How IAM Systems can use Exchange RecipientManagement PSSnapin
Hi All,
I have already blogged about the Exchange 2019 Recipient Managemen PowerShell that can Manage Echange Objects without an Exchange Server running.
Install and use Exchange 2019 CU12 Recipient Management PowerShell
For Identity and Access Management Systems (IAM) provisioning, management and deprovisioning based in the past on crating a Remote PowerShell to Exchange Server. How do you Address this with the new Recipient Management?
In Fact there are two Solutions:
- You install the Recipient Management PSSnapIn on the IAM Server (Management Tools)
- You create a Remote PowerShell to a Server that has the Recipient Management PSSnapin installed
Let's have a look into the second Option.
$Cred = Get-Credential lab\administrator
New-PSSession
#Create PSSession
$PSSession= New-PSSession LAB03 -credential $cred
#Define String for Argumentlist
$Name = "Demo96"
#Invoke Remote Command
Invoke-Command -Argumentlist $Name -Session $PSSession -ScriptBlock {
param($SamAccountName)
Write-Host "Loading PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement" -ForegroundColor Green
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
Write-Host "SamAccountName: $SamAccountName"
Write-Host "Enable-RemoteMailbox"
Enable-RemoteMailbox -Identity "$SamAccountName" -Alias "$SamAccountName" -RemoteRoutingAddress "$SamAccountName@serveralivech.mail.onmicrosoft.com" -Shared
Write-Host "Get-RemoteMailbox"
Get-RemoteMailbox -Identity $SamAccountName
Write-Host "Remove-PSSnapIn"
Remove-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
}
#Remove PSSession
Get-PSSession | Remove-PSSession
$PSSession= New-PSSession LAB03 -credential $cred
#Define String for Argumentlist
$Name = "Demo96"
#Invoke Remote Command
Invoke-Command -Argumentlist $Name -Session $PSSession -ScriptBlock {
param($SamAccountName)
Write-Host "Loading PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement" -ForegroundColor Green
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
Write-Host "SamAccountName: $SamAccountName"
Write-Host "Enable-RemoteMailbox"
Enable-RemoteMailbox -Identity "$SamAccountName" -Alias "$SamAccountName" -RemoteRoutingAddress "$SamAccountName@serveralivech.mail.onmicrosoft.com" -Shared
Write-Host "Get-RemoteMailbox"
Get-RemoteMailbox -Identity $SamAccountName
Write-Host "Remove-PSSnapIn"
Remove-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
}
#Remove PSSession
Get-PSSession | Remove-PSSession
As you can see i get an Authentication Error
The Solution comes here
Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role "Client" -DelegateComputer LAB03
Enable-WSManCredSSP -Role "Client" -DelegateComputer LAB03
Let's check the Settings with the following Command
winrm get winrm/config/client
Let's try it again
#Create PSSession
$PSSession= New-PSSession LAB03 -authentication credssp -credential $cred
#Define String for Argumentlist
$Name = "Demo96"
#Invoke Remote Command
Invoke-Command -Argumentlist $Name -Session $PSSession -ScriptBlock {
param($SamAccountName)
Write-Host "Loading PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement" -ForegroundColor Green
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
Write-Host "SamAccountName: $SamAccountName"
Write-Host "Enable-RemoteMailbox"
Enable-RemoteMailbox -Identity "$SamAccountName" -Alias "$SamAccountName" -RemoteRoutingAddress "$SamAccountName@serveralivech.mail.onmicrosoft.com" -Shared
Write-Host "Get-RemoteMailbox"
Get-RemoteMailbox -Identity $SamAccountName
Write-Host "Remove-PSSnapIn"
Remove-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
}
#Remove PSSession
Get-PSSession | Remove-PSSession
$PSSession= New-PSSession LAB03 -authentication credssp -credential $cred
#Define String for Argumentlist
$Name = "Demo96"
#Invoke Remote Command
Invoke-Command -Argumentlist $Name -Session $PSSession -ScriptBlock {
param($SamAccountName)
Write-Host "Loading PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement" -ForegroundColor Green
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
Write-Host "SamAccountName: $SamAccountName"
Write-Host "Enable-RemoteMailbox"
Enable-RemoteMailbox -Identity "$SamAccountName" -Alias "$SamAccountName" -RemoteRoutingAddress "$SamAccountName@serveralivech.mail.onmicrosoft.com" -Shared
Write-Host "Get-RemoteMailbox"
Get-RemoteMailbox -Identity $SamAccountName
Write-Host "Remove-PSSnapIn"
Remove-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Get-PSSnapin
}
#Remove PSSession
Get-PSSession | Remove-PSSession
As you can see that worked perfectly
Now you have the Solutions for your IAM System to Provision and Manage Exchange Objects without Exchange Services running. This improves the overall Security Posture as less Services are Exposed to the LAN or even Internet.
Keep in Mind that this Solution only works based on Kerberos - that means both Computers (IAM and Server with Recipient Managent PSSnapin) have to be Members of an Active Directory Domain.
Regards
Andres Bohren
