Public/Exchange/Role/Get-ExRoleReport.ps1
|
<#
.SYNOPSIS Get-ExRoleReport - Reports on Exchange RBAC roles and permissions. .DESCRIPTION This script produces a report of the membership of Exchange RBAC role groups. By default, the report contains only the groups with members. .OUTPUTS The report is output to an array contained all the audit logs found. To export in a csv, do Get-ExRoleReport | Export-CSV -NoTypeInformation "$(Get-Date -Format yyyyMMdd)_adminRoles.csv" -Encoding UTF8 .EXAMPLE Get-ExRoleReport This command retrieves the Exchange RBAC role report for Exchange Online. .LINK https://ps365.clidsys.com/docs/commands/Get-ExRoleReport .NOTES #> function Get-ExRoleReport { [CmdletBinding()] param ( [switch]$OnPrem ) if (-not $OnPrem) { try { Import-Module ExchangeOnlineManagement -ErrorAction stop } catch { Write-Warning 'First, install the official Microsoft Import-Module ExchangeOnlineManagement module : Install-Module ExchangeOnlineManagement' return } if (-not (Get-ConnectionInformation | Where-Object { $_.ConnectionUri -eq 'https://outlook.office365.com' })) { Connect-ExchangeOnline } } try { if ($OnPrem) { $exchangeRoles = Get-RoleGroup -ErrorAction Stop } else { # -ShowPartnerLinked (only for Exchange Online) # This `-ShowPartnerLinked` switch specifies whether to return built-in role groups that are of type PartnerRoleGroup. You don't need to specify a value with this switch. # This type of role group is used in the cloud-based service to allow partner service providers to manage their customer organizations. # These types of role groups can't be edited and are not shown by default. $exchangeRoles = Get-RoleGroup -ShowPartnerLinked -ErrorAction Stop } } catch { Write-Warning "Unable to retrieve Exchange RBAC roles. $($_.Exception.Message)" } [System.Collections.Generic.List[Object]]$exchangeRolesMembership = @() foreach ($exchangeRole in $exchangeRoles) { try { $roleMembers = @(Get-RoleGroupMember -Identity $exchangeRole.ExchangeObjectId -ResultSize Unlimited) # Add green color if member found into the role if ($roleMembers.count -gt 0) { Write-Host -ForegroundColor Green "Role $($exchangeRole.Name) - Member(s) found: $($roleMembers.count)" } else { Write-Host -ForegroundColor Cyan "Role $($exchangeRole.Name) - Member found: $($roleMembers.count)" } if ($exchangeRole.Description -eq '' -and $exchangeRole.Name -like 'ISVMailboxUsers_*') { $roleDescription = 'Third-party application developer mailbox role' } else { $roleDescription = $exchangeRole.Description } if ($roleMembers.count -eq 0) { $object = [PSCustomObject][ordered]@{ 'Role' = $exchangeRole.Name 'MemberName' = '-' 'MemberDisplayName' = '-' 'MemberPrimarySMTPAddres' = '-' 'MemberIsDirSynced' = '-' 'MemberObjectID' = '-' 'MemberRecipientTypeDetails' = '-' 'RoleDescription' = $roleDescription } $exchangeRolesMembership.Add($object) } else { foreach ($roleMember in $roleMembers) { $object = [PSCustomObject][ordered]@{ 'Role' = $exchangeRole.Name 'MemberName' = $roleMember.Name 'MemberDisplayName' = $roleMember.DisplayName 'MemberPrimarySMTPAddres' = $roleMember.PrimarySmtpAddress 'MemberIsDirSynced' = $roleMember.IsDirSynced 'MemberObjectID' = $roleMember.ExternalDirectoryObjectId 'MemberRecipientTypeDetails' = $roleMember.RecipientTypeDetails 'RoleDescription' = $roleDescription } $exchangeRolesMembership.Add($object) } } } catch { Write-Warning $_.Exception.Message } } return $exchangeRolesMembership } |