At C:\Scripts\MailboxPermissionReport.ps1:225 char:7
 +       | Where-Object {$_.PrimarySMTPAddress -notcontains "@student.do ...
 +       ~
 An empty pipe element is not allowed.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : EmptyPipeElement

Error above when running the script.

The Get-MgMFAStatus script always produces this error when run;

Select-MgProfile: C:\Program Files\PowerShell\Scripts\Get-MgMFAStatus.ps1:69
Line |
69 | Select-MgProfile Beta
| ~~~~~~~~~~~~~~~~
| The term 'Select-MgProfile' is not recognized as a name of a cmdlet, function, script file, or executable
| program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
| again.

Apparently this cmdlet is no longer usable since a newer version of the Graph powershell module was released.

Line 75 of Merge-DuplicateItems.ps1 says:

Write-Host " - Duplicatie folder found: " $itemPath -ForegroundColor Yellow

But should say:

Write-Host " - Duplicate folder found: " $itemPath -ForegroundColor Yellow

In some cases
$sentItems = Get-EXOMailboxFolderStatistics -Identity $.UserPrincipalName -Folderscope sentitems_
returns details for additional folders and not only the Sent Items folder, resulting in the error as per title of this issue.

It can be corrected (and I have successfully tested) by qualifying using "| Where {$_.FolderPath -eq "/Sent Items"} ", as follows.

Replace

$sentItems = Get-EXOMailboxFolderStatistics -Identity $.UserPrincipalName -Folderscope sentitems | Select-Object ItemsInFolderAndSubfolders,@{Name = "sentItemSize"; Expression = {$.FolderAndSubfolderSize.ToString().Split("(")[0]}}

with

$sentItems = Get-EXOMailboxFolderStatistics -Identity $.UserPrincipalName -Folderscope sentitems | Where {$_.FolderPath -eq "/Sent Items"} | Select-Object ItemsInFolderAndSubfolders,@{Name = "sentItemSize"; Expression = {$.FolderAndSubfolderSize.ToString().Split("(")[0]}}

It seems as if some of the functionality is broken within the script.

Getting "Failed to create report" with no sign of where the error occurs. This only happens when running switches such as csv files, manually entering names. Does not happen when running the script without any switches.

It will create the CSV but not populate with information.

Does not matter where the csv output is going, whether or not the switch for the csv output is used etc.

The screenshot used shows close exchange online connection No but this problem happens regardless and the last success (with the all users no switches was run after a no)

Also an enhancement request is it possible to create the following switch?

A way to have each line email the respective mailbox owner of who has permissions? But only be for that specific user?

I get these error, while using the paramter "./MailboxPermissionReport.ps1 -adminUPN [email protected] -sharedMailboxes only" with Visual Studio Code at MacOS.

ParserError: /Users/mec/pwsh/MailboxPermissionReport.ps1:206:209
Line |
206 | … k Button--medium Button d-lg-none color-fg-inherit p-1"> <span cla …
| ~
| The '<' operator is reserved for future use.

this is what my mfaData array looked like for some users:

$mfaData = @(
    @{
        "Id" = "28c10230-6103-485e-b985-444c60001490"
        "AdditionalProperties" = @{
            "@odata.type" = "#microsoft.graph.passwordAuthenticationMethod"
            "createdDateTime" = "2022-08-22T20:15:01Z"
        }
    },
    @{
        "Date" = @("Tue, 20 Feb 2024 18:25:46 GMT")
        "OData-Version" = @("4.0")
        "x-ms-ags-diagnostic" = @("{}")
        "Vary" = @("Accept-Encoding")
        "Transfer-Encoding" = @("chunked")
        "client-request-id" = @("d1cb00e6-e362-45ef-8484-f7dfd8ec29de")
        "Strict-Transport-Security" = @("max-age=31536000")
        "request-id" = @("ef51d0d8-e5fb-4831-a44c-6d200cd927cb")
    }
)

on the second pass of the foreach loop it would error with Cannot index into a null array.

I fixed it by filtering down mfaData to just elements that contain AdditionalProperties:

$mfaDataFiltered = $mfaData | Where-Object { $_.AdditionalProperties  }
ForEach ($method in $mfaDataFiltered) {

It works with just my display name, otherwise I'm having this error in addition:

Write-ErrorMessage : Cannot process argument transformation on parameter 'HeaderMatchesPatterns'. Cannot convert value "System.String[]" to type "Microsoft.Exchange.MessagingPolicies.Rules.Tasks.Pattern[]". Error: ""The pattern '[
"Display Names"
]' exceeds the maximum length of 128 characters.""

Seems pretty darn close...

I use azure runbook,
Grant right:
Access control

• User access administrator
• contributor
  -application administrator

Still cannot get the existing user by Get-AzureADServiceAppRoleAssignment
which the $existingUsers is empty

But I run the script fully success on localhost by using Credential.

Am I missed any permission needed?

Get-AzureADuser,Get-AzureADServicePrincipal,Get-AzureADUser,New-AureADUserAppRoleAssignment: All work

Only Get-AzureADServiceAppRoleAssignment not work.

When using this script (tested in 3 different tenants with global admin) some users are not being exported properly.

Any clue how to resolve this? I tried troubleshooting it a lot but can't seem to find why it's doing this.

Get-EXOMailbox -Identity $identity -Properties GrantSendOnBehalfTo, ForwardingSMTPAddress |
select UserPrincipalName, DisplayName, PrimarySMTPAddress, RecipientType, RecipientTypeDetails, GrantSendOnBehalfTo, ForwardingSMTPAddress

  This seems to be going well; however the function Get-AllMailboxPermissions shows many empty lines

When running the Employee Off boarding script getting this error

Unable to find current loggedon user in AD Unable to find a default server with Active Directory Web Services running. I'm sure that user i'm trying to off board do exist in my O365 tenant and can't figure out what's wrong

find the full vebrose

VERBOSE: Exporting function 'Get-CurrentUser'.
VERBOSE: Exporting function 'Get-UserDetails'.
VERBOSE: Exporting function 'Get-Manager'.
VERBOSE: Exporting function 'Get-UserMailbox'.
VERBOSE: Exporting function 'Set-OutOfOfficeReply'.
VERBOSE: Exporting function 'Set-MailboxToShared'.
VERBOSE: Exporting function 'Get-EmailTemplate'.
VERBOSE: Exporting function 'Send-MailtoManager'.
VERBOSE: Exporting function 'Send-MailtoAdmin'.
VERBOSE: Exporting function 'Remove-UserFromGroup'.
VERBOSE: Exporting function 'Remove-O365License'.
VERBOSE: Exporting function 'Revoke-UserSessions'.
VERBOSE: Importing function 'Get-CurrentUser'.
VERBOSE: Importing function 'Get-EmailTemplate'.
VERBOSE: Importing function 'Get-Manager'.
VERBOSE: Importing function 'Get-UserDetails'.
VERBOSE: Importing function 'Get-UserMailbox'.
VERBOSE: Importing function 'Remove-O365License'.
VERBOSE: Importing function 'Remove-UserFromGroup'.
VERBOSE: Importing function 'Revoke-UserSessions'.
VERBOSE: Importing function 'Send-MailtoAdmin'.
VERBOSE: Importing function 'Send-MailtoManager'.
VERBOSE: Importing function 'Set-MailboxToShared'.
VERBOSE: Importing function 'Set-OutOfOfficeReply'.
Unable to find current loggedon user in AD Unable to find a default server with Active Directory Web Services running.

When running in PowerShell 7, the MSOnline module must be loaded using compatibility mode (-UseWindowsPowerShell) or it will fail:

Line |
126 | Connect-MsolService
| ~~~~~~~~~~~~~~~~~~~
| Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0, Culture=neutral,
| PublicKeyToken=b77a5c561934e089'.

Hi, there´s an error on line 168;

Invoke-Item $path Should Be Invoke-Item $CSVpath

PS: Thank you for the scripts. really great job.

Any idea why a user can be MFA enforced but not enabled?

I had a similar script and about a year ago it stopped working. Basically MFA was enforced and the phone # was added correctly and verified via PS but when I would try to log in it would have the text icon which when I clicked on I would get "we're having trouble identifying your account". My script (Similar to yours) worked fine up until that point. Wonder if you ever experienced this?

Hello,

What's the condition of the "isadmin"? Does it check the assigned role or user property?

If a site has multiple DCs, a problem will occur. I modified it myself to the following and it will work. I don’t know if it is correct.
About line 275:
The information obtained is

PS C:\Windows\system32> ($repPartnerData).LastReplicationAttempt

Friday, November 10, 2023 1:20:13 PM
Friday, November 10, 2023 1:07:35 PM
Friday, November 10, 2023 1:07:35 PM
Friday, November 10, 2023 1:07:35 PM
Friday, November 10, 2023 1:07:35 PM
Friday, November 10, 2023 1:07:34 PM

Presented after modification
PS C:\Windows\system32> ($repPartnerData | Where-Object {$_.Partner -match ($replResult.repPartner)}).LastReplicationAttempt

Friday, November 10, 2023 1:20:13 PM

Modify code 275-276

        $replLastRepAttempt = ($repPartnerData | Where-Object {$_.Partner -match ($replResult.repPartner)}).LastReplicationAttempt
        $replFrequency = (Get-ADReplicationSiteLink -Filter *)[0].ReplicationFrequencyInMinutes

Modify code 286
$replLastRepSuccess = ($repPartnerData | Where-Object {$_.Partner -match ($replResult.repPartner)}).LastReplicationSuccess