Auxiliary Force Technology

Setup Dynamics CRM E-mail Router with Office 365

Setting up the Dynamics CRM E-mail Router can be a bit tricky because of the access rights it needs on the Office 365 accounts. In short, one account must be designated as the account through which all E-mail will pass. This means that account must have something called “Send As” privileges to the other Office 365 E-mail accounts. You can also use an access type called “Send On Behalf Of”; the difference lies in what the recipient sees:

If “Send As” is the method then the recipient just sees a normal E-mail address: user@company.com

If the “Send On Behalf Of” is the method then the recipient sees the routing account with a message that it is sent on behalf of: emailrouter@company.com “Sent on Behalf of: user@company.com”

As such, most people prefer to use the “Send As” option. This is how you set up a routing account with “Send As” privileges.

1.) Start by checking your account’s Execution Policy. If it is not “RemoteSigned” set it to “RemoteSigned.”

PS C:\WINDOWS\system32> Get-ExecutionPolicy
Restricted

PS C:\WINDOWS\system32> Set-ExecutionPolicy RemoteSigned

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): a

PS C:\WINDOWS\system32> Get-ExecutionPolicy
RemoteSigned

 

 

2.) Make sure Windows Remote Management has “Auth – Basic” set to “true” by starting Windows Remote Management, getting the auth, then stopping Windows Remote Management.

PS C:\WINDOWS\system32> net start winrm

The Windows Remote Management (WS-Management) service is starting.
The Windows Remote Management (WS-Management) service was started successfully.

PS C:\WINDOWS\system32> winrm get winrm/config/client/auth

Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false

PS C:\WINDOWS\system32> net stop winrm

The Windows Remote Management (WS-Management) service is stopping.
The Windows Remote Management (WS-Management) service was stopped successfully.

 

 

3.) IF REPEATING THIS PROCESS IN THE FUTURE, START HERE IF STEPS 1 AND 2 HAVE ALREADY BEEN DONE ONCE.

 

 

4.) Remotely login to the Office 365 account to start a session.
PS C:\WINDOWS\system32> $LiveCred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential

PS C:\WINDOWS\system32> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

WARNING: Your connection has been redirected to the following URI:
"https://ps.outlook.com/PowerShell-LiveID?PSVersion=5.0.10586.63 "

PS C:\WINDOWS\system32> Import-PSSession $Session

WARNING: The names of some imported commands from the module 'tmp_mnalbtf0.dvq' include unapproved verbs that might
make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the
Verbose parameter. For a list of approved verbs, type Get-Verb.

ModuleType Version Name             ExportedCommands
---------- ------- ----             ----------------
Script     1.0     tmp_mnalbtf0.dvq {Add-AvailabilityAddressSpace, Add-DistributionGroupMember…

 

 

5.) Add FULL ACCESS to ALL User mailboxes for “admin@contoso.com” (replace address below in red with your ACTUAL Administrator/router E-mail account).

PS C:\WINDOWS\system32> Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User admin@contoso.com -AccessRights fullaccess -InheritanceType all

OR

Add FULL ACCESS to one user’s mailbox for “admin@contoso.com” (replace the addresses below in red with your ACTUAL user and Administrator E-mail accounts).

Add-MailboxPermission -Identity "user@contoso.com" -User admin@contoso.com -AccessRights FullAccess -InheritanceType All

OR

Add “admin@contoso.com” to the “Administrator” and “Organization Management” groups for a single user.

PS C:\WINDOWS\system32> Get-MailboxPermission user@contoso.com | FT User, AccessRights, Deny -AutoSize

User                             AccessRights                                                            Deny
----                             ------------                                                            ----
NAMPRD08\Administrator           {FullAccess}                                                            True
NAMPRD08\Organization Management {FullAccess}                                                            True
NAMPRD08\Administrator           {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} False
NAMPRD08\Organization Management {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} False

PS C:\WINDOWS\system32> Add-MailboxPermission admin@contoso.com -User "Administrator" -AccessRights FullAccess -InheritanceType All

PS C:\WINDOWS\system32> Add-MailboxPermission admin@contoso.com -User "Organization Management" -AccessRights FullAccess -InheritanceType All

 

 

6.) Check to see if the account has “Send As” permission to the User. If not, add the permission.

PS C:\WINDOWS\system32> Get-RecipientPermission | where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'null sid')}

Identity Trustee AccessControlType AccessRights Inherited
-------- ------- ----------------- ------------ ---------
(Target) (Admin) Allow             {SendAs}     False

PS C:\WINDOWS\system32> Add-RecipientPermission user@contoso.com -AccessRights SendAs -Trustee admin@contoso.com

Confirm
Are you sure you want to perform this action?
Adding recipient permission 'SendAs' for user or group 'admin@contoso.com' on recipient 'user@contoso.com'.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y

Identity Trustee AccessControlType AccessRights Inherited
-------- ------- ----------------- ------------ ---------
user     admin   Allow             {SendAs}     False
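
An added check, not part of the original post: after steps 5 and 6 it is worth confirming, mailbox by mailbox, that the routing account holds both FullAccess and SendAs, and seeing who else holds SendAs. The function name Get-RouterGrantReport and the sample records are constructed for illustration; on a live session the two arrays would come from Get-MailboxPermission and Get-RecipientPermission, with identities normalised to one form before comparing.

```powershell
# Added example (not from the original post). Property names follow the output
# of Get-MailboxPermission (Identity, User, AccessRights, Deny) and
# Get-RecipientPermission (Identity, Trustee, AccessRights).
function Get-RouterGrantReport {
    param(
        [Parameter(Mandatory)] [string]   $RouterAccount,
        [Parameter(Mandatory)] [string[]] $Mailboxes,
        [object[]] $MailboxPermissions   = @(),
        [object[]] $RecipientPermissions = @()
    )
    foreach ($mbx in $Mailboxes) {
        # Count Allow entries only: a Deny entry grants nothing.
        $full = @($MailboxPermissions | Where-Object {
            $_.Identity -eq $mbx -and $_.User -eq $RouterAccount -and
            -not $_.Deny -and $_.AccessRights -contains 'FullAccess' })
        $sendAs = @($RecipientPermissions | Where-Object {
            $_.Identity -eq $mbx -and $_.Trustee -eq $RouterAccount -and
            $_.AccessRights -contains 'SendAs' })
        # Other trustees with SendAs on this mailbox (SELF is the owner's own entry).
        $others = @($RecipientPermissions | Where-Object {
            $_.Identity -eq $mbx -and $_.Trustee -ne $RouterAccount -and
            $_.Trustee -ne 'NT AUTHORITY\SELF' -and
            $_.AccessRights -contains 'SendAs' } | ForEach-Object { $_.Trustee })
        [pscustomobject]@{
            Mailbox     = $mbx
            FullAccess  = $full.Count -gt 0
            SendAs      = $sendAs.Count -gt 0
            OtherSendAs = $others -join ', '
        }
    }
}

# Constructed sample records standing in for live cmdlet output.
$mp = @(
    [pscustomobject]@{ Identity='alice'; User='admin@contoso.com'; AccessRights=@('FullAccess'); Deny=$false }
    [pscustomobject]@{ Identity='bob';   User='admin@contoso.com'; AccessRights=@('FullAccess'); Deny=$false }
)
$rp = @(
    [pscustomobject]@{ Identity='alice'; Trustee='admin@contoso.com'; AccessRights=@('SendAs') }
    [pscustomobject]@{ Identity='bob';   Trustee='temp@contoso.com';  AccessRights=@('SendAs') }
)
Get-RouterGrantReport -RouterAccount 'admin@contoso.com' -Mailboxes 'alice','bob' `
    -MailboxPermissions $mp -RecipientPermissions $rp | Format-Table -AutoSize
```

A row with FullAccess but no SendAs marks a mailbox where step 6 was skipped; a non-empty OtherSendAs column lists trustees other than the routing account that can send as that user.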

