What if Connect-ExchangeOnline hangs or throws a WAM error?

On servers or non-interactive desktops the Web Account Manager (WAM) broker can cause the sign-in window to hang or fail. Add the -DisableWAM switch: Connect-ExchangeOnline -UserPrincipalName admin@contoso.com -DisableWAM. This falls back to the standard browser-based auth flow. Keeping the module updated with Update-Module ExchangeOnlineManagement also resolves many auth issues.

Home/Tools/Developer/Exchange Online PowerShell Command Builder

Exchange Online PowerShell Command Builder

Build complete, runnable Exchange Online PowerShell scripts for mailbox permissions, email forwarding, shared mailboxes, distribution groups, message trace, calendar permissions, transport rules, and reporting. Every script includes the module check, Connect-ExchangeOnline, and Disconnect preamble.

100% Private - Runs Entirely in Your Browser

No data is sent to any server. All processing happens locally on your device.

Loading Exchange Online PowerShell Command Builder...

Loading interactive tool...

JavaScript Required

This interactive tool requires JavaScript to function. Please enable JavaScript in your browser to use the full features.

The tool description and documentation above provide information about this tool's capabilities. For the best experience, please enable JavaScript and refresh the page.

Managing Exchange Online at Scale?

Our M365 experts automate mailbox management, security policies, and compliance configurations.

Learn About Productivity Suite Management Explore Small Business Cybersecurity

What Is Exchange Online PowerShell

Exchange Online PowerShell provides administrative command-line access to Microsoft Exchange Online, the cloud-based email and calendaring service in Microsoft 365. While the Exchange Admin Center (EAC) provides a web-based GUI, PowerShell enables bulk operations, automation, and access to advanced settings not available in the portal.

Exchange Online PowerShell is essential for managing mailboxes, distribution groups, mail flow rules, retention policies, and compliance features at enterprise scale. Operations that would require hours of clicking in the admin portal can be completed in seconds with the right PowerShell commands.

Common Command Categories

Category	Example Commands	Purpose
Mailbox Management	Get-Mailbox, Set-Mailbox, New-Mailbox	Create, configure, and query mailboxes
Distribution Groups	Get-DistributionGroup, Add-DistributionGroupMember	Manage email groups and membership
Mail Flow Rules	Get-TransportRule, New-TransportRule	Configure mail routing and filtering rules
Permissions	Add-MailboxPermission, Get-MailboxFolderPermission	Manage mailbox delegation and folder access
Compliance	Get-RetentionPolicy, New-ComplianceSearch	Configure retention, eDiscovery, and audit policies
Anti-Spam	Get-HostedContentFilterPolicy	Manage spam filtering and quarantine settings
Mobile Devices	Get-MobileDeviceStatistics	Manage ActiveSync and mobile device policies

Common Use Cases

Bulk mailbox operations: Set out-of-office messages, change mailbox quotas, or update properties for hundreds of mailboxes using CSV imports
Shared mailbox management: Create shared mailboxes, assign full access and send-as permissions, and configure auto-mapping for delegate access
Mail flow troubleshooting: Trace message delivery paths, review transport rules, and diagnose delivery failures
Compliance configuration: Set up retention policies, litigation holds, and eDiscovery searches for legal and regulatory requirements
Migration assistance: Export mailbox statistics, identify large mailboxes, and prepare user lists for migrations between Exchange environments

Best Practices

Use the EXO V3 module — Connect using Connect-ExchangeOnline from the ExchangeOnlineManagement module (v3+). This supports modern authentication, certificate-based auth, and REST-based cmdlets.
Limit result sets — Use -ResultSize to limit query results. Querying all mailboxes in a large tenant without limits can timeout or consume excessive resources.
Use -WhatIf for destructive operations — Before running Set- or Remove- commands on multiple objects, add -WhatIf to preview what would change without making actual modifications.
Implement error handling in scripts — Wrap bulk operations in try/catch blocks and log failures. A single failed mailbox operation should not halt processing of the remaining batch.
Disconnect sessions when finished — Always run Disconnect-ExchangeOnline when done. Exchange Online limits the number of concurrent PowerShell sessions per tenant.

Frequently Asked Questions

Common questions about the Exchange Online PowerShell Command Builder

First install the module with Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force. Then run Connect-ExchangeOnline -UserPrincipalName [email protected]. A browser prompt handles sign-in and MFA automatically. For unattended scripts use certificate-based auth (Connect-ExchangeOnline -AppId ... -CertificateThumbprint ... -Organization ...) or app-only auth with a managed identity. Always finish with Disconnect-ExchangeOnline.

There are three distinct permissions. Use Add-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess for full access (opening the mailbox). Use Add-RecipientPermission ... -AccessRights SendAs for Send As (mail appears to come from the mailbox). Use Set-Mailbox -GrantSendOnBehalfTo for Send on Behalf. The builder generates the exact command for each.

For an internal recipient use Set-Mailbox -ForwardingAddress; for an external SMTP address use -ForwardingSmtpAddress. Add -DeliverToMailboxAndForward $true to keep a copy in the original mailbox. To stop forwarding, set both -ForwardingAddress $null and -ForwardingSmtpAddress $null. Note that external auto-forwarding is often blocked by the outbound anti-spam policy.

This is a key security check. Run Get-EXOMailbox -ResultSize Unlimited and filter where ForwardingAddress or ForwardingSmtpAddress is set, then export to CSV. Also enumerate user-created inbox rules with Get-InboxRule and flag any with ForwardTo, ForwardAsAttachmentTo, or RedirectTo, since attackers commonly use these to exfiltrate mail. The Forwarding category in this tool builds the full audit script.

Create one with New-Mailbox -Shared -Name "Support" -PrimarySmtpAddress [email protected], then grant members FullAccess and SendAs. To convert an existing user mailbox, run Set-Mailbox -Identity [email protected] -Type Shared. Shared mailboxes under 50 GB do not require a license, so remember to remove the license after converting.

Microsoft retired the original Get-MessageTrace and Get-MessageTraceDetail cmdlets. Use Get-MessageTraceV2 instead. It supports searching by sender, recipient, date range (up to 90 days), and delivery status (Failed, Delivered, Pending, Quarantined, FilteredAsSpam). The Message Trace category in this tool generates V2 commands.

View current permissions with Get-MailboxFolderPermission -Identity [email protected]:\Calendar. Grant new access with Add-MailboxFolderPermission and an access level such as Reviewer, Editor, or AvailabilityOnly. If the user is already listed you must use Set-MailboxFolderPermission instead of Add-, otherwise the command errors. The builder picks the correct cmdlet for you.

On servers or non-interactive desktops the Web Account Manager (WAM) broker can cause the sign-in window to hang or fail. Add the -DisableWAM switch: Connect-ExchangeOnline -UserPrincipalName [email protected] -DisableWAM. This falls back to the standard browser-based auth flow. Keeping the module updated with Update-Module ExchangeOnlineManagement also resolves many auth issues.