June 2018 – Deep in PowerShell – Detective Work (Calendar Permissions)

Investigating what calendars a user or group has access to

Using a recent incident as an example here.

User C was found to have full access to User A and User B’s calendars; the CEO and GM respectively.
But how did they have access?
Ran the following command to see what permissions were present on both these calendars:

Get-MailboxFolderPermission -Identity "UserX@contoso.com:\calendar"

User C was not listed in the results.

However, a peculiar display name of “FixMeetings” was present which had Owner Access Type.
Lo and behold, User C was a member of this group – seems they were added recently to address some other access issues.
However, this was not looked into properly and turned out to be a group initially created post migration to O365 for two Admin staff to go through and correct some Meetings – but was never removed after task completed.

So what did this Group have access to? And how to remove it from all the calendars it had access to?

The answer is Arrays, and lots of PowerShell

#First we grab all the mailboxes to perform the investigation on and store in a PowerShell Object.
$MBs = Get-Mailbox

#Here we create a counter for the Mailboxes and an Array for them to live in.
$Counter = 1
 $MBsCount = $MBs.count
 $Array = @()

#Here we look through each mailbox store the permissions into a PSObject 
foreach ($MB in $MBs){
 write-host "$Counter of $MBscount"
 $MailboxFolderPerm = Get-MailboxFolderPermission -Identity ($MB.PrimarySMTPAddress + ":\calendar")
 $counter = $counter + 1

#We gather the Properties of both the mailboxes' Primary SMTP Address and Mailbox Folder permissions and store in a PSObject which we add to our Array.
$ObjProperties = @{
 'SMTPAddress' = $MB.PrimarySMTPAddress
 'MailboxFolderPerm' = $MailboxFolderPerm
 }
 $Array += New-Object PSObject -Property $ObjProperties
 }

#For our Results, we select only entries that have "FixMeetings" as a display name in all the Calendar folder permissions.
$Results = @()
 foreach ($Thing in $Array) {
 if ($Thing.MailboxFolderPerm.user.displayname -like "FixMeetings") {
 $Results += $thing
 }
 }

#Create a second counter for our results.
$Counter2 = 1
 $ResultsCount = $Results.count

#And we have Shell output the count of the results as we remove "FixMeetings" permissions from all the relevant Mailbox Folders.
foreach ($MB in $Results){
 #$String = ($MB.SMTPAddress + ":\calendar")
 write-host "$Counter2 of $ResultsCount"
 Remove-MailboxFolderPermission -Identity ($MB.SMTPAddress + ":\calendar") -User FixMeetings -Confirm:$false
 $Counter2 = $Counter2 + 1
 }

Featured image courtesy of http://www.techsoupforlibraries.org/blog/library-technology-2017-year-in-review