Mastering Office 365 Cloud Computing Administration: Exchange Online
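Chapter 1: Getting Started with Office 365
1.1 Domain management
When you sign up for Office 365 operated by 21Vianet, you receive an initial Office 365 domain: XXX.partner.onmschina.cn
The administrator signs in to the Office 365 portal and, in the left navigation bar, chooses "Setup" -- "Domains" -- "Add domain":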
https://portal.partner.microsoftOnline.cn
2. Managing Office 365 through PowerShell:
2.1 Install the Azure AD module:
Install-Module AzureAD
Install-Module Msonline
Connect-MsolService -AzureEnvironment AzureChinaCloud
Get-MsolDomain -DomainName nipc.me |fl
Set the default domain:
Set-MsolDomain -Name nipc.me -IsDefault
Get-MsolDomain
Remove a domain:
Remove-MsolDomain -DomainName nipc.me
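If a custom domain was previously bound to the global version of Office 365, then even after it has been added to the China version of Office 365, the domain will be missing from "Accepted domains" in the China version's Exchange admin center, and mailbox functionality will not work properly.
1.2 User management
Create a user:
Required properties for creating a user:
DisplayName: the display name
UserPrincipalName: the user name used to sign in to Office 365 services, e.g. XXX@nipict.partner.onmschina.cn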
New-MsolUser -DisplayName "Gan Zhiyan" -UserPrincipalName ganzy@nipc.me -FirstName Gan -LastName Zhiyan -UsageLocation CN -LicenseAssignment reseller-account:O365_BUSINESS_PREMIUM
Query the subscribed licenses:
Get-MsolAccountSku
AccountSkuId                              ActiveUnits WarningUnits ConsumedUnits
------------                              ----------- ------------ -------------
reseller-account:O365_BUSINESS_ESSENTIALS 0           0            2
reseller-account:O365_BUSINESS_PREMIUM    2           0            2
Create users in bulk:
Prepare a CSV file containing the corresponding properties: DisplayName, UserPrincipalName, FirstName, LastName, UsageLocation, LicenseAssignment (AccountSkuId)
Then create the users in bulk with PowerShell:
Import-Csv -Path "C:\users.csv" | foreach {New-MsolUser -DisplayName $_.DisplayName -UserPrincipalName $_.UserPrincipalName -FirstName $_.FirstName -LastName $_.LastName -UsageLocation $_.UsageLocation -LicenseAssignment $_.AccountSkuId} | Export-Csv -Path "C:\Results.csv"
Administrator roles:
Get-MsolUser | where Displayname -Like "gan*" | sort displayname | select Displayname | more
Get the administrator role names and descriptions:
Get-MsolRole | sort name | select Name,Description
Name                                       Description
----                                       -----------
Application Administrator                  Can create and manage all aspects of app registrations and enterprise apps.
Application Developer                      Can create application registrations independent of the 'Users can register applications' setting.
Authentication Administrator               Allowed to view, set and reset authentication method information for any non-admin user.
Azure DevOps Administrator                 Can manage Azure DevOps organization policy and settings.
Azure Information Protection Administrator Can manage all aspects of the Azure Information Protection product.
B2C IEF Keyset Administrator               Can manage secrets for federation and encryption in the Identity Experience Framework (IEF).
B2C IEF Policy Administrator               Can create and manage trust framework policies in the Identity Experience Framework (IEF).
B2C User Flow Administrator                Can create and manage all aspects of user flows.
B2C User Flow Attribute Administrator      Can create and manage the attribute schema available to all user flows.
Billing Administrator                      Can perform common billing related tasks like updating payment information.
Cloud Application Administrator            Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
Cloud Device Administrator                 Full access to manage devices in Azure AD.
Company Administrator                      Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
Compliance Administrator                   Can read and manage compliance configuration and reports in Azure AD and Office 365.
Compliance Data Administrator              Creates and manages compliance content.
Conditional Access Administrator           Can manage conditional access capabilities.
CRM Service Administrator                  Can manage all aspects of the Dynamics 365 product.
Customer LockBox Access Approver           Can approve Microsoft support requests to access customer organizational data.
Desktop Analytics Administrator            Can access and manage Desktop management tools and services.
Device Administrators                      Device Administrators
Device Join                                Device Join
Device Managers                            Deprecated - Do Not Use.
Device Users                               Device Users
Directory Readers                          Can read basic directory information. Commonly used to grant directory read access to applications and guests.
Directory Synchronization Accounts         Only used by Azure AD Connect service.
Directory Writers                          Can read and write basic directory information. For granting access to applications, not intended for users.
Exchange Service Administrator             Can manage all aspects of the Exchange product.
External Identity Provider Administrator   Can configure identity providers for use in direct federation.
Global Reader                              Can read everything that a global admin can read but not update anything.
Groups Administrator                       Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view ...
Guest Inviter                              Can invite guest users independent of the 'members can invite guests' setting.
Helpdesk Administrator                     Can reset passwords for non-administrators and Helpdesk Administrators.
Intune Service Administrator               Can manage all aspects of the Intune product.
Kaizala Administrator                      Can manage settings for Microsoft Kaizala.
License Administrator                      Can manage product licenses on users and groups.
Lync Service Administrator                 Can manage all aspects of the Skype for Business product.
Message Center Privacy Reader              Can read security messages and updates in Office 365 Message Center only.
Message Center Reader                      Can read messages and updates for their organization in Office 365 Message Center only.
Office Apps Administrator                  Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect...
Partner Tier1 Support                      Do not use - not intended for general use.
Partner Tier2 Support                      Do not use - not intended for general use.
Password Administrator                     Can reset passwords for non-administrators and Password Administrators.
Power BI Service Administrator             Can manage all aspects of the Power BI product.
Printer Administrator                      Can manage all aspects of printers and printer connectors.
Printer Technician                         Can manage all aspects of printers and printer connectors.
Privileged Authentication Administrator    Allowed to view, set and reset authentication method information for any user (admin or non-admin).
Privileged Role Administrator              Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.
Reports Reader                             Can read sign-in and audit reports.
Search Administrator                       Can create and manage all aspects of Microsoft Search settings.
Search Editor                              Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.
Security Administrator                     Security Administrator allows ability to read and manage security configuration and reports.
Security Operator                          Creates and manages security events.
Security Reader                            Can read security information and reports in Azure AD and Office 365.
Service Support Administrator              Can read service health information and manage support tickets.
SharePoint Service Administrator           Can manage all aspects of the SharePoint service.
Teams Communications Administrator         Can manage calling and meetings features within the Microsoft Teams service.
Teams Communications Support Engineer      Can troubleshoot communications issues within Teams using advanced tools.
Teams Communications Support Specialist    Can troubleshoot communications issues within Teams using basic tools.
Teams Service Administrator                Can manage the Microsoft Teams service.
User Account Administrator                 Can manage all aspects of users and groups, including resetting passwords for limited admins.
Workplace Device Join                      Workplace Device Join
Assign a role to an account:
Add-MsolRoleMember -RoleMemberEmailAddress gan@nipc.me -RoleName "Exchange Service Administrator"
Assign roles to multiple users:
Create a CSV file like the following, containing the display name (DisplayName) and the role name (RoleName):
DisplayName,RoleName
"Gan Zhiyan","Exchange Service Administrator"
"Joe Xiao","SharePoint Service Administrator"
"Eric Yan","Helpdesk Administrator"
Then run the following command:
Import-Csv -Path "C:\RoleAdd.csv" | foreach {Add-MsolRoleMember -RoleMemberEmailAddress (Get-MsolUser | Where DisplayName -eq $_.DisplayName).UserPrincipalName -RoleName $_.RoleName } | Export-Csv -Path "C:\RoleAddResults.csv"
Note: administrator roles can be assigned only to users, not to groups.
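Added example, not part of the original page: a stricter form of the bulk role assignment above. It checks each RoleName against Get-MsolRole and assigns only when a DisplayName resolves to exactly one user, because display names are not unique in the directory. The $Apply switch, the Status values and the inline CSV rows are assumptions of this example, and an existing Connect-MsolService session is assumed.

```powershell
# Constructed sample rows; in practice use Import-Csv -Path "C:\RoleAdd.csv".
$rows = @'
DisplayName,RoleName
"Gan Zhiyan","Exchange Service Administrator"
"Joe Xiao","SharePoint Service Administrator "
"Eric Yan","Helpdesk Administrator"
'@ | ConvertFrom-Csv

$Apply = $false   # hypothetical switch: $false = dry run, $true = assign roles

# Read the directory once instead of once per CSV row.
$validRoles = (Get-MsolRole).Name
$allUsers   = Get-MsolUser -All

$results = foreach ($row in $rows) {
    $roleName   = $row.RoleName.Trim()      # tolerate stray spaces in the CSV
    $candidates = @($allUsers | Where-Object DisplayName -eq $row.DisplayName.Trim())

    $status = if ($validRoles -notcontains $roleName) {
        'UnknownRole'
    } elseif ($candidates.Count -eq 0) {
        'UserNotFound'
    } elseif ($candidates.Count -gt 1) {
        'AmbiguousDisplayName'              # never guess which account was meant
    } elseif (-not $Apply) {
        'WouldAssign'
    } else {
        try {
            Add-MsolRoleMember -RoleMemberEmailAddress $candidates[0].UserPrincipalName `
                               -RoleName $roleName -ErrorAction Stop
            'Assigned'
        } catch {
            "Failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        DisplayName       = $row.DisplayName
        RoleName          = $roleName
        UserPrincipalName = if ($candidates.Count -eq 1) { $candidates[0].UserPrincipalName }
        Status            = $status
    }
}

# Keep a record of every decision, then show the rows that need attention.
$results | Export-Csv -Path "C:\RoleAddResults.csv" -NoTypeInformation
$results | Where-Object Status -notin 'Assigned', 'WouldAssign'
```

Review the WouldAssign rows in the results file before setting $Apply to $true.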
1.2.2 Delete users:
Delete a single user:
Remove-MsolUser -UserPrincipalName gan@nipc.me
Without a confirmation prompt:
Remove-MsolUser -UserPrincipalName gan@nipc.me -Force
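If the account is directory-synchronized, it will be restored to the active users at the next synchronization after it is deleted. For directory-synchronized users, therefore, the best approach is to delete the user object on-premises or to stop synchronizing it.
Delete all users at once:
$users = Get-MsolUser -All
$users | Remove-MsolUser -Force
$users = Get-MsolUser -All -ReturnDeletedUsers
$users | Remove-MsolUser -RemoveFromRecycleBin -Force
Remove user licenses: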
Get-MsolAccountSku
Get-MsolUser -All | select UserPrincipalName,Licenses
To remove licenses from an existing user, use Set-MsolUserLicense with the -RemoveLicenses parameter; separate multiple licenses with commas.
Set-MsolUserLicense -UserPrincipalName gan@nipc.me -RemoveLicenses "reseller-account:O365_BUSINESS_PREMIUM","reseller-account:O365_BUSINESS_ESSENTIALS"
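Soft-deleted and hard-deleted users
Soft-deleted users are kept in "Deleted users". During the 30 days before the user data is permanently deleted, the user can be restored and assigned a license, and can still access data and services normally.
A hard delete means that the user mailbox has been soft-deleted for more than 30 days and the associated Office 365 user has been hard-deleted. All mailbox content, such as e-mail, contacts and files, is permanently deleted.
Connect to Exchange Online with the following PowerShell: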
Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://partner.outlook.cn/PowerShell-LiveID/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Get information about soft-deleted mailboxes:
Get-Mailbox -SoftDeletedMailbox | Select-Object Name, ExchangeGuid
Restore a mailbox:
New-MailboxRestoreRequest -SourceMailbox
Check the restore result:
Get-MailboxRestoreRequest
Manage user licenses
Get the license plans in the current organization and the services included in each plan, with their order (index number):
(Get-MsolAccountSku | where {$_.AccountSkuid -eq 'reseller-account:O365_BUSINESS_PREMIUM' }).ServiceStatus
ServicePlan         ProvisioningStatus
-----------         ------------------
Microsoft Bookings  Success
SHAREPOINTWAC       Success
SHAREPOINTSTANDARD  Success
OFFICE_BUSINESS     Success
MCOSTANDARD         Success
EXCHANGE_S_STANDARD Success
If you want a user to use only Exchange Online, disable the other services and then assign the license to the user.
First define a license options variable:
$LO = New-MsolLicenseOptions -AccountSkuId 'reseller-account:O365_BUSINESS_PREMIUM' -DisabledPlans 'Microsoft Bookings','SHAREPOINTWAC','SHAREPOINTSTANDARD','MCOSTANDARD'
New-MsolUser -UserPrincipalName gan@nipc.me -DisplayName "Gan" -LicenseAssignment "reseller-account:O365_BUSINESS_PREMIUM" -LicenseOptions $LO -UsageLocation CN
For multiple users, create a txt file with one user account per line:
gan@nipc.me
eric@nipc.me
joe@nipc.me
The bulk operation is as follows:
Get-Content "C:\Accounts.txt" | foreach {Set-MsolUserLicense -UserPrincipalName $_ -LicenseOptions $LO}
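1.2.4 Multi-factor authentication (MFA) in Office 365:
Under "Active users", choose "Multi-factor authentication setup" from the "More" drop-down list.
Once MFA is enabled for users, modern authentication must also be enabled in Exchange Online. In Exchange Online PowerShell: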
Get-OrganizationConfig | ft -Auto Name,OAuth*
Check whether OAuth2ClientProfileEnabled is True.
If the result is False, change it to True with the following command:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
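Added example, not part of the original page: a check that combines the two settings described above by reading the organization's modern authentication state and listing every user who holds an administrator role together with their per-user MFA state. It assumes Connect-MsolService has been run and an Exchange Online session is imported; the report column names are this example's own.

```powershell
# Modern authentication state for the Exchange Online organization.
$modernAuth = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
if (-not $modernAuth) {
    Write-Warning 'Modern authentication is off: Set-OrganizationConfig -OAuth2ClientProfileEnabled $true'
}

# Walk every directory role and record the MFA state of each user member.
$report = foreach ($role in Get-MsolRole) {
    Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object RoleMemberType -eq 'User' |
        ForEach-Object {
            $user  = Get-MsolUser -ObjectId $_.ObjectId
            # An empty StrongAuthenticationRequirements collection means that
            # per-user MFA is not enabled; otherwise State is Enabled or Enforced.
            $state = @($user.StrongAuthenticationRequirements)[0].State
            [pscustomobject]@{
                Role              = $role.Name
                UserPrincipalName = $user.UserPrincipalName
                MfaState          = if ($state) { $state } else { 'Disabled' }
                SignInBlocked     = $user.BlockCredential
            }
        }
}

# Administrators without MFA are listed first.
$report |
    Sort-Object { $_.MfaState -ne 'Disabled' }, Role, UserPrincipalName |
    Format-Table -AutoSize
```

Only the per-user MFA setting configured under "Multi-factor authentication setup" is reported here.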
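Chapter 2: Exchange Online Administration
2.1 Recipients
A recipient is any mail-enabled object to which messages can be delivered or routed.
Each recipient type has a unique value in the RecipientTypeDetails property in Exchange Online PowerShell.
2.1.1 User mailboxes
1. Create a user mailbox:
A user mailbox is created automatically when an active user is assigned an Exchange Online license.
2. Delete a mailbox: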
Remove-Mailbox -Identity gan@nipc.me
Permanently delete a user mailbox; it cannot be recovered after deletion:
Remove-MsolUser -UserPrincipalName gan@nipc.me -RemoveFromRecycleBin
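After a mailbox is deleted, you can use Get-Mailbox
After a mailbox is deleted, if neither Litigation Hold nor In-Place Hold is enabled, Exchange Online retains the mailbox and all its content for 30 days; after 30 days it is permanently deleted and cannot be recovered.
If the mailbox was deleted by removing the Exchange Online license, reassigning the license within 30 days restores the mailbox.
If it was deleted through "Active users", restoring the user from "Deleted users" within 30 days recovers the mailbox.
3. Manage e-mail addresses:
An administrator can give a single user mailbox one "primary SMTP address" and multiple "alias" "proxy addresses" (up to 400).
Add SMTP addresses to a user mailbox:
Set-Mailbox -Identity "Zhiyan Gan" -EmailAddresses @{add="ganzy@nip.com.cn","ganzhiyan@nip.com.cn"}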
Remove addresses:
Set-Mailbox -Identity "Zhiyan Gan" -EmailAddresses @{remove= "ganzy@nip.com.cn","ganzhiyan@nip.com.cn" }
You can also specify all addresses directly:
Set-Mailbox -Identity "Zhiyan Gan" -EmailAddresses "SMTP:gan@nip.com.cn","gan@nipit.partner.onmschina.cn","ganzy@nip.com.cn"
You can also import multiple user mailboxes from a CSV file to add e-mail addresses in bulk:
Import-Csv "C:\AddEmailAddress.csv" | foreach { Set-Mailbox -Identity $_.Mailbox -EmailAddresses @{add=$_.NewEmailAddress}}
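4. Configure message size limits for user mailboxes:
In all Office 365 subscriptions, by default the send limit for a user mailbox is 35MB and the receive limit is 36MB.
Administrators can raise the send and receive size to a maximum of 150MB; between Office 365 mailbox users, messages of up to 150MB can be sent and received.
When mail is exchanged between Office 365 and non-O365 mailboxes, encoding adds roughly 33% overhead, so the maximum size that can be sent or received is about 112MB.
Change the message size limits for one mailbox user: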
Set-Mailbox -Identity "Zhiyan Gan" -MaxSendSize 150MB -MaxReceiveSize 150MB
Change the message size limits for all user mailboxes:
Get-Mailbox -RecipientTypeDetails Usermailbox -ResultSize Unlimited | Set-Mailbox -MaxSendSize 150MB -MaxReceiveSize 150MB
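5. Configure mail forwarding:
In the Exchange Online admin center:
"Recipients" -- "Mailboxes" -- select the mailbox for which to set up forwarding and click the "Edit" button
"Mailbox features" -- "Mail flow", click "View details"
Users configuring forwarding themselves:
Sign in to OWA: https://partner.outlook.cn
Click the "Settings" button in the upper-right corner -- "Mail" -- "Accounts" -- "Forwarding"
To forward to multiple recipients, create an inbox rule in OWA:
"Settings" -- "Mail" -- "Automatic processing" -- "Inbox and sweep rules"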
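Added example, not part of the original page: an audit of the two forwarding mechanisms described above (mailbox-level forwarding and inbox rules) that reports every target outside the tenant's accepted domains. It assumes an imported Exchange Online PowerShell session; the Get-ExternalTarget helper and the report column names are this example's own.

```powershell
# Domains the tenant accepts mail for; anything else counts as external.
$internal = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }

# Extract SMTP addresses from values such as 'smtp:a@b.c' or
# '"Name" [SMTP:a@b.c]' and return those whose domain is not internal.
function Get-ExternalTarget($Value) {
    foreach ($v in @($Value)) {
        foreach ($m in [regex]::Matches([string]$v, '(?i)smtp:([^\s\]]+@([^\s\]]+))')) {
            if ($internal -notcontains $m.Groups[2].Value) { $m.Groups[1].Value }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding, set in the admin center or under OWA "Forwarding".
    foreach ($t in Get-ExternalTarget $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox   = $mbx.UserPrincipalName
            Source    = 'ForwardingSmtpAddress'
            Target    = $t
            KeepsCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    # Inbox rules that forward or redirect messages.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in Get-ExternalTarget $targets) {
            [pscustomobject]@{
                Mailbox   = $mbx.UserPrincipalName
                Source    = "InboxRule: $($rule.Name)"
                Target    = $t
                KeepsCopy = $null
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Forwarding to an internal recipient object through the ForwardingAddress property is not covered; a mail contact set there can still point to an external address.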