@@ -12,13 +12,13 @@ Function Invoke-ExecModifyMBPerms {
1212
1313 $APIName = $Request.Params.CIPPEndpoint
1414 Write-LogMessage - headers $Request.Headers - API $APINAME - message ' Accessed this API' - Sev ' Debug'
15-
15+
1616 $Username = $request.body.userID
1717 $Tenantfilter = $request.body.tenantfilter
1818 $Permissions = $request.body.permissions
1919
2020 if ($username -eq $null ) { exit }
21-
21+
2222 $userid = (New-GraphGetRequest - uri " https://graph.microsoft.com/beta/users/$ ( $username ) " - tenantid $Tenantfilter ).id
2323 $Results = [System.Collections.ArrayList ]::new()
2424
@@ -33,10 +33,18 @@ Function Invoke-ExecModifyMBPerms {
3333 }
3434
3535 foreach ($Permission in $Permissions ) {
36- $PermissionLevel = $Permission.PermissionLevel
36+ $PermissionLevels = $Permission.PermissionLevel
3737 $Modification = $Permission.Modification
3838 $AutoMap = if ($Permission.PSObject.Properties.Name -contains ' AutoMap' ) { $Permission.AutoMap } else { $true }
39-
39+
40+ # Handle multiple permission levels separated by commas
41+ if ($PermissionLevels -like " *,*" ) {
42+ $PermissionLevelArray = $PermissionLevels -split ' ,' | ForEach-Object { $_.Trim () }
43+ }
44+ else {
45+ $PermissionLevelArray = @ ($PermissionLevels.Trim ())
46+ }
47+
4048 # Handle UserID as array of objects or single value
4149 $TargetUsers = if ($Permission.UserID -is [array ]) {
4250 $Permission.UserID | ForEach-Object { $_.value }
@@ -46,79 +54,136 @@ Function Invoke-ExecModifyMBPerms {
4654 }
4755
4856 foreach ($TargetUser in $TargetUsers ) {
49- try {
50- switch ($PermissionLevel ) {
51- ' FullAccess' {
52- if ($Modification -eq ' Remove' ) {
53- $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Remove-mailboxpermission' - cmdParams @ {
54- Identity = $userid
55- user = $TargetUser
56- accessRights = @ (' FullAccess' )
57- Confirm = $false
57+ foreach ($PermissionLevel in $PermissionLevelArray ) {
58+ try {
59+ switch ($PermissionLevel ) {
60+ ' FullAccess' {
61+ if ($Modification -eq ' Remove' ) {
62+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Remove-mailboxpermission' - cmdParams @ {
63+ Identity = $userid
64+ user = $TargetUser
65+ accessRights = @ (' FullAccess' )
66+ Confirm = $false
67+ }
68+ $null = $results.Add (" Removed $ ( $TargetUser ) from $ ( $username ) Shared Mailbox permissions (FullAccess)" )
69+ }
70+ else {
71+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Add-MailboxPermission' - cmdParams @ {
72+ Identity = $userid
73+ user = $TargetUser
74+ accessRights = @ (' FullAccess' )
75+ automapping = $AutoMap
76+ Confirm = $false
77+ }
78+ $null = $results.Add (" Granted $ ( $TargetUser ) access to $ ( $username ) Mailbox (FullAccess) with automapping set to $ ( $AutoMap ) " )
5879 }
59- $null = $results.Add (" Removed $ ( $TargetUser ) from $ ( $username ) Shared Mailbox permissions" )
6080 }
61- else {
62- $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Add-MailboxPermission' - cmdParams @ {
63- Identity = $userid
64- user = $TargetUser
65- accessRights = @ (' FullAccess' )
66- automapping = $AutoMap
67- Confirm = $false
81+ ' SendAs' {
82+ if ($Modification -eq ' Remove' ) {
83+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Remove-RecipientPermission' - cmdParams @ {
84+ Identity = $userid
85+ Trustee = $TargetUser
86+ accessRights = @ (' SendAs' )
87+ Confirm = $false
88+ }
89+ $null = $results.Add (" Removed $ ( $TargetUser ) from $ ( $username ) with Send As permissions" )
90+ }
91+ else {
92+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Add-RecipientPermission' - cmdParams @ {
93+ Identity = $userid
94+ Trustee = $TargetUser
95+ accessRights = @ (' SendAs' )
96+ Confirm = $false
97+ }
98+ $null = $results.Add (" Granted $ ( $TargetUser ) access to $ ( $username ) with Send As permissions" )
6899 }
69- $null = $results.Add (" Granted $ ( $TargetUser ) access to $ ( $username ) Mailbox with automapping set to $ ( $AutoMap ) " )
70100 }
71- }
72- ' SendAs' {
73- if ($Modification -eq ' Remove' ) {
74- $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Remove-RecipientPermission' - cmdParams @ {
75- Identity = $userid
76- Trustee = $TargetUser
77- accessRights = @ (' SendAs' )
78- Confirm = $false
101+ ' SendOnBehalf' {
102+ if ($Modification -eq ' Remove' ) {
103+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Set-Mailbox' - cmdParams @ {
104+ Identity = $userid
105+ GrantSendonBehalfTo = @ {
106+ ' @odata.type' = ' #Exchange.GenericHashTable'
107+ remove = $TargetUser
108+ }
109+ Confirm = $false
110+ }
111+ $null = $results.Add (" Removed $ ( $TargetUser ) from $ ( $username ) Send on Behalf Permissions" )
112+ }
113+ else {
114+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Set-Mailbox' - cmdParams @ {
115+ Identity = $userid
116+ GrantSendonBehalfTo = @ {
117+ ' @odata.type' = ' #Exchange.GenericHashTable'
118+ add = $TargetUser
119+ }
120+ Confirm = $false
121+ }
122+ $null = $results.Add (" Granted $ ( $TargetUser ) access to $ ( $username ) with Send On Behalf Permissions" )
79123 }
80- $null = $results.Add (" Removed $ ( $TargetUser ) from $ ( $username ) with Send As permissions" )
81124 }
82- else {
83- $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Add-RecipientPermission' - cmdParams @ {
84- Identity = $userid
85- Trustee = $TargetUser
86- accessRights = @ (' SendAs' )
87- Confirm = $false
125+ ' ReadPermission' {
126+ if ($Modification -eq ' Remove' ) {
127+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Remove-MailboxPermission' - cmdParams @ {
128+ Identity = $userid
129+ user = $TargetUser
130+ accessRights = @ (' ReadPermission' )
131+ Confirm = $false
132+ }
133+ $null = $results.Add (" Removed $ ( $TargetUser ) from $ ( $username ) Read Permissions" )
88134 }
89- $null = $results.Add (" Granted $ ( $TargetUser ) access to $ ( $username ) with Send As permissions" )
90135 }
91- }
92- ' SendOnBehalf' {
93- if ($Modification -eq ' Remove' ) {
94- $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Set-Mailbox' - cmdParams @ {
95- Identity = $userid
96- GrantSendonBehalfTo = @ {
97- ' @odata.type' = ' #Exchange.GenericHashTable'
98- remove = $TargetUser
136+ ' ExternalAccount' {
137+ if ($Modification -eq ' Remove' ) {
138+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Remove-MailboxPermission' - cmdParams @ {
139+ Identity = $userid
140+ user = $TargetUser
141+ accessRights = @ (' ExternalAccount' )
142+ Confirm = $false
99143 }
100- Confirm = $false
144+ $null = $results .Add ( " Removed $ ( $TargetUser ) from $ ( $username ) Read Permissions " )
101145 }
102- $null = $results.Add (" Removed $ ( $TargetUser ) from $ ( $username ) Send on Behalf Permissions" )
103146 }
104- else {
105- $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Set-Mailbox' - cmdParams @ {
106- Identity = $userid
107- GrantSendonBehalfTo = @ {
108- ' @odata.type' = ' #Exchange.GenericHashTable'
109- add = $TargetUser
147+ ' DeleteItem' {
148+ if ($Modification -eq ' Remove' ) {
149+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Remove-MailboxPermission' - cmdParams @ {
150+ Identity = $userid
151+ user = $TargetUser
152+ accessRights = @ (' DeleteItem' )
153+ Confirm = $false
110154 }
111- Confirm = $false
155+ $null = $results.Add (" Removed $ ( $TargetUser ) from $ ( $username ) Read Permissions" )
156+ }
157+ }
158+ ' ChangePermission' {
159+ if ($Modification -eq ' Remove' ) {
160+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Remove-MailboxPermission' - cmdParams @ {
161+ Identity = $userid
162+ user = $TargetUser
163+ accessRights = @ (' ChangePermission' )
164+ Confirm = $false
165+ }
166+ $null = $results.Add (" Removed $ ( $TargetUser ) from $ ( $username ) Read Permissions" )
167+ }
168+ }
169+ ' ChangeOwner' {
170+ if ($Modification -eq ' Remove' ) {
171+ $MailboxPerms = New-ExoRequest - Anchor $username - tenantid $Tenantfilter - cmdlet ' Remove-MailboxPermission' - cmdParams @ {
172+ Identity = $userid
173+ user = $TargetUser
174+ accessRights = @ (' ChangeOwner' )
175+ Confirm = $false
176+ }
177+ $null = $results.Add (" Removed $ ( $TargetUser ) from $ ( $username ) Read Permissions" )
112178 }
113- $null = $results.Add (" Granted $ ( $TargetUser ) access to $ ( $username ) with Send On Behalf Permissions" )
114179 }
115180 }
181+ Write-LogMessage - headers $Request.Headers - API $APINAME - message " Executed $ ( $PermissionLevel ) permission modification for $ ( $TargetUser ) on $ ( $username ) " - Sev ' Info' - tenant $TenantFilter
182+ }
183+ catch {
184+ Write-LogMessage - headers $Request.Headers - API $APINAME - message " Could not execute $ ( $PermissionLevel ) permission modification for $ ( $TargetUser ) on $ ( $username ) " - Sev ' Error' - tenant $TenantFilter
185+ $null = $results.Add (" Could not execute $ ( $PermissionLevel ) permission modification for $ ( $TargetUser ) on $ ( $username ) . Error: $ ( $_.Exception.Message ) " )
116186 }
117- Write-LogMessage - headers $Request.Headers - API $APINAME - message " Executed $ ( $PermissionLevel ) permission modification for $ ( $TargetUser ) on $ ( $username ) " - Sev ' Info' - tenant $TenantFilter
118- }
119- catch {
120- Write-LogMessage - headers $Request.Headers - API $APINAME - message " Could not execute $ ( $PermissionLevel ) permission modification for $ ( $TargetUser ) on $ ( $username ) " - Sev ' Error' - tenant $TenantFilter
121- $null = $results.Add (" Could not execute $ ( $PermissionLevel ) permission modification for $ ( $TargetUser ) on $ ( $username ) . Error: $ ( $_.Exception.Message ) " )
122187 }
123188 }
124189 }
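Review bot: The Info entry at new line 181 is written even when the switch at new line 59 matched nothing, so the audit log can record a mailbox permission change that never ran: the switch has no `default` arm, and the five new arms (`ReadPermission`, `ExternalAccount`, `DeleteItem`, `ChangePermission`, `ChangeOwner`) act only when `$Modification` is `'Remove'`. Each level now comes from splitting a request-body string, so an unrecognised value or an add request for one of those five rights passes through silently. Adding `default { throw "Unsupported permission level: $PermissionLevel" }` to the switch and `else { throw "Unsupported modification for $PermissionLevel" }` to the remove-only arms would route these cases into the existing catch block and its Error entry. The result strings at new lines 144, 155, 166 and 177 also still read "Read Permissions" for the `ExternalAccount`, `DeleteItem`, `ChangePermission` and `ChangeOwner` removals, which mislabels the right that was revoked. Invoke-ExecModifyMBPerms starts and ends outside the visible hunks, so any earlier validation of `$Permission.PermissionLevel` cannot be seen here.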