
```powershell
# acquire an access token to interact with the app
# we use a certificate from the user's personal store
$appRegistration = @{
    TenantId          = ""
    ClientId          = "1f5ffbea-f13f-4f1a-af63-258ce4344daf"
    ClientCertificate = Get-Item "Cert:\CurrentUser\My\164446192FE04237C206211D59730445CA892911"
}
$msalToken = Get-MsalToken @appRegistration -ForceRefresh

# get byte contents of attachment and encode it as base64
$attachementPath  = Get-Item $MyInvocation.MyCommand.Path
$byteStream       = Get-Content -Path $attachementPath.FullName -AsByteStream
$attachementBytes = [System.Convert]::ToBase64String($byteStream)

# request body which contains our message
$requestBody = @{
    "message" = @{
        # ...
        "attachments" = @(
            @{
                "@odata.type"  = "#microsoft.graph.fileAttachment"
                "name"         = ""
                "contentType"  = "text/plain"
                "contentBytes" = $attachementBytes
            }
        )
    }
    "saveToSentItems" = "true"
}

# make the graph request
$request = @{
    "Headers" = @{ Authorization = $msalToken.CreateAuthorizationHeader() }
    # ...
}
```

Simply create a new app registration with the Mail.Send permissions and use a certificate for the authentication. We need to take additional steps to limit the permissions of the app registration.

Start the script with a variable to hold the groups, then add a foreach loop to go through each of those groups and return the group membership.

How to gather local group memberships on Windows Server

On a local server, the list of groups is likely quite short. For this article, we will work with just two groups, administrators and remote desktop users, but you can expand your coverage to other groups by adjusting the script accordingly.

For both Windows servers and Active Directory, the approach to managing these groups is similar. First, we need to maintain a list of the groups to monitor, then get the members of each group, and finally check for any changes since the last time the script ran.
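The three steps described above (list the groups, read their members, compare with the last run), as an added example that is not code from the original article. It assumes the built-in `Get-LocalGroupMember` cmdlet is available and uses a hypothetical state file path, `$StatePath`.

```powershell
# Added example, not from the original article.
# Assumption: $StatePath is a hypothetical location; use one only administrators can write to.
$Groups    = 'Administrators', 'Remote Desktop Users'
$StatePath = Join-Path $env:ProgramData 'GroupMonitor\baseline.json'

# 1. Get the members of each monitored group. The SID is recorded next to the
#    name so a deleted and re-created account with the same name shows as a change.
$current = @{}
foreach ($group in $Groups) {
    try {
        $current[$group] = @(Get-LocalGroupMember -Group $group -ErrorAction Stop |
            ForEach-Object { '{0} ({1})' -f $_.Name, $_.SID.Value } | Sort-Object)
    }
    catch {
        # A group that cannot be read is reported, never treated as empty.
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
    }
}

# 2. Load the snapshot written by the previous run, if there is one.
$previous = @{}
if (Test-Path -Path $StatePath) {
    $saved = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) { $previous[$p.Name] = @($p.Value) }
}

# 3. Report additions and removals for groups present in both snapshots.
$changes = foreach ($group in $Groups) {
    if (-not $current.ContainsKey($group) -or -not $previous.ContainsKey($group)) { continue }
    $old = $previous[$group]; $new = $current[$group]
    foreach ($m in $new) { if ($m -notin $old) { [pscustomobject]@{ Group = $group; Change = 'Added'; Member = $m } } }
    foreach ($m in $old) { if ($m -notin $new) { [pscustomobject]@{ Group = $group; Change = 'Removed'; Member = $m } } }
}

# 4. Keep the old entry for any group that failed to enumerate, then save.
foreach ($group in $previous.Keys) {
    if (-not $current.ContainsKey($group)) { $current[$group] = $previous[$group] }
}
New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $StatePath -Encoding UTF8

$changes | Format-Table -AutoSize
```

The first run only writes the baseline and reports nothing; later runs list each added or removed member per group.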
