Partilhar via


Who is linked to whom in your spider web of mailbox permissions. Migration batch permissions analysis.

You’re going to migrate mailboxes from Exchange 2010, 2013 and/or 2016 to Office 365.  You know you have many mailbox permission threads between delegates, delegators, shared mailboxes and users.  How can you gather all those permission threads and determine who to migrate with whom to keep those permissions together?  What do you do when the script indicates a minimum batch larger than you want to migrate all together?

The Find-MailboxDelegates script on GitHub will gather your ‘spider web.’  It will analyze them into minimum batches of mailboxes that should migrate together.  When a minimum batch is too large is where the Batch-analysis spreadsheet will help.  The spreadsheet will help you see the threads between mailbox and user in that large web. Using the Find-MailboxDelegates script, you gather all 4 mailboxes permissions and have the resulting output files “find-mailboxdelgates-permissions.csv” and “find-mailboxdelegates-batches.csv.”   The batches.csv shows you have one or more migration batches that contain too many mailboxes to migrate all together.

The analysis spreadsheet can help you manage and understand what threads are between a subset of mailboxes from that large batch and those not migrating.  It doesn’t eliminate cross forest permission issues but allows you to visually see the threads and understand whose permissions will be ‘split’ for any potential migration user batch.  It also lets you see all the permission threads as they exist before migration for one mailbox or many.  New: a Migrated Mailboxes tab has been added to allow for excluding migrated mailboxes from the analysis without having to rerun the script or edit the permissions output.  

You may decide to gather potential migration batches based on ‘non-permissions’ attributes, i.e. department, site, team or building etc.  Once you have ‘potential user batch’ subsets, the spreadsheet will help you analyze the permission threads are between mailboxes and user/delegates.  Equipped with your potential batch user lists and the find-mailboxdelegate-permissions.csv file you are ready to use the spreadsheet for ‘what if’ analysis

It may be worthwhile to sort the Find-MailboxDelegates-Permissions .csv by mailbox and user.  You can also sort your proposed batch list.  Once you start moving addresses from results to potential user batch while analyzing, it's ok if you create duplicates in your user list.   It won't affect the results.  If your Find-MailboxDelegatesPermissions.csv file was edited and saved, the three original columns and header row format must remain as created by the script; no additional columns or data added.

 

Setup instructions:

When you first open the spreadsheet, you will be in the Setup for PermissionsOutput worksheet tab: Click the blue Setup button. Use the file dialog window to browse to your Find-MailboxDelegates-Permissions.csv file and click Open.

The import macro will finish in the Batch Users worksheet tab.   This is where you paste in a potential user batch list starting in Cell A3.

Note: if your permissions.csv file is larger than 200K rows, it will not correctly function.  Prior to loading into the spreadsheet, you can delete all the rows in the permissions.csv file that have ‘mailbox,none,none’ in a row. If it is still too large, you can modify the macros and named ranges in the spreadsheet to handle the file size (see below.)

 

Analysis Instructions:

Paste a proposed user batch list in column A under "Potential User Batch."  Click the green ‘Run Analysis’ button.  The results will display a list of mailbox and users that have shared permission threads that will be split cross forest if that potential batch is migrated.

You can then add/remove mailboxes from the potential batch based on the results. Then rerun the analysis to see how the permission threads changed.

The column "Who is in Batch" indicates the mailbox or user is migrating in the potential batch. ‘User in batch’ is highlighted in yellow to more easily glance at the results and see which is migrating when you have a larger list.

The green buttons allow for looking at specific permissions you gathered with the script. Filtering out the other permission types from the results. i.e. you can see only  delegation 'GrantSentOnBehalfTo' permissions even though your csv import included all 4 types.  Similarly, with 'send-as only' and 'calendar only'. When using the 'All Up' macro you will also see when both the mailbox and user/delegate are in the batch and it shows highlighted green. That indicates the permission thread is supported after the migration because both are in the batch. “All Up" shows all the permission threads, including 'full access' that is supported cross forest, regardless if they would be split or not.  New: All up still excludes the migrated mailboxes.

New: Once you migrate mailboxes, paste those addresses in the Migrated Mailboxes tab. That will allow for future potential batch analysis to exclude those migrated mailboxes from showing as split permissions as they are already in Office 365.  If you want to see all permissions including the migrated mailboxes, copy all the migrated mailbox to column B and delete all from column A.  To exclude again, copy back to column A.  

As you migrate mailboxes in batches and want to continue to analyze remaining mailboxes for permissions, you should remove the migrated users from the permissions.csv; basically, pare down to the remaining mailboxes. The easiest way is to remove them from all rows where they exist as either mailbox or user in the permissions.csv file and then import into a newly downloaded (empty) batch analysis spreadsheet. You don’t have to rerun the find-mailboxdelegates script to gather the remaining permissions. However, if you’d like to see the overall batching of the non-migrated mailboxes, you can rerun the script with the -batchusersonly parameter with the reduced find-mailboxdelegates-permissions.csv file as described in the Find-mailboxdelegates script instructions on GITHUB.

Note:  If your permissions output.csv is longer than 200,000 entries, you will have to replace “J199999” in the Setup macro to be large enough.  Also named ranges ATTALL, ATTCOMPARE and ATTDATA need rows increased.
(Special thanks to Chris Kadlick.)