Generate ready-to-run Exchange Online PowerShell commands: grant Full Access / Send As, set or audit forwarding, create shared mailboxes, manage distribution groups, run message trace, set calendar permissions, transport rules, and mailbox reports.
Exchange Online PowerShell provides administrative command-line access to Microsoft Exchange Online, the cloud-based email and calendaring service in Microsoft 365. While the Exchange Admin Center (EAC) provides a web-based GUI, PowerShell enables bulk operations, automation, and access to advanced settings not available in the portal.
Exchange Online PowerShell is essential for managing mailboxes, distribution groups, mail flow rules, retention policies, and compliance features at enterprise scale. Operations that would require hours of clicking in the admin portal can be completed in seconds with the right PowerShell commands.
| Category | Example Commands | Purpose |
|---|---|---|
| Mailbox Management | Get-Mailbox, Set-Mailbox, New-Mailbox | Create, configure, and query mailboxes |
| Distribution Groups | Get-DistributionGroup, Add-DistributionGroupMember | Manage email groups and membership |
| Mail Flow Rules | Get-TransportRule, New-TransportRule | Configure mail routing and filtering rules |
| Permissions | Add-MailboxPermission, Get-MailboxFolderPermission | Manage mailbox delegation and folder access |
| Compliance | Get-RetentionPolicy, New-ComplianceSearch | Configure retention, eDiscovery, and audit policies |
| Anti-Spam | Get-HostedContentFilterPolicy | Manage spam filtering and quarantine settings |
| Mobile Devices | Get-MobileDeviceStatistics | Manage ActiveSync and mobile device policies |
Connect-ExchangeOnline from the ExchangeOnlineManagement module (v3+). This supports modern authentication, certificate-based auth, and REST-based cmdlets.-ResultSize to limit query results. Querying all mailboxes in a large tenant without limits can timeout or consume excessive resources.-WhatIf to preview what would change without making actual modifications.Disconnect-ExchangeOnline when done. Exchange Online limits the number of concurrent PowerShell sessions per tenant.First install the module with Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force. Then run Connect-ExchangeOnline -UserPrincipalName admin@contoso.com. A browser prompt handles sign-in and MFA automatically. For unattended scripts use certificate-based auth (Connect-ExchangeOnline -AppId ... -CertificateThumbprint ... -Organization ...) or app-only auth with a managed identity. Always finish with Disconnect-ExchangeOnline.
There are three distinct permissions. Use Add-MailboxPermission -Identity target@contoso.com -User jdoe@contoso.com -AccessRights FullAccess for full access (opening the mailbox). Use Add-RecipientPermission ... -AccessRights SendAs for Send As (mail appears to come from the mailbox). Use Set-Mailbox -GrantSendOnBehalfTo for Send on Behalf. The builder generates the exact command for each.
For an internal recipient use Set-Mailbox -ForwardingAddress; for an external SMTP address use -ForwardingSmtpAddress. Add -DeliverToMailboxAndForward $true to keep a copy in the original mailbox. To stop forwarding, set both -ForwardingAddress $null and -ForwardingSmtpAddress $null. Note that external auto-forwarding is often blocked by the outbound anti-spam policy.
This is a key security check. Run Get-EXOMailbox -ResultSize Unlimited and filter where ForwardingAddress or ForwardingSmtpAddress is set, then export to CSV. Also enumerate user-created inbox rules with Get-InboxRule and flag any with ForwardTo, ForwardAsAttachmentTo, or RedirectTo, since attackers commonly use these to exfiltrate mail. The Forwarding category in this tool builds the full audit script.
Create one with New-Mailbox -Shared -Name "Support" -PrimarySmtpAddress support@contoso.com, then grant members FullAccess and SendAs. To convert an existing user mailbox, run Set-Mailbox -Identity user@contoso.com -Type Shared. Shared mailboxes under 50 GB do not require a license, so remember to remove the license after converting.
Microsoft retired the original Get-MessageTrace and Get-MessageTraceDetail cmdlets. Use Get-MessageTraceV2 instead. It supports searching by sender, recipient, date range (up to 90 days), and delivery status (Failed, Delivered, Pending, Quarantined, FilteredAsSpam). The Message Trace category in this tool generates V2 commands.
View current permissions with Get-MailboxFolderPermission -Identity user@contoso.com:\Calendar. Grant new access with Add-MailboxFolderPermission and an access level such as Reviewer, Editor, or AvailabilityOnly. If the user is already listed you must use Set-MailboxFolderPermission instead of Add-, otherwise the command errors. The builder picks the correct cmdlet for you.
On servers or non-interactive desktops the Web Account Manager (WAM) broker can cause the sign-in window to hang or fail. Add the -DisableWAM switch: Connect-ExchangeOnline -UserPrincipalName admin@contoso.com -DisableWAM. This falls back to the standard browser-based auth flow. Keeping the module updated with Update-Module ExchangeOnlineManagement also resolves many auth issues.