Enhancing the Script with Group Membership and Mailbox Permissions
I previously wrote about a PowerShell script created to help organizations assess the work required to perform a tenant-to-tenant migration. The script gathers a lot of detailed information that is invaluable when planning a migration project. One of the key aims of the script was that it should not take multiple hours to run in a standard medium-sized environment (with a few thousand users) – as such, I omitted some items to save time while still capturing key preliminary information.
Based on feedback, I have now added two additional pieces of functionality as optional items – a Group Membership report and a Mailbox Permission report.
A Note on Permission Changes
With the original scope, the only permissions required to gather data were read-only Microsoft Graph permissions and the Global Reader management role. Unfortunately, these permissions do not allow the PowerShell script to run the ‘Get-RecipientPermission’ Exchange Online cmdlet.
To enable the script to get recipient permissions, I added the Exchange Administrator role to the Prepare-TenantAssessment.ps1 script. If you do not require the permissions report, you can remove the role by removing lines 173 – 187 of the preparation script.
Running the PowerShell Script with Optional Parameters
As mentioned above, there are two new optional items in the assessment script. Running the script as normal generates the same output as before. However, if you add the -IncludeGroupMembership and -IncludeMailboxPermissions parameters (as shown in Figure 1), two new tabs will be added to the report with details about group members and mailbox permissions, respectively.
Including Group Membership
With the -IncludeGroupMembership parameter, the output file contains the tab “Group Membership”. This tab (Figure 2) contains a list of group memberships (capturing Users, Service Principals, and Groups) in the tenant. The Group ID and name are listed along with each member's ID, name, User Principal Name, object type, and membership type. This data gives a detailed record of group membership that can be used to form an import file for creating groups and adding members in the new tenant. Nested Groups are not expanded but are listed with the MemberObjectType of Group.
Similarly, the -IncludeMailboxPermissions parameter adds the tab “Mailbox Permissions” to the output file. This tab (Figure 3) contains a list of all Full Access and Send-as permissions for all user and shared mailboxes in Exchange Online. The usual details of the source object are included along with the individual permission and the user to which permissions are granted. This information can be invaluable during a hectic migration weekend where mailbox permissions usually get overshadowed by data migration activities. Outside of migrations, the report can be used to outline what permissions exist in the environment.
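The following is an added example, not code from the assessment script, showing one way to collect the same kind of data: explicit Full Access and Send As grants for user and shared mailboxes, with a progress bar. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run with a role that can call Get-RecipientPermission; the function name and output column names are hypothetical.

```powershell
# Added example (not part of the assessment script). Function and column names are illustrative.
# Assumes an existing Connect-ExchangeOnline session with rights to run Get-RecipientPermission.
function Get-MailboxPermissionReport {
    [CmdletBinding()]
    param(
        [string[]]$RecipientTypeDetails = @('UserMailbox', 'SharedMailbox')
    )

    $mailboxes = @(Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails $RecipientTypeDetails)
    $count = 0

    foreach ($mbx in $mailboxes) {
        $count++
        Write-Progress -Activity 'Collecting mailbox permissions' `
            -Status "$count of $($mailboxes.Count): $($mbx.PrimarySmtpAddress)" `
            -PercentComplete (($count / $mailboxes.Count) * 100)

        # Full Access: keep only explicit grants, skipping inherited entries,
        # deny entries and the owner's own SELF entry.
        Get-EXOMailboxPermission -Identity $mbx.PrimarySmtpAddress |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                           -not $_.Deny -and $_.User -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox     = $mbx.PrimarySmtpAddress
                    MailboxType = $mbx.RecipientTypeDetails
                    Permission  = 'FullAccess'
                    GrantedTo   = $_.User
                }
            }

        # Send As: exposed through recipient permissions rather than mailbox permissions.
        Get-RecipientPermission -Identity $mbx.PrimarySmtpAddress -ResultSize Unlimited |
            Where-Object { $_.AccessRights -contains 'SendAs' -and -not $_.IsInherited -and
                           $_.Trustee -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox     = $mbx.PrimarySmtpAddress
                    MailboxType = $mbx.RecipientTypeDetails
                    Permission  = 'SendAs'
                    GrantedTo   = $_.Trustee
                }
            }
    }
    Write-Progress -Activity 'Collecting mailbox permissions' -Completed
}

# Usage: Get-MailboxPermissionReport | Export-Csv .\MailboxPermissions.csv -NoTypeInformation
```

Because the function makes two permission lookups per mailbox, its run time grows with the number of mailboxes.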
Everything Comes at a Cost
The additional data about group membership and mailbox permissions is useful to have. However, nothing comes for free. The additional data gathering extends the run time of the PowerShell script significantly, particularly in larger environments. To help monitor progress, both the Group Membership and Mailbox Permissions tasks use the progress bar to indicate how much work is left to do (Figure 4).
The features are optional so if you need a high-level assessment, just omit the -IncludeGroupMembership and -IncludeMailboxPermissions parameters.
Always More to Do
Group Membership and Mailbox Permissions were two of the items people have asked to be included in the PowerShell script, and they are valuable to have when assessing any migration. There are many more features and metrics that can be gathered for consideration in a tenant migration scenario, so I encourage you to make suggestions. Maybe you’ve already added functionality yourself which provides some interesting additions? It is always worthwhile sharing your experience and improvements with the community by voicing your ideas!