Mastering Office 365 Cloud Management: Exchange Online
Chapter 1 Getting Started with Office 365
1.1 Domain Management
When you register Office 365 operated by 21Vianet, you receive an initial Office 365 domain: XXX.partner.onmschina.cn
As an administrator, sign in to the Office 365 portal: left "navigation bar" -- "Setup" -- "Domains" -- "Add domain":
https://portal.partner.microsoftOnline.cn
2. Managing Office 365 through PowerShell:
2.1 Install the Azure AD module:
Install-Module AzureAD
Install-Module Msonline
Connect-MsolService -AzureEnvironment AzureChinaCloud
Get-MsolDomain -DomainName nipc.me |fl
Set the default domain:
Set-MsolDomain -Name nipc.me -IsDefault
Get-MsolDomain
Remove a domain:
Remove-MsolDomain -DomainName nipc.me
If the custom domain was previously bound to an Office 365 global tenant, then even after it is added successfully in Office 365 China, it will be missing from "Accepted domains" in the China Exchange admin center, and mailbox functions will not work correctly.
1.2 User Management
Create a user:
Required attributes for creating a user:
DisplayName: the display name
UserPrincipalName: the user name used to sign in to Office 365 services, e.g. [email protected]
New-MsolUser -DisplayName "Gan Zhiyan" -UserPrincipalName [email protected] -FirstName Gan -LastName Zhiyan -UsageLocation CN -LicenseAssignment reseller-account:O365_BUSINESS_PREMIUM
Query the licenses in the subscription:
Get-MsolAccountSku
AccountSkuId ActiveUnits WarningUnits ConsumedUnits
------------ ----------- ------------ -------------
reseller-account:O365_BUSINESS_ESSENTIALS 0 0 2
reseller-account:O365_BUSINESS_PREMIUM 2 0 2
Bulk user creation:
Prepare a CSV file containing the corresponding attributes: DisplayName, UserPrincipalName, FirstName, LastName, UsageLocation, LicenseAssignment (AccountSkuId)
Then complete the bulk creation through PowerShell:
Import-Csv -Path "C:\users.csv" | foreach {New-MsolUser -DisplayName $_.DisplayName -UserPrincipalName $_.UserPrincipalName -FirstName $_.FirstName -LastName $_.LastName -UsageLocation $_.UsageLocation -LicenseAssignment $_.AccountSkuId} | Export-Csv -Path "C:\Results.csv"
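The one-liner above creates accounts blindly and writes whatever New-MsolUser returns (including the generated temporary password) to the results file. The following is an added example, not the book's code, that validates each CSV row, checks that the SKU still has free seats, skips accounts that already exist, and logs only a status per row. It assumes an open Connect-MsolService session and the CSV layout described above; the file paths are assumptions.

```powershell
# Added example (not from the book): bulk user creation with pre-flight checks.
# Assumes Connect-MsolService has already been run and that users.csv has the
# columns DisplayName, UserPrincipalName, FirstName, LastName, UsageLocation,
# AccountSkuId. Both paths are assumptions.
$CsvPath    = "C:\users.csv"
$ResultPath = "C:\Results.csv"

# Build a lookup of free seats per SKU once, instead of one call per row.
$seats = @{}
Get-MsolAccountSku | ForEach-Object {
    $seats[$_.AccountSkuId] = $_.ActiveUnits - $_.ConsumedUnits
}

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $status = "Created"
    $detail = ""
    try {
        # Reject malformed rows before touching the tenant.
        if ($row.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            throw "UserPrincipalName is not a valid UPN"
        }
        if ([string]::IsNullOrWhiteSpace($row.DisplayName)) {
            throw "DisplayName is empty"
        }
        if (-not $seats.ContainsKey($row.AccountSkuId)) {
            throw "Unknown AccountSkuId '$($row.AccountSkuId)'"
        }
        if ($seats[$row.AccountSkuId] -le 0) {
            throw "No free seats left for $($row.AccountSkuId)"
        }
        # Never overwrite an account that already exists.
        if (Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction SilentlyContinue) {
            throw "User already exists"
        }

        # New-MsolUser returns the generated temporary password; discard it here
        # and hand it to the user out of band rather than leaving it in a CSV.
        New-MsolUser -DisplayName $row.DisplayName `
            -UserPrincipalName $row.UserPrincipalName `
            -FirstName $row.FirstName -LastName $row.LastName `
            -UsageLocation $row.UsageLocation `
            -LicenseAssignment $row.AccountSkuId `
            -ForceChangePassword $true -ErrorAction Stop | Out-Null
        $seats[$row.AccountSkuId]--
        $detail = "temporary password generated (not logged)"
    }
    catch {
        $status = "Failed"
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        UserPrincipalName = $row.UserPrincipalName
        Status            = $status
        Detail            = $detail
    }
}

$results | Export-Csv -Path $ResultPath -NoTypeInformation
$results | Format-Table -AutoSize
```

The seat count is decremented locally after each successful creation, so a CSV that is larger than the remaining licenses fails fast on the rows that would not get a license instead of creating unlicensed accounts.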
Administrator roles:
Get-MsolUser | where Displayname -Like "gan*" | sort displayname | select Displayname | more
Get the administrator role names and descriptions:
Get-MsolRole | sort name | select Name,Description
Name Description
---- -----------
Application Administrator Can create and manage all aspects of app registrations and enterprise apps.
Application Developer Can create application registrations independent of the 'Users can register applications' setting.
Authentication Administrator Allowed to view, set and reset authentication method information for any non-admin user.
Azure DevOps Administrator Can manage Azure DevOps organization policy and settings.
Azure Information Protection Administrator Can manage all aspects of the Azure Information Protection product.
B2C IEF Keyset Administrator Can manage secrets for federation and encryption in the Identity Experience Framework (IEF).
B2C IEF Policy Administrator Can create and manage trust framework policies in the Identity Experience Framework (IEF).
B2C User Flow Administrator Can create and manage all aspects of user flows.
B2C User Flow Attribute Administrator Can create and manage the attribute schema available to all user flows.
Billing Administrator Can perform common billing related tasks like updating payment information.
Cloud Application Administrator Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
Cloud Device Administrator Full access to manage devices in Azure AD.
Company Administrator Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
Compliance Administrator Can read and manage compliance configuration and reports in Azure AD and Office 365.
Compliance Data Administrator Creates and manages compliance content.
Conditional Access Administrator Can manage conditional access capabilities.
CRM Service Administrator Can manage all aspects of the Dynamics 365 product.
Customer LockBox Access Approver Can approve Microsoft support requests to access customer organizational data.
Desktop Analytics Administrator Can access and manage Desktop management tools and services.
Device Administrators Device Administrators
Device Join Device Join
Device Managers Deprecated - Do Not Use.
Device Users Device Users
Directory Readers Can read basic directory information. Commonly used to grant directory read access to applications and guests.
Directory Synchronization Accounts Only used by Azure AD Connect service.
Directory Writers Can read and write basic directory information. For granting access to applications, not intended for users.
Exchange Service Administrator Can manage all aspects of the Exchange product.
External Identity Provider Administrator Can configure identity providers for use in direct federation.
Global Reader Can read everything that a global admin can read but not update anything.
Groups Administrator Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view ...
Guest Inviter Can invite guest users independent of the 'members can invite guests' setting.
Helpdesk Administrator Can reset passwords for non-administrators and Helpdesk Administrators.
Intune Service Administrator Can manage all aspects of the Intune product.
Kaizala Administrator Can manage settings for Microsoft Kaizala.
License Administrator Can manage product licenses on users and groups.
Lync Service Administrator Can manage all aspects of the Skype for Business product.
Message Center Privacy Reader Can read security messages and updates in Office 365 Message Center only.
Message Center Reader Can read messages and updates for their organization in Office 365 Message Center only.
Office Apps Administrator Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect...
Partner Tier1 Support Do not use - not intended for general use.
Partner Tier2 Support Do not use - not intended for general use.
Password Administrator Can reset passwords for non-administrators and Password Administrators.
Power BI Service Administrator Can manage all aspects of the Power BI product.
Printer Administrator Can manage all aspects of printers and printer connectors.
Printer Technician Can manage all aspects of printers and printer connectors.
Privileged Authentication Administrator Allowed to view, set and reset authentication method information for any user (admin or non-admin).
Privileged Role Administrator Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.
Reports Reader Can read sign-in and audit reports.
Search Administrator Can create and manage all aspects of Microsoft Search settings.
Search Editor Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.
Security Administrator Security Administrator allows ability to read and manage security configuration and reports.
Security Operator Creates and manages security events.
Security Reader Can read security information and reports in Azure AD and Office 365.
Service Support Administrator Can read service health information and manage support tickets.
SharePoint Service Administrator Can manage all aspects of the SharePoint service.
Teams Communications Administrator Can manage calling and meetings features within the Microsoft Teams service.
Teams Communications Support Engineer Can troubleshoot communications issues within Teams using advanced tools.
Teams Communications Support Specialist Can troubleshoot communications issues within Teams using basic tools.
Teams Service Administrator Can manage the Microsoft Teams service.
User Account Administrator Can manage all aspects of users and groups, including resetting passwords for limited admins.
Workplace Device Join Workplace Device Join
Assign a role to an account:
Add-MsolRoleMember -RoleMemberEmailAddress [email protected] -RoleName "Exchange Service Administrator"
Assign roles to multiple users:
Create a CSV file like the following, containing the display name (DisplayName) and the role name (RoleName):
DisplayName,RoleName
"Gan Zhiyan","Exchange Service Administrator"
"Joe Xiao","SharePoint Service Administrator"
"Eric Yan","Helpdesk Administrator"
Then run the following command:
Import-Csv -Path "C:\RoleAdd.csv" | foreach {Add-MsolRoleMember -RoleMemberEmailAddress (Get-MsolUser | Where DisplayName -eq $_.DisplayName).UserPrincipalName -RoleName $_.RoleName } | Export-Csv -Path "C:\RoleAddResults.csv"
Note: administrator roles can only be assigned to users, not to groups.
1.2.2 Delete users:
Delete a single user:
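The CSV command above resolves each user by DisplayName, which is not unique in a directory, and it calls Get-MsolUser once per row without -All, so it only ever sees the first 500 users. The following is an added example, not the book's code, that loads the directory once, refuses to assign a role when a display name is ambiguous, verifies that the role exists, and skips users who already hold it. It assumes an open Connect-MsolService session and the RoleAdd.csv layout shown above; the paths are assumptions.

```powershell
# Added example (not from the book): role assignment from a CSV with validation.
# Assumes an open Connect-MsolService session and a CSV with the columns
# DisplayName,RoleName. Both paths are assumptions.
$CsvPath    = "C:\RoleAdd.csv"
$ResultPath = "C:\RoleAddResults.csv"

# Fetch users and roles once; the default Get-MsolUser call returns only 500 users.
$allUsers = Get-MsolUser -All
$allRoles = Get-MsolRole

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $roleName = $row.RoleName.Trim()      # tolerate stray whitespace in the CSV
    $status = "Assigned"
    $detail = ""
    try {
        $role = $allRoles | Where-Object Name -eq $roleName
        if (-not $role) { throw "Role '$roleName' does not exist" }

        # A display name is not unique: refuse to guess when it matches more than one account.
        $hits = @($allUsers | Where-Object DisplayName -eq $row.DisplayName)
        if ($hits.Count -eq 0) { throw "No user with DisplayName '$($row.DisplayName)'" }
        if ($hits.Count -gt 1) {
            throw "DisplayName '$($row.DisplayName)' matches $($hits.Count) users: $($hits.UserPrincipalName -join ', ')"
        }
        $user = $hits[0]

        # Idempotent: skip if the user is already a member of the role.
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All
        if ($members.ObjectId -contains $user.ObjectId) {
            $status = "AlreadyMember"
        }
        else {
            Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberObjectId $user.ObjectId -ErrorAction Stop
        }
        $detail = $user.UserPrincipalName
    }
    catch {
        $status = "Failed"
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        DisplayName = $row.DisplayName
        RoleName    = $roleName
        Status      = $status
        Detail      = $detail
    }
}

$results | Export-Csv -Path $ResultPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Assigning by ObjectId rather than by e-mail address also avoids a silent mismatch when a user's UserPrincipalName differs from their primary SMTP address.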
Remove-MsolUser -UserPrincipalName [email protected]
Without a confirmation prompt:
Remove-MsolUser -UserPrincipalName [email protected] -Force
If the account is directory-synchronized, it will be restored to the active users at the next synchronization after deletion. For directory-synchronized users, the best approach is therefore to delete the user object on-premises or exclude it from synchronization.
Delete all users at once:
$users=Get-MsolUser -All
$users | Remove-MsolUser -Force
$users=Get-MsolUser -All -ReturnDeletedUsers
$users | Remove-MsolUser -RemoveFromRecycleBin -force
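The four lines above delete every account in the tenant, including administrators and directory-synchronized users that will simply reappear at the next sync. The following is an added example, not the book's code, that snapshots the attributes needed to recreate the accounts, protects every holder of an admin role and an explicit keep list, skips synchronized users, and requires a typed confirmation before anything is removed. It assumes an open Connect-MsolService session; the backup path and the keep-list address are constructed placeholders.

```powershell
# Added example (not from the book): bulk deletion with a backup and exclusions.
# Assumes Connect-MsolService. The backup path and the keep list are assumptions;
# the address below is a constructed placeholder.
$BackupPath = "C:\users-before-delete.csv"
$KeepUpns   = @("[email protected]")

$allUsers = Get-MsolUser -All

# Everyone holding any admin role is protected, so the run cannot lock you out.
$adminIds = foreach ($role in Get-MsolRole) {
    (Get-MsolRoleMember -RoleObjectId $role.ObjectId -All).ObjectId
}

# Snapshot the attributes needed to recreate accounts if the run has to be undone.
$allUsers |
    Select-Object DisplayName, UserPrincipalName, FirstName, LastName, UsageLocation,
        @{n = 'Licenses'; e = { ($_.Licenses.AccountSkuId) -join ';' }},
        LastDirSyncTime, ImmutableId |
    Export-Csv -Path $BackupPath -NoTypeInformation

$targets = @($allUsers | Where-Object {
    $_.UserPrincipalName -notin $KeepUpns -and
    $_.ObjectId -notin $adminIds -and
    -not $_.LastDirSyncTime      # synced users return at the next sync; remove them on-premises
})

Write-Host ("{0} of {1} users selected for deletion (backup written to {2})" -f `
    $targets.Count, @($allUsers).Count, $BackupPath)

# -Force only suppresses the per-user prompt; this gate is the real safeguard.
if ((Read-Host "Type DELETE to continue") -ne "DELETE") { return }

foreach ($u in $targets) {
    Remove-MsolUser -ObjectId $u.ObjectId -Force
}
```

The deleted accounts stay in the recycle bin for 30 days, as described in the soft-delete section that follows; leaving them there, rather than adding -RemoveFromRecycleBin, keeps a second way back if the backup turns out to be incomplete.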
Remove user licenses:
Get-MsolAccountSku
Get-MsolUser -All | select UserPrincipalName,Licenses
To remove licenses from an existing user, use Set-MsolUserLicense with the -RemoveLicenses parameter; separate multiple licenses with commas.
Set-MsolUserLicense -UserPrincipalName [email protected] -RemoveLicenses "reseller-account:O365_BUSINESS_PREMIUM","reseller-account:O365_BUSINESS_ESSENTIALS"
Soft-deleted and hard-deleted users
A soft-deleted user is kept in "Deleted users". During the 30 days before the user's data is permanently deleted, the user can be restored and assigned a license, after which the user can access data and services normally again.
A hard delete means the user mailbox has been soft-deleted for more than 30 days and the associated Office 365 user has been hard-deleted. All mailbox content, such as e-mail, contacts, and files, is permanently deleted.
Connect to Exchange Online with the following PowerShell:
Set-ExecutionPolicy RemoteSigned
$USerCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://partner.outlook.cn/PowerShell-LiveID/ -Credential $USerCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Get information about soft-deleted mailboxes:
Get-Mailbox -SoftDeletedMailbox | Select-Object Name, ExchangeGuid
Restore a mailbox:
New-MailboxRestoreRequest -SourceMailbox <ExchangeGuid> -TargetMailbox <Guid from new Target mailbox>
View the restore result:
Get-MailboxRestoreRequest
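The three commands above give the pieces of a restore; the following is an added example, not the book's code, that puts them together: it locates exactly one soft-deleted mailbox by name, restores it into a separate folder of an existing target mailbox, and polls the request until it finishes. It assumes an Exchange Online remote session opened with Import-PSSession as shown above; the source name and the target address are constructed placeholders.

```powershell
# Added example (not from the book): restore a soft-deleted mailbox into an
# existing mailbox and wait for the request to finish. Assumes an Exchange Online
# remote session (Import-PSSession). Both names below are constructed placeholders.
$SourceName = "Zhiyan Gan"                 # display name of the soft-deleted mailbox
$TargetUpn  = "[email protected]"      # existing, licensed target mailbox

# Insist on exactly one match; soft-deleted mailboxes can share a display name.
$source = @(Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited | Where-Object Name -eq $SourceName)
if ($source.Count -ne 1) {
    throw "Expected exactly one soft-deleted mailbox named '$SourceName', found $($source.Count)"
}
$target = Get-Mailbox -Identity $TargetUpn -ErrorAction Stop

# -AllowLegacyDNMismatch is required because source and target are different users.
# -TargetRootFolder keeps recovered items apart from the target user's own mail.
$req = New-MailboxRestoreRequest -Name "Restore-$($source[0].ExchangeGuid)" `
    -SourceMailbox $source[0].ExchangeGuid `
    -TargetMailbox $target.Guid `
    -AllowLegacyDNMismatch `
    -TargetRootFolder "Recovered from $SourceName"

# Poll until the request reaches a terminal state, then show the final statistics.
do {
    Start-Sleep -Seconds 30
    $stats = Get-MailboxRestoreRequestStatistics -Identity $req.Identity
    Write-Host ("{0}: {1}% - {2}" -f $stats.Name, $stats.PercentComplete, $stats.Status)
} while ($stats.Status -notin 'Completed', 'CompletedWithWarning', 'Failed', 'Suspended')

if ($stats.Status -ne 'Completed') {
    # The report property carries the per-item failures an operator needs to investigate.
    Get-MailboxRestoreRequestStatistics -Identity $req.Identity -IncludeReport |
        Select-Object -ExpandProperty Report
}
```

Restoring into a dedicated root folder rather than merging into the target's Inbox makes it easy to review what came back, and to remove it cleanly if the wrong mailbox was restored.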
Managing user licenses
Get the license plans in the current organization, the services included in each plan, and their order (index number):
(Get-MsolAccountSku | where {$_.AccountSkuid -eq 'reseller-account:O365_BUSINESS_PREMIUM' }).ServiceStatus
ServicePlan ProvisioningStatus
----------- ------------------
Microsoft Bookings Success
SHAREPOINTWAC Success
SHAREPOINTSTANDARD Success
OFFICE_BUSINESS Success
MCOSTANDARD Success
EXCHANGE_S_STANDARD Success
If you want a user to use only Exchange Online, disable the other services first and then assign the license to the user.
First define a license options variable:
$LO = New-MsolLicenseOptions -AccountSkuId 'reseller-account:O365_BUSINESS_PREMIUM' -DisabledPlans 'Microsoft Bookings','SHAREPOINTWAC','SHAREPOINTSTANDARD','MCOSTANDARD'
New-MsolUser -UserPrincipalName [email protected] -DisplayName "Gan" -LicenseAssignment "reseller-account:O365_BUSINESS_PREMIUM" -LicenseOptions $LO -UsageLocation CN
For multiple users, create a txt file with one user account per line.
The bulk operation is as follows:
Get-Content "C:\Accounts.txt" | foreach {Set-MsolUserLicense -UserPrincipalName $_ -LicenseOptions $LO}
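Hard-coding the DisabledPlans list, as above, silently leaves a plan enabled whenever Microsoft adds a service to the SKU. The following is an added example, not the book's code, that derives the list from the SKU itself (everything except the plans you name stays disabled), handles users who do not yet hold the SKU by assigning it with -AddLicenses, and reads back which plans ended up enabled. It assumes an open Connect-MsolService session and the one-account-per-line text file described above; the path and the SKU value are the ones used in this chapter.

```powershell
# Added example (not from the book): keep only Exchange Online enabled in a SKU,
# deriving the DisabledPlans list from the SKU instead of hard-coding it.
# Assumes Connect-MsolService. The account list path is an assumption.
$SkuId     = 'reseller-account:O365_BUSINESS_PREMIUM'
$KeepPlans = @('EXCHANGE_S_STANDARD')      # service plans to leave enabled
$ListPath  = "C:\Accounts.txt"

$sku = Get-MsolAccountSku | Where-Object AccountSkuId -eq $SkuId
if (-not $sku) { throw "SKU $SkuId not found in this tenant" }

# Every plan in the SKU except the ones we keep is disabled.
$disabled = $sku.ServiceStatus.ServicePlan.ServiceName | Where-Object { $_ -notin $KeepPlans }
$options  = New-MsolLicenseOptions -AccountSkuId $SkuId -DisabledPlans $disabled
Write-Host "Disabling: $($disabled -join ', ')"

foreach ($line in Get-Content $ListPath | Where-Object { $_.Trim() }) {
    $upn  = $line.Trim()
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "$upn not found"; continue }
    if (-not $user.UsageLocation) {
        # Licensing fails without a usage location, so report it instead of erroring mid-run.
        Write-Warning "$upn has no UsageLocation; skipping"; continue
    }

    if ($user.Licenses.AccountSkuId -contains $SkuId) {
        # Already licensed: only adjust the enabled plans.
        Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $options
    }
    else {
        # Not yet licensed with this SKU: assign it together with the restricted options.
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $SkuId -LicenseOptions $options
    }

    # Verify by reading back which plans are enabled for this user.
    $lic = (Get-MsolUser -UserPrincipalName $upn).Licenses | Where-Object AccountSkuId -eq $SkuId
    $enabled = $lic.ServiceStatus |
        Where-Object { $_.ProvisioningStatus -ne 'Disabled' } |
        ForEach-Object { $_.ServicePlan.ServiceName }
    Write-Host "$upn enabled plans: $($enabled -join ', ')"
}
```

Because the disabled list is computed from whatever ServiceStatus currently reports, the same script keeps working after the SKU composition changes, which is exactly when a hard-coded list starts granting services nobody reviewed.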
1.2.4 Multi-factor authentication (MFA) in Office 365:
Under "Active users", choose "Multi-factor authentication setup" from the "More" drop-down list.
Once users are enabled for MFA, modern authentication must also be enabled in Exchange Online. In Exchange Online PowerShell:
Get-OrganizationConfig | ft -Auto Name,OAuth*
Check whether OAuth2ClientProfileEnabled is True.
If the result is False, change it to True with the following command:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
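Turning on MFA in the portal and enabling modern authentication are two settings with no report tying them together, so it is easy to end up with administrators who were never enforced or never registered a method. The following is an added example, not the book's code, that checks (and if needed enables) OAuth2ClientProfileEnabled, then lists every holder of a privileged role with their per-user MFA state. It assumes both an MSOnline session (Connect-MsolService) and an Exchange Online remote session (Import-PSSession) are open, as set up earlier in this chapter; the role list and the report path are assumptions.

```powershell
# Added example (not from the book): audit modern auth and per-admin MFA state.
# Assumes an MSOnline session and an Exchange Online remote session are open.
# The privileged role list and the report path are assumptions.
$PrivilegedRoles = @('Company Administrator', 'Exchange Service Administrator',
                     'Privileged Role Administrator', 'User Account Administrator',
                     'Helpdesk Administrator', 'Password Administrator')
$ReportPath = "C:\admin-mfa-report.csv"

# Part 1: modern authentication must be on for MFA to work with Outlook clients.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Write-Warning "OAuth2ClientProfileEnabled is False; enabling modern authentication"
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# Part 2: list every holder of a privileged role together with their MFA state.
$report = foreach ($roleName in $PrivilegedRoles) {
    $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
    if (-not $role) { continue }
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
        if ($m.RoleMemberType -ne 'User') { continue }   # service principals have no MFA state
        $u = Get-MsolUser -ObjectId $m.ObjectId
        # StrongAuthenticationRequirements is empty when per-user MFA is off;
        # otherwise State is "Enabled" (registration pending) or "Enforced".
        $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
            $u.StrongAuthenticationRequirements[0].State
        } else {
            'Disabled'
        }
        [pscustomobject]@{
            Role              = $roleName
            UserPrincipalName = $u.UserPrincipalName
            MfaState          = $state
            MethodsRegistered = $u.StrongAuthenticationMethods.Count
            SignInBlocked     = $u.BlockCredential
        }
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
# Admins with MFA off, or enabled but never registered, are the ones to follow up.
$report |
    Where-Object { $_.MfaState -ne 'Enforced' -or $_.MethodsRegistered -eq 0 } |
    Format-Table -AutoSize
```

An account in the "Enabled" state still signs in with a password alone until the user completes registration, which is why the report looks at MethodsRegistered and not only at the state.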
Chapter 2 Exchange Online Management
2.1 Recipients
A recipient is any mail-enabled object to which mail can be delivered or routed.
Each recipient type has a unique value in the RecipientTypeDetails property in Exchange Online PowerShell.
2.1.1 User mailboxes
1. Create a user mailbox:
A user mailbox is created automatically when an active user is assigned an Exchange Online license.
2. Delete a mailbox
Remove-Mailbox -Identity [email protected]
Permanently delete a user mailbox; it cannot be recovered afterwards:
Remove-MsolUser -UserPrincipalName [email protected] -RemoveFromRecycleBin
After the mailbox is deleted, verify with Get-Mailbox <identity>; an error saying the mailbox cannot be found means it has been deleted.
After a mailbox is deleted, and provided neither Litigation Hold nor In-Place Hold is enabled, Exchange Online retains the mailbox and all its contents for 30 days; after 30 days it is permanently deleted and cannot be recovered.
If the mailbox was deleted by removing the Exchange Online license, it can be recovered within 30 days by reassigning the license.
If it was deleted through "Active users", it can be recovered within 30 days by restoring the user from "Deleted users".
3. Manage e-mail addresses:
An administrator can give the same user mailbox one "primary SMTP address" and multiple "proxy addresses" (aliases), up to 400 in total.
Add SMTP addresses to a user mailbox:
Set-Mailbox -Identity "Zhiyan Gan" -EmailAddresses @{ add= "[email protected]", "[email protected]" }
Remove addresses:
Set-Mailbox -Identity "Zhiyan Gan" -EmailAddresses @{remove= "[email protected]","[email protected]" }
You can also specify the complete address list directly (the entry prefixed with upper-case SMTP: becomes the primary address):
Set-Mailbox -Identity "Zhiyan Gan" -EmailAddresses "SMTP:[email protected]","[email protected]","[email protected]"
You can also import multiple user mailboxes from a CSV file to add e-mail addresses in bulk:
Import-Csv "C:\AddEmailAddress.csv" | foreach { Set-Mailbox -Identity $_.Mailbox -EmailAddresses @{add=$_.NewEmailAddress}}
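Set-Mailbox rejects an address that is already in use, but only with a generic error, and it accepts any domain string whether or not mail for it is routed to the tenant. The following is an added example, not the book's code, that wraps the alias operation in a function which checks that the domain is an accepted domain, refuses to take an address owned by another recipient, optionally promotes the alias to primary, and returns the resulting address list for verification. It assumes an open Exchange Online remote session; the mailbox and alias in the usage line are constructed placeholders, and the function name is an invention of this example.

```powershell
# Added example (not from the book): add an alias to a mailbox only after checking
# that the domain is accepted and that the address is not owned by someone else.
# Assumes an Exchange Online remote session. Add-MailboxAlias is a hypothetical helper.
function Add-MailboxAlias {
    param(
        [Parameter(Mandatory)] [string]$Mailbox,
        [Parameter(Mandatory)] [string]$Alias,
        [switch]$MakePrimary
    )
    $Alias = $Alias.Trim().ToLower()
    if ($Alias -notmatch '^[^@\s]+@([^@\s]+)$') { throw "'$Alias' is not a valid SMTP address" }
    $domain = $Matches[1]

    # Accepted domains only: anything else would never receive mail.
    $accepted = (Get-AcceptedDomain).DomainName
    if ($domain -notin $accepted) { throw "Domain '$domain' is not an accepted domain of this tenant" }

    $mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

    # Refuse to take an address another recipient (mailbox, group, contact) already owns.
    $owner = Get-Recipient -Filter "EmailAddresses -eq 'smtp:$Alias'" -ErrorAction SilentlyContinue
    if ($owner -and $owner.Guid -ne $mbx.Guid) {
        throw "'$Alias' already belongs to $($owner.PrimarySmtpAddress) ($($owner.RecipientTypeDetails))"
    }

    if ($MakePrimary) {
        # Set the primary; the previous primary is kept automatically as a secondary address.
        Set-Mailbox -Identity $Mailbox -WindowsEmailAddress $Alias
    }
    elseif (-not $owner) {
        Set-Mailbox -Identity $Mailbox -EmailAddresses @{ add = $Alias }
    }

    # Return the resulting address list so the caller can verify the change.
    (Get-Mailbox -Identity $Mailbox).EmailAddresses
}

# Usage with constructed values:
Add-MailboxAlias -Mailbox "Zhiyan Gan" -Alias "[email protected]"
```

Checking ownership across all recipient types, not just mailboxes, matters because a distribution group or mail contact can hold the address too; a mailbox and a group claiming the same alias is a routing ambiguity nobody wants to debug from bounce messages.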
4. Configure message size limits for user mailboxes:
For all Office 365 subscriptions, a user mailbox by default has a send limit of 35 MB and a receive limit of 36 MB.
Administrators can raise the send and receive limits to a maximum of 150 MB; between Office 365 mailbox users, the largest message that can be sent or received is 150 MB.
When Office 365 exchanges mail with non-Office 365 mailboxes, transcoding adds roughly 33% overhead, so the largest message that can be sent or received is about 112 MB.
Change the message size limits for one mailbox user:
Set-Mailbox -Identity "Zhiyan Gan" -MaxSendSize 150MB -MaxReceiveSize 150MB
Change the size limits for all user mailboxes:
Get-Mailbox -RecipientTypeDetails Usermailbox -ResultSize Unlimited | Set-Mailbox -MaxSendSize 150MB -MaxReceiveSize 150MB
5. Configure mail forwarding:
In the Exchange Online admin center:
"Recipients" -- "Mailboxes" -- select the mailbox to configure forwarding for and click the "Edit" button
"Mailbox features" -- "Mail flow", click "View details"
Users configuring their own mail forwarding:
Sign in to OWA: https://partner.outlook.cn
Click the "Settings" button in the upper right -- "Mail" -- "Accounts" -- "Forwarding"
To forward to multiple recipients, create an inbox rule in OWA:
"Settings" -- "Mail" -- "Automatic processing" -- "Inbox and sweep rules"
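Both forwarding paths described above, mailbox-level forwarding set by an administrator and inbox rules created by the user in OWA, are the places an administrator should review regularly, because forwarding to an outside address is the standard way a compromised mailbox is silently copied. The following is an added example, not the book's code, that walks all user mailboxes, collects ForwardingSmtpAddress/ForwardingAddress settings and every inbox rule that forwards or redirects, flags destinations outside the tenant's accepted domains, and writes a report. It assumes an open Exchange Online remote session; the report path is an assumption.

```powershell
# Added example (not from the book): audit mailbox-level forwarding and inbox rules
# that forward or redirect mail. Assumes an Exchange Online remote session.
# The report path is an assumption.
$ReportPath = "C:\forwarding-audit.csv"
$accepted   = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress([string]$text) {
    # Take the domain of the first SMTP address in the text (rule targets look like
    # "Name" [SMTP:user@domain]); an unrecognisable value is reported as external.
    if ($text -notmatch '@([A-Za-z0-9.-]+)') { return $true }
    return ($Matches[1].TrimEnd('.') -notin $accepted)
}

$findings = foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding. ForwardingAddress must be an internal recipient,
    #    ForwardingSmtpAddress can point anywhere.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Source   = 'MailboxForwarding'
            RuleName = ''
            Target   = if ($mbx.ForwardingSmtpAddress) { "$($mbx.ForwardingSmtpAddress)" } else { "$($mbx.ForwardingAddress)" }
            KeepCopy = $mbx.DeliverToMailboxAndForward
            External = if ($mbx.ForwardingSmtpAddress) { Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)" } else { $false }
        }
    }
    # 2. Inbox rules that forward or redirect, including disabled ones.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Source   = if ($rule.Enabled) { 'InboxRule' } else { 'InboxRule(disabled)' }
                RuleName = $rule.Name
                Target   = "$t"
                KeepCopy = -not $rule.DeleteMessage
                External = Test-ExternalAddress "$t"
            }
        }
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
# External destinations deserve the first look; a rule that also deletes the
# message (KeepCopy = False) hides the forwarding from the mailbox owner.
$findings | Where-Object External | Format-Table Mailbox, Source, RuleName, Target, KeepCopy -AutoSize
```

Running this on a schedule and diffing the CSV against the previous run turns a one-off review into a detection: a new external target, or an existing rule that suddenly starts deleting messages, is worth a call to the mailbox owner.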