
We have a couple of customers that want to maintain distribution groups of external contacts that can be used company wide.

The way to do this as an Exchange admin is to create a Mail Contact for an external user first, and then add that mail contact to a distribution group. This can be quite an involved process, and you may not want to have users traversing the Exchange Admin Center to complete this sort of task.

To make this easier, we’ve put together a PowerShell script that you can download here.

Assign the minimum permissions

Any Global administrator will be able to run this PowerShell script, though if you want to give a user the ability to execute the commands, you’ll need to assign them to the appropriate role groups. These are Recipient Management and Organization Management. Keep in mind that even though these are the minimum permissions required to run this PowerShell script, they still enable the relevant user to do pretty much everything within Exchange. For a full list of the permissions granted, see these links:

To give a user the correct permissions, connect to Exchange Online via PowerShell as a global administrator and run the following commands. Replace [email protected] with the identity of the relevant user.

Add-RoleGroupMember "Recipient Management" -Member [email protected]
Add-RoleGroupMember "Organization Management" -Member [email protected]
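Because both role groups are broad, it is worth checking who holds them and what they carry before and after delegating. The following is an added example, not part of the original script; it assumes an already connected Exchange Online PowerShell session, and the delegate address is a placeholder.

```powershell
# Added example, not part of the original script. Assumes an Exchange Online
# PowerShell session is already connected with rights to read role groups.
$roleGroups = 'Recipient Management', 'Organization Management'

# 1. Who currently holds each role group?
$members = foreach ($group in $roleGroups) {
    Get-RoleGroupMember -Identity $group -ResultSize Unlimited |
        Select-Object @{ Name = 'RoleGroup'; Expression = { $group } },
                      Name, RecipientType
}
$members | Sort-Object RoleGroup, Name | Format-Table -AutoSize

# 2. Which management roles does each group carry?
$roles = foreach ($group in $roleGroups) {
    [pscustomobject]@{
        RoleGroup = $group
        Roles     = (Get-RoleGroup -Identity $group).Roles -join ', '
    }
}
$roles | Format-List

# 3. When the delegate no longer needs to run the script, take the access away.
#    -WhatIf previews the change; drop it to apply.
$delegate = 'delegate@example.com'   # placeholder identity (assumption)
foreach ($group in $roleGroups) {
    Remove-RoleGroupMember -Identity $group -Member $delegate -WhatIf
}
```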

Running the PowerShell Script

Once the user has been granted access, they can run the PowerShell script under their own credentials.

  1. Download the script here. 
  2. Rename it with a file extension of .ps1, e.g. DistributionGroups.ps1
  3. Run the script by right-clicking the file and choosing Run with PowerShell
  4. Press 1, then Enter to connect to Exchange Online. Press Enter again once the cmdlets have downloaded.
  5. Follow the menu items within the PowerShell script to perform the following actions:
  • Add Mail Contacts to distribution groups
  • Get a list of distribution groups
  • Create a distribution group
  • Get a list of distribution group members
  • Remove a contact from all distribution groups

One of the conditions of setting up an Exchange Account on a mobile phone or tablet is that the Exchange administrator has control over that device’s security features. If you’re new to administering Exchange, the level of control that you get over these connected devices may surprise you.

Here are a few things that you can do.

  • Enable/Disable the camera
  • Enable/Disable WIFI
  • Enable/Disable Internet Tethering
  • Enable/Disable the device’s web browser
  • Enable/Disable personal, POP or IMAP email accounts
  • Enable/Disable the use of storage cards
  • Enable/Disable text messaging
  • Require a password on the device
  • Require a password after a defined period of inactivity

To get this working, there are two main steps.

  1. Create a Mobile Device Mailbox Policy
  2. Apply the Mobile Device Mailbox Policy to the relevant users

How to create your Mobile Device Mailbox Policy

  1. Open PowerShell on your computer
  2. Connect to Exchange Online via PowerShell. Follow our quick guide to get this set up.
  3. Build your New-MobileDeviceMailboxPolicy cmdlet, or use one of our samples below. For more information, refer to the documentation at
  4. Paste and run your New-MobileDeviceMailboxPolicy cmdlet. For example:
    New-MobileDeviceMailboxPolicy -Name "No Camera Policy" -AllowCamera $false

How to assign your mobile device mailbox policy to users

To assign the new policy to users, use the Set-CASMailbox cmdlet. See this link for the complete documentation:

To use this cmdlet, ensure you are connected to Exchange Online via PowerShell.

Assign the Policy to all users

Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncMailboxPolicy "Your Policy Name"

Assign the policy to a specific user

Set-CASMailbox -Identity [email protected] -ActiveSyncMailboxPolicy "Your Policy Name"

Confirm that your policy was added correctly

To make sure your policy was applied successfully, run this:

Get-CASMailbox -identity [email protected] | fl *

You should see the policy name next to ActiveSyncMailboxPolicy.

A few minutes after running the policy, you should see it take effect on the relevant devices.

Revert back to the default policy

You can revert back to the default policy by running the following:

Set-CASMailbox -identity el[email protected] -ActiveSyncMailboxPolicy "Default"

Sample Policies

Use these sample policies or create your own. These sample policies only use one parameter, e.g. -AllowCamera $false, though you can add as many parameters to a policy as you like. See this link for the complete list of available parameters:

Disable a mobile device’s camera

New-MobileDeviceMailboxPolicy -Name "No Camera Policy" -AllowCamera $false

Disable a mobile device’s WIFI

New-MobileDeviceMailboxPolicy -Name "No WIFI Policy" -AllowWifi $false

Disable Internet tethering on a mobile device

New-MobileDeviceMailboxPolicy -Name "No Tethering Policy" -AllowInternetSharing $false

Disable the web browser on a mobile device

New-MobileDeviceMailboxPolicy -Name "No Browser Policy" -AllowBrowser $false
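
A policy that combines several parameters, assigned to a small pilot group first and then checked on the devices themselves. This is an added example, not one of the original samples; the policy name, the pilot addresses and the chosen values are assumptions, and it expects an already connected Exchange Online session.

```powershell
# Added example. Policy name, pilot users and values are placeholders (assumptions).
$policyName = 'Pilot Device Lock Policy'
$pilotUsers = @('pilot.user1@example.com', 'pilot.user2@example.com')  # constructed sample identities

# Password and inactivity lock plus two of the feature restrictions listed earlier.
$policySettings = @{
    Name                  = $policyName
    PasswordEnabled       = $true
    MinPasswordLength     = 6
    AllowSimplePassword   = $false
    MaxInactivityTimeLock = '00:05:00'   # lock after 5 minutes idle
    AllowCamera           = $false
    AllowInternetSharing  = $false
}

# Create the policy only if it does not exist yet, so the script can be re-run.
if (-not (Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-MobileDeviceMailboxPolicy @policySettings
}

# Assign to the pilot group instead of every mailbox.
foreach ($user in $pilotUsers) {
    Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy $policyName
}

# Compare what is assigned on the mailbox with what each device reports.
$status = foreach ($user in $pilotUsers) {
    $assigned = (Get-CASMailbox -Identity $user).ActiveSyncMailboxPolicy
    $devices  = @(Get-MobileDeviceStatistics -Mailbox $user)
    if ($devices.Count -eq 0) {
        [pscustomobject]@{ Mailbox = $user; Assigned = $assigned; Device = '(none)'
                           PolicyOnDevice = $null; ApplicationStatus = $null }
    }
    foreach ($device in $devices) {
        [pscustomobject]@{
            Mailbox           = $user
            Assigned          = $assigned
            Device            = $device.DeviceFriendlyName
            PolicyOnDevice    = $device.DevicePolicyApplied
            ApplicationStatus = $device.DevicePolicyApplicationStatus
        }
    }
}
$status | Format-Table -AutoSize
```

A device whose PolicyOnDevice differs from Assigned has not picked up the new policy yet; re-run the last section after its next sync.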