Add Exchange/Check-HybridOAuth-OnPrem.ps1

2026-03-04 15:33:03 +01:00
parent 34deac1483
commit 3e2857b3c7
1 changed files with 181 additions and 0 deletions
--- a/Exchange/Check-HybridOAuth-OnPrem.ps1
+++ b/Exchange/Check-HybridOAuth-OnPrem.ps1
@ -0,0 +1,181 @@
+# ============================================================
+# Hybrid OAuth Validatie Script - On-Premises Exchange Server
+# Draaien vanuit Exchange Management Shell als administrator
+# ============================================================
+
+# ============================================================
+# CONFIGURATIE - Pas onderstaande variabelen aan per klant
+# ============================================================
+
+# On-prem mailboxen om te testen (minimaal 1 vereist)
+$onpremMailboxes = @(
+    "user1@contoso.com",
+    "user2@contoso.com"
+)
+
+# Exchange servers om te controleren
+$servers = @("EXC01","EXC02")
+
+# Linked account (service account voor PartnerApplication)
+$linkedAccountName = "svc-exchange-hybrid"
+
+# ============================================================
+# EINDE CONFIGURATIE
+# ============================================================
+
+$testMailboxOnPrem = $onpremMailboxes[0]
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 1. OAuth Test: On-Prem -> Exchange Online" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$ewsResult = Test-OAuthConnectivity -Service EWS `
+  -TargetUri https://outlook.office365.com/ews/exchange.asmx `
+  -Mailbox $testMailboxOnPrem
+Write-Host "EWS ($testMailboxOnPrem -> cloud): $($ewsResult.ResultType)" -ForegroundColor $(if($ewsResult.ResultType -eq "Success"){"Green"}else{"Red"})
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 2. AutoDiscover OAuth Test" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$autodResult = Test-OAuthConnectivity -Service AutoD `
+  -TargetUri https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc `
+  -Mailbox $testMailboxOnPrem
+Write-Host "AutoD ($testMailboxOnPrem -> cloud): $($autodResult.ResultType)" -ForegroundColor $(if($autodResult.ResultType -eq "Success"){"Green"}else{"Red"})
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 3. Free/Busy test per on-prem mailbox" -ForegroundColor Cyan
+Write-Host "   (Test vanuit on-prem richting cloud)" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+foreach ($mb in $onpremMailboxes) {
+    Write-Host "$mb`: " -NoNewline
+    try {
+        $result = Get-MailboxFolderStatistics $mb -FolderScope Calendar -ErrorAction Stop | Select -First 1
+        Write-Host "Mailbox OK - Calendar folder aanwezig" -ForegroundColor Green
+    } catch {
+        Write-Host "FOUT - $($_.Exception.Message)" -ForegroundColor Red
+    }
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 4. Setting Override" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$override = Get-SettingOverride | Where-Object {$_.SectionName -eq "ExchangeOnpremAsThirdPartyAppId"}
+if ($override) {
+    Write-Host "Override: $($override.Name) - Parameters: $($override.Parameters)" -ForegroundColor Green
+} else {
+    Write-Host "ONTBREEKT - Setting Override niet gevonden!" -ForegroundColor Red
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 5. PartnerApplication + Linked Account" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$pa = Get-PartnerApplication "Exchange Online"
+Write-Host "Name:          $($pa.Name)"
+Write-Host "Enabled:       $($pa.Enabled)" -ForegroundColor $(if($pa.Enabled){"Green"}else{"Red"})
+Write-Host "LinkedAccount: $($pa.LinkedAccount)"
+try {
+    $adAccount = Get-ADUser -Filter {SamAccountName -eq $linkedAccountName} -Properties Enabled
+    if ($adAccount) {
+        Write-Host "AD Account:    Enabled=$($adAccount.Enabled)" -ForegroundColor $(if($adAccount.Enabled){"Green"}else{"Red"})
+    } else {
+        Write-Host "AD Account:    $linkedAccountName niet gevonden" -ForegroundColor Red
+    }
+} catch {
+    Write-Host "AD Account:    Kon niet worden gecontroleerd" -ForegroundColor Yellow
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 6. RBAC Role Assignments voor linked account" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$roles = @("UserApplication","ArchiveApplication","ApplicationImpersonation")
+foreach ($role in $roles) {
+    $assignment = Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
+      Where-Object {$_.EffectiveUserName -eq $linkedAccountName}
+    if ($assignment) {
+        Write-Host "$role`: OK" -ForegroundColor Green
+    } else {
+        Write-Host "$role`: ONTBREEKT" -ForegroundColor Red
+    }
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 7. Auth Certificaat op alle servers" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
+Write-Host "Thumbprint: $thumbprint"
+foreach ($server in $servers) {
+    Write-Host "$server`: " -NoNewline
+    try {
+        Invoke-Command -ComputerName $server -ScriptBlock {
+            $my = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq $using:thumbprint}
+            $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq $using:thumbprint}
+            if ($my -and $root) {
+                Write-Host "My=OK Root=OK Expiry=$($my.NotAfter)" -ForegroundColor Green
+            } elseif ($my -and -not $root) {
+                Write-Host "My=OK Root=ONTBREEKT Expiry=$($my.NotAfter)" -ForegroundColor Red
+            } elseif (-not $my) {
+                Write-Host "My=ONTBREEKT" -ForegroundColor Red
+            }
+        } -ErrorAction Stop
+    } catch {
+        Write-Host "FOUT - Kan geen verbinding maken" -ForegroundColor Red
+    }
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 8. IntraOrganizationConnector" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Get-IntraOrganizationConnector | Format-List Name, Enabled, TargetAddressDomains, DiscoveryEndpoint
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 9. OrganizationRelationship" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Get-OrganizationRelationship | Format-List Name, Enabled, FreeBusyAccessEnabled, FreeBusyAccessLevel, DomainNames
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 10. EWS Virtual Directory - OAuth" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Get-WebServicesVirtualDirectory | ForEach-Object {
+    Write-Host "$($_.Server) - $($_.Name): OAuth=$($_.OAuthAuthentication)" -ForegroundColor $(if($_.OAuthAuthentication){"Green"}else{"Red"})
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 11. Autodiscover Virtual Directory - OAuth" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Get-AutodiscoverVirtualDirectory | ForEach-Object {
+    Write-Host "$($_.Server) - $($_.Name): OAuth=$($_.OAuthAuthentication)" -ForegroundColor $(if($_.OAuthAuthentication){"Green"}else{"Red"})
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " 12. VariantConfiguration op alle servers" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+foreach ($server in $servers) {
+    Write-Host "`n--- $server ---"
+    try {
+        $diag = Get-ExchangeDiagnosticInfo -Server $server `
+          -Process Microsoft.Exchange.Directory.TopologyService `
+          -Component VariantConfiguration `
+          -Argument Refresh
+        if ($diag.Result -match 'Updated="([^"]+)"') {
+            $updated = $matches[1]
+            if ($updated -eq "0001-01-01T00:00:00") {
+                Write-Host "Overrides Updated: NOOIT GELADEN" -ForegroundColor Red
+            } else {
+                Write-Host "Overrides Updated: $updated" -ForegroundColor Green
+            }
+        }
+        if ($diag.Result -match "EnableDedicatedExchangeHybridApp") {
+            Write-Host "EnableDedicatedExchangeHybridApp: GELADEN" -ForegroundColor Green
+        } else {
+            Write-Host "EnableDedicatedExchangeHybridApp: NIET GEVONDEN" -ForegroundColor Red
+        }
+    } catch {
+        Write-Host "FOUT - Kan geen verbinding maken" -ForegroundColor Red
+    }
+}
+
+Write-Host "`n============================================" -ForegroundColor Cyan
+Write-Host " SAMENVATTING" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Write-Host "OAuth EWS (on-prem -> cloud):   $($ewsResult.ResultType)" -ForegroundColor $(if($ewsResult.ResultType -eq "Success"){"Green"}else{"Red"})
+Write-Host "OAuth AutoD (on-prem -> cloud):  $($autodResult.ResultType)" -ForegroundColor $(if($autodResult.ResultType -eq "Success"){"Green"}else{"Red"})
+Write-Host "`nScript voltooid." -ForegroundColor Cyan