diff --git a/Exchange/Check-HybridOAuth-OnPrem.ps1 b/Exchange/Check-HybridOAuth-OnPrem.ps1
new file mode 100644
index 0000000..515322d
--- /dev/null
+++ b/Exchange/Check-HybridOAuth-OnPrem.ps1
@@ -0,0 +1,181 @@
+# ============================================================
+# Hybrid OAuth Validatie Script - On-Premises Exchange Server
+# Draaien vanuit Exchange Management Shell als administrator
+# ============================================================
+
+# ============================================================
+# CONFIGURATIE - Pas onderstaande variabelen aan per klant
+# ============================================================
+
+# On-prem mailboxen om te testen (minimaal 1 vereist)
+$onpremMailboxes = @(
+ "user1@contoso.com",
+ "user2@contoso.com"
+)
+
+# Exchange servers om te controleren
+$servers = @("EXC01","EXC02")
+
+# Linked account (service account voor PartnerApplication)
+$linkedAccountName = "svc-exchange-hybrid"
+
+# ============================================================
+# EINDE CONFIGURATIE
+# ============================================================
+
+$testMailboxOnPrem = $onpremMailboxes[0]
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 1. OAuth Test: On-Prem -> Exchange Online" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$ewsResult = Test-OAuthConnectivity -Service EWS `
+ -TargetUri https://outlook.office365.com/ews/exchange.asmx `
+ -Mailbox $testMailboxOnPrem
+Write-Host "EWS ($testMailboxOnPrem -> cloud): $($ewsResult.ResultType)" -ForegroundColor $(if($ewsResult.ResultType -eq "Success"){"Green"}else{"Red"})
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 2. AutoDiscover OAuth Test" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$autodResult = Test-OAuthConnectivity -Service AutoD `
+ -TargetUri https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc `
+ -Mailbox $testMailboxOnPrem
+Write-Host "AutoD ($testMailboxOnPrem -> cloud): $($autodResult.ResultType)" -ForegroundColor $(if($autodResult.ResultType -eq "Success"){"Green"}else{"Red"})
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 3. Free/Busy test per on-prem mailbox" -ForegroundColor Cyan
+Write-Host " (Test vanuit on-prem richting cloud)" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+foreach ($mb in $onpremMailboxes) {
+ Write-Host "$mb`: " -NoNewline
+ try {
+ $result = Get-MailboxFolderStatistics $mb -FolderScope Calendar -ErrorAction Stop | Select -First 1
+ Write-Host "Mailbox OK - Calendar folder aanwezig" -ForegroundColor Green
+ } catch {
+ Write-Host "FOUT - $($_.Exception.Message)" -ForegroundColor Red
+ }
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 4. Setting Override" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$override = Get-SettingOverride | Where-Object {$_.SectionName -eq "ExchangeOnpremAsThirdPartyAppId"}
+if ($override) {
+ Write-Host "Override: $($override.Name) - Parameters: $($override.Parameters)" -ForegroundColor Green
+} else {
+ Write-Host "ONTBREEKT - Setting Override niet gevonden!" -ForegroundColor Red
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 5. PartnerApplication + Linked Account" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$pa = Get-PartnerApplication "Exchange Online"
+Write-Host "Name: $($pa.Name)"
+Write-Host "Enabled: $($pa.Enabled)" -ForegroundColor $(if($pa.Enabled){"Green"}else{"Red"})
+Write-Host "LinkedAccount: $($pa.LinkedAccount)"
+try {
+ $adAccount = Get-ADUser -Filter {SamAccountName -eq $linkedAccountName} -Properties Enabled
+ if ($adAccount) {
+ Write-Host "AD Account: Enabled=$($adAccount.Enabled)" -ForegroundColor $(if($adAccount.Enabled){"Green"}else{"Red"})
+ } else {
+ Write-Host "AD Account: $linkedAccountName niet gevonden" -ForegroundColor Red
+ }
+} catch {
+ Write-Host "AD Account: Kon niet worden gecontroleerd" -ForegroundColor Yellow
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 6. RBAC Role Assignments voor linked account" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$roles = @("UserApplication","ArchiveApplication","ApplicationImpersonation")
+foreach ($role in $roles) {
+ $assignment = Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
+ Where-Object {$_.EffectiveUserName -eq $linkedAccountName}
+ if ($assignment) {
+ Write-Host "$role`: OK" -ForegroundColor Green
+ } else {
+ Write-Host "$role`: ONTBREEKT" -ForegroundColor Red
+ }
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 7. Auth Certificaat op alle servers" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
+Write-Host "Thumbprint: $thumbprint"
+foreach ($server in $servers) {
+ Write-Host "$server`: " -NoNewline
+ try {
+ Invoke-Command -ComputerName $server -ScriptBlock {
+ $my = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq $using:thumbprint}
+ $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq $using:thumbprint}
+ if ($my -and $root) {
+ Write-Host "My=OK Root=OK Expiry=$($my.NotAfter)" -ForegroundColor Green
+ } elseif ($my -and -not $root) {
+ Write-Host "My=OK Root=ONTBREEKT Expiry=$($my.NotAfter)" -ForegroundColor Red
+ } elseif (-not $my) {
+ Write-Host "My=ONTBREEKT" -ForegroundColor Red
+ }
+ } -ErrorAction Stop
+ } catch {
+ Write-Host "FOUT - Kan geen verbinding maken" -ForegroundColor Red
+ }
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 8. IntraOrganizationConnector" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Get-IntraOrganizationConnector | Format-List Name, Enabled, TargetAddressDomains, DiscoveryEndpoint
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 9. OrganizationRelationship" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Get-OrganizationRelationship | Format-List Name, Enabled, FreeBusyAccessEnabled, FreeBusyAccessLevel, DomainNames
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 10. EWS Virtual Directory - OAuth" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Get-WebServicesVirtualDirectory | ForEach-Object {
+ Write-Host "$($_.Server) - $($_.Name): OAuth=$($_.OAuthAuthentication)" -ForegroundColor $(if($_.OAuthAuthentication){"Green"}else{"Red"})
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 11. Autodiscover Virtual Directory - OAuth" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Get-AutodiscoverVirtualDirectory | ForEach-Object {
+ Write-Host "$($_.Server) - $($_.Name): OAuth=$($_.OAuthAuthentication)" -ForegroundColor $(if($_.OAuthAuthentication){"Green"}else{"Red"})
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 12. VariantConfiguration op alle servers" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+foreach ($server in $servers) {
+ Write-Host "`n--- $server ---"
+ try {
+ $diag = Get-ExchangeDiagnosticInfo -Server $server `
+ -Process Microsoft.Exchange.Directory.TopologyService `
+ -Component VariantConfiguration `
+ -Argument Refresh
+ if ($diag.Result -match 'Updated="([^"]+)"') {
+ $updated = $matches[1]
+ if ($updated -eq "0001-01-01T00:00:00") {
+ Write-Host "Overrides Updated: NOOIT GELADEN" -ForegroundColor Red
+ } else {
+ Write-Host "Overrides Updated: $updated" -ForegroundColor Green
+ }
+ }
+ if ($diag.Result -match "EnableDedicatedExchangeHybridApp") {
+ Write-Host "EnableDedicatedExchangeHybridApp: GELADEN" -ForegroundColor Green
+ } else {
+ Write-Host "EnableDedicatedExchangeHybridApp: NIET GEVONDEN" -ForegroundColor Red
+ }
+ } catch {
+ Write-Host "FOUT - Kan geen verbinding maken" -ForegroundColor Red
+ }
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " SAMENVATTING" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Write-Host "OAuth EWS (on-prem -> cloud): $($ewsResult.ResultType)" -ForegroundColor $(if($ewsResult.ResultType -eq "Success"){"Green"}else{"Red"})
+Write-Host "OAuth AutoD (on-prem -> cloud): $($autodResult.ResultType)" -ForegroundColor $(if($autodResult.ResultType -eq "Success"){"Green"}else{"Red"})
+Write-Host "`nScript voltooid." -ForegroundColor Cyan
\ No newline at end of file
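Review bot: The auth-certificate check in section 7 prints `My=OK Root=OK` in green on thumbprint presence alone and never compares `$my.NotAfter` (or `NotBefore`) with the current date, so an expired auth certificate — a common reason hybrid OAuth stops working while the thumbprint still matches `Get-AuthConfig` — is reported as healthy; the rewritten branch chain below treats a certificate outside its validity window as a failure. In the same section and in section 12 the catch blocks reduce every failure to `FOUT - Kan geen verbinding maken`, whereas section 3 prints `$($_.Exception.Message)`; carrying the message through in all three would let an operator tell a WinRM/transport failure apart from a permission or missing-cmdlet error. Section 3 is labelled as a free/busy test towards the cloud, but `Get-MailboxFolderStatistics -FolderScope Calendar` only confirms the local calendar folder exists (and `$result` is never used), so either the header should say "mailbox/calendar reachable" or the step should issue an actual cross-premises availability query. Section 12's `Get-ExchangeDiagnosticInfo ... -Argument Refresh` is, as far as I can tell, the documented way to force the override cache to reload, which is a state change on every server; a header comment such as `# Let op: -Argument Refresh herlaadt de VariantConfiguration op elke server` would make that explicit in an otherwise read-only validation script.
```powershell
Invoke-Command -ComputerName $server -ScriptBlock {
    # … unchanged: $my / $root lookup by $using:thumbprint …
    # Presence in the store is not enough: tokens signed with an expired
    # (or not-yet-valid) auth certificate are rejected by the cloud side.
    $now   = Get-Date
    $valid = $my -and ($my.NotBefore -le $now) -and ($my.NotAfter -gt $now)
    if (-not $my) {
        Write-Host "My=ONTBREEKT" -ForegroundColor Red
    } elseif (-not $valid) {
        Write-Host "My=VERLOPEN/ONGELDIG Root=$(if($root){'OK'}else{'ONTBREEKT'}) NotBefore=$($my.NotBefore) NotAfter=$($my.NotAfter)" -ForegroundColor Red
    } elseif (-not $root) {
        Write-Host "My=OK Root=ONTBREEKT Expiry=$($my.NotAfter)" -ForegroundColor Red
    } else {
        Write-Host "My=OK Root=OK Expiry=$($my.NotAfter)" -ForegroundColor Green
    }
} -ErrorAction Stop
```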