	# Requires the ActiveDirectory module and an Exchange management session (snap-in or remote)
	Import-Module ActiveDirectory -ErrorAction Stop
	$MailboxList = Get-Mailbox -ResultSize Unlimited
	ForEach ($Mailbox in $MailboxList) {
		# Only explicit (non-inherited) FullAccess grants count as delegations; the DN avoids ambiguous names
		$MailboxPermissions = Get-MailboxPermission -Identity $Mailbox.DistinguishedName |
			Where-Object { $_.IsInherited -eq $false -and $_.AccessRights -contains 'FullAccess' }
		$UserMembers = @()
		$GroupMembers = @()
		ForEach ($MailboxPermission in $MailboxPermissions) {
			# Entries look like DOMAIN\name; resolve the name against AD to tell users from groups.
			# Unresolvable entries such as NT AUTHORITY\SELF or orphaned SIDs fall through both lookups.
			$NormalizedName = $MailboxPermission.User.ToString().Split('\')[-1]
			#This is dumb but... it works!
			$CheckIfGroup = $(Try {Get-ADGroup -Identity $NormalizedName -ErrorAction Stop} Catch {$null})
			$CheckIfUser = $(Try {Get-ADUser -Identity $NormalizedName -ErrorAction Stop} Catch {$null})
			If ($CheckIfGroup) {
				$GroupMembers += $CheckIfGroup.DistinguishedName
			} ElseIf ($CheckIfUser) {
				$UserMembers += $CheckIfUser.DistinguishedName
			}
		}
		# Expand groups (nested groups included) to user DNs, skipping the mailbox owner itself
		ForEach ($GroupMember in $GroupMembers) {
			$GroupMemberShip = (Get-ADGroupMember -Identity $GroupMember -Recursive |
				Where-Object { $_.ObjectClass -eq 'user' -and $_.DistinguishedName -ne $Mailbox.DistinguishedName }).DistinguishedName
			$GroupMemberShip | ForEach-Object { $UserMembers += $_ }
		}
		# A user granted access both directly and via a group must appear only once,
		# otherwise the second -Add of the same DN fails
		$UserMembers = @($UserMembers | Select-Object -Unique)
		$MailboxDelegateList = @((Get-ADUser -Identity $Mailbox.DistinguishedName -Properties msExchDelegateListLink).msExchDelegateListLink)
		# Remove stale entries: users whose direct or group-based FullAccess has gone
		ForEach ($MailboxDelegateListEntry in $MailboxDelegateList) {
			If ($UserMembers -notcontains $MailboxDelegateListEntry) {
				Set-ADUser -Identity $Mailbox.DistinguishedName -Remove @{msExchDelegateListLink="$MailboxDelegateListEntry"}
			}
		}
		# Add missing entries so Outlook auto-maps the mailbox for these users
		ForEach ($UserMember in $UserMembers) {
			If ($MailboxDelegateList -notcontains $UserMember) {
				Set-ADUser -Identity $Mailbox.DistinguishedName -Add @{msExchDelegateListLink="$UserMember"}
			}
		}
	}
}
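The "visible mailbox size checker" the notes ask you to run first, as an added example that is not part of the original post: it inverts the msExchDelegateListLink forward link into a per-delegate list of auto-mapped mailboxes, sums their sizes together with the user's own mailbox, and flags anyone over the 50GB OST limit. It assumes the ActiveDirectory module and an Exchange management session are loaded, as the script above does.

```powershell
# Added example, not from the original post: reports how much mailbox data will auto-map into
# each user's Outlook profile so the default 50 GB OST limit mentioned in the notes is not exceeded.
# Assumes the ActiveDirectory module and an Exchange management session are already loaded.
Import-Module ActiveDirectory -ErrorAction Stop

function Convert-ToBytes {
	# TotalItemSize is a ByteQuantifiedSize locally but deserialises to text such as
	# "1.5 GB (1,610,612,736 bytes)" in a remote session; handle both forms.
	param($Size)
	if ($null -eq $Size) { return [int64]0 }
	if ($Size.Value -and $Size.Value.PSObject.Methods['ToBytes']) { return [int64]$Size.Value.ToBytes() }
	if ("$Size" -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
	return [int64]0
}

function Get-AutoMappedMailboxSize {
	param([int64]$LimitBytes = 50GB)   # Outlook's default OST size limit, as stated in the notes
	# Invert the forward link: mailbox -> delegate DNs becomes delegate -> mailbox DNs
	$AutoMapped = @{}
	Get-ADUser -Filter 'msExchDelegateListLink -like "*"' -Properties msExchDelegateListLink | ForEach-Object {
		foreach ($DelegateDn in $_.msExchDelegateListLink) {
			if (-not $AutoMapped.ContainsKey($DelegateDn)) { $AutoMapped[$DelegateDn] = @() }
			$AutoMapped[$DelegateDn] += $_.DistinguishedName
		}
	}
	foreach ($DelegateDn in $AutoMapped.Keys) {
		# The user's own mailbox lives in the same OST, so it counts toward the limit too
		$Total = Convert-ToBytes (Get-MailboxStatistics -Identity $DelegateDn -ErrorAction SilentlyContinue).TotalItemSize
		foreach ($MailboxDn in $AutoMapped[$DelegateDn]) {
			$Total += Convert-ToBytes (Get-MailboxStatistics -Identity $MailboxDn -ErrorAction SilentlyContinue).TotalItemSize
		}
		[pscustomobject]@{
			Delegate        = $DelegateDn
			AutoMappedCount = $AutoMapped[$DelegateDn].Count
			TotalGB         = [math]::Round($Total / 1GB, 2)
			OverOstLimit    = ($Total -gt $LimitBytes)
		}
	}
}

Get-AutoMappedMailboxSize | Sort-Object TotalGB -Descending | Format-Table -AutoSize
```

Rows with OverOstLimit set to True are the users whose delegations should be trimmed (or whose OST limit raised by policy) before the populate script is scheduled.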

6 thoughts on “Outlook Auto-Mapping and delegation to groups”

  1. In your get-mailbox command you could limit the scope to shared and resource mailboxes. That should reduce the cost of the script by reducing the number of mailboxes returned.

    Most mailboxes accessed by multiple persons are shared, equipment or resource boxes. Not too often that this would be applicable for a user but I guess it could be.

    …just a thought on reducing the cost of the script to run.

    1. I agree, it would significantly reduce runtime if you don’t have delegations to regular user mailboxes.
      But I do! 🙂
      That one really annoying use case is why I actually wrote the script in the first place.

  2. I’m trying to get this working in a hybrid environment (exchange online), amended it slightly and it now works (in that the DN is added to the Shared mailbox – but automapping doesn’t work for me)

    Is MSExchDelegateLinkListBL not needed?

    1. Hybrid (I presume your mailboxes are all at ExO) works very differently. MSExchDelegateLinkListBL is not synced to AAD (or maybe it’s synced but never transformed/used, I don’t remember and don’t want to look it up now). This only works with on-premises solution.

      My colleague wrote a script to achieve a similar solution (Hybrid, federated) but it works very differently, basically looking at group members and adding delegations directly to the ExO shared mailbox. Not very elegant, but as you don’t have any meaningful access to AAD, a necessary evil.

      I haven’t written here in a long time but I’ll try to take some time and write a new post about this solution.

        1. I don’t work at that place anymore but I can ask permission to share, if I don’t forget.
