GrantSendOnBehalfTo Permissions Cache

No extra graph calls needed, not tested with a large tenant, (about 200 mailbox permissions works fine)

Author: Zacgoose

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Mailbox Permissions/Push-GetMailboxPermissionsBatch.ps1

@@ -13,6 +13,7 @@ function Push-GetMailboxPermissionsBatch {
 
     $TenantFilter = $Item.TenantFilter
     $Mailboxes = $Item.Mailboxes
+    $MailboxData = @($Item.MailboxData)
     $BatchNumber = $Item.BatchNumber
     $TotalBatches = $Item.TotalBatches
 
@@ -85,10 +86,31 @@ function Push-GetMailboxPermissionsBatch {
             $MailboxPermissions['Get-RecipientPermission'] = $NormalizedRecipientPerms
         }
 
+        $MailboxIdentityLookup = @{}
+        foreach ($MappedMailbox in ($MailboxData | Where-Object { $_.Id -and $_.UPN })) {
+            $MailboxIdentityLookup[[string]$MappedMailbox.Id] = [string]$MappedMailbox.UPN
+        }
+
+        # Normalize SendOnBehalf permissions from passed mailbox metadata
+        $NormalizedSendOnBehalfPerms = foreach ($Mailbox in ($MailboxData | Where-Object { $_.GrantSendOnBehalfTo -and ($Mailboxes -contains $_.UPN) })) {
+            foreach ($Delegate in (@($Mailbox.GrantSendOnBehalfTo) | Where-Object { $_ -and $MailboxIdentityLookup.ContainsKey([string]$_) })) {
+                [PSCustomObject]@{
+                    id           = [guid]::NewGuid().ToString()
+                    Identity     = $Mailbox.UPN
+                    User         = $MailboxIdentityLookup[[string]$Delegate]
+                    AccessRights = @('SendOnBehalf')
+                    IsInherited  = $false
+                    Deny         = $false
+                }
+            }
+        }
+        $MailboxPermissions['Get-Mailbox'] = @($NormalizedSendOnBehalfPerms)
+
         $MailboxPermCount = if ($MailboxPermissions['Get-MailboxPermission']) { $MailboxPermissions['Get-MailboxPermission'].Count } else { 0 }
         $RecipientPermCount = if ($MailboxPermissions['Get-RecipientPermission']) { $MailboxPermissions['Get-RecipientPermission'].Count } else { 0 }
+        $SendOnBehalfPermCount = if ($MailboxPermissions['Get-Mailbox']) { $MailboxPermissions['Get-Mailbox'].Count } else { 0 }
 
-        Write-Information "Completed batch $BatchNumber of $TotalBatches - processed $($Mailboxes.Count) mailboxes: $MailboxPermCount mailbox permissions, $RecipientPermCount recipient permissions"
+        Write-Information "Completed batch $BatchNumber of $TotalBatches - processed $($Mailboxes.Count) mailboxes: $MailboxPermCount mailbox permissions, $RecipientPermCount recipient permissions, $SendOnBehalfPermCount send-on-behalf permissions"
 
         # Return results to be aggregated by post-execution function
         return $MailboxPermissions

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Mailbox Permissions/Push-StoreMailboxPermissions.ps1

@@ -28,6 +28,7 @@ function Push-StoreMailboxPermissions {
         # Aggregate results by command type from all batches
         $AllMailboxPermissions = [System.Collections.Generic.List[object]]::new()
         $AllRecipientPermissions = [System.Collections.Generic.List[object]]::new()
+        $AllSendOnBehalfPermissions = [System.Collections.Generic.List[object]]::new()
         $AllCalendarPermissions = [System.Collections.Generic.List[object]]::new()
 
         foreach ($BatchResult in $Results) {
@@ -50,6 +51,11 @@ function Push-StoreMailboxPermissions {
                     Write-Information "Adding $($ActualResult['Get-RecipientPermission'].Count) recipient permissions"
                     $AllRecipientPermissions.AddRange($ActualResult['Get-RecipientPermission'])
                 }
+                if ($ActualResult['Get-Mailbox']) {
+                    $SendOnBehalfRows = @($ActualResult['Get-Mailbox'])
+                    Write-Information "Adding $($SendOnBehalfRows.Count) send-on-behalf permissions"
+                    $AllSendOnBehalfPermissions.AddRange($SendOnBehalfRows)
+                }
                 if ($ActualResult['Get-MailboxFolderPermission']) {
                     Write-Information "Adding $($ActualResult['Get-MailboxFolderPermission'].Count) calendar permissions"
                     $AllCalendarPermissions.AddRange($ActualResult['Get-MailboxFolderPermission'])
@@ -63,8 +69,9 @@ function Push-StoreMailboxPermissions {
         $AllPermissions = [System.Collections.Generic.List[object]]::new()
         $AllPermissions.AddRange($AllMailboxPermissions)
         $AllPermissions.AddRange($AllRecipientPermissions)
+        $AllPermissions.AddRange($AllSendOnBehalfPermissions)
 
-        Write-Information "Aggregated $($AllPermissions.Count) total permissions ($($AllMailboxPermissions.Count) mailbox + $($AllRecipientPermissions.Count) recipient)"
+        Write-Information "Aggregated $($AllPermissions.Count) total permissions ($($AllMailboxPermissions.Count) mailbox + $($AllRecipientPermissions.Count) recipient + $($AllSendOnBehalfPermissions.Count) send-on-behalf)"
         Write-Information "Aggregated $($AllCalendarPermissions.Count) calendar permissions"
 
         # Store all permissions together as MailboxPermissions

Modules/CIPPCore/Public/Set-CIPPDBCacheMailboxes.ps1

@@ -26,7 +26,7 @@ function Set-CIPPDBCacheMailboxes {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching mailboxes' -sev Debug
 
         # Get mailboxes with select properties
-        $Select = 'id,ExchangeGuid,ArchiveGuid,UserPrincipalName,DisplayName,PrimarySMTPAddress,RecipientType,RecipientTypeDetails,EmailAddresses,WhenSoftDeleted,IsInactiveMailbox,ForwardingSmtpAddress,DeliverToMailboxAndForward,ForwardingAddress,HiddenFromAddressListsEnabled,ExternalDirectoryObjectId,MessageCopyForSendOnBehalfEnabled,MessageCopyForSentAsEnabled'
+        $Select = 'id,ExchangeGuid,ArchiveGuid,UserPrincipalName,DisplayName,PrimarySMTPAddress,RecipientType,RecipientTypeDetails,EmailAddresses,WhenSoftDeleted,IsInactiveMailbox,ForwardingSmtpAddress,DeliverToMailboxAndForward,ForwardingAddress,HiddenFromAddressListsEnabled,ExternalDirectoryObjectId,MessageCopyForSendOnBehalfEnabled,MessageCopyForSentAsEnabled,GrantSendOnBehalfTo'
         $ExoRequest = @{
             tenantid  = $TenantFilter
             cmdlet    = 'Get-Mailbox'
@@ -51,7 +51,8 @@ function Set-CIPPDBCacheMailboxes {
                     HiddenFromAddressListsEnabled,
                     ExternalDirectoryObjectId,
                     MessageCopyForSendOnBehalfEnabled,
-                    MessageCopyForSentAsEnabled))
+                    MessageCopyForSentAsEnabled,
+                    GrantSendOnBehalfTo))
         }
 
         $Mailboxes | Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Mailboxes' -AddCount
@@ -79,6 +80,7 @@ function Set-CIPPDBCacheMailboxes {
                 # Separate batches for permissions and rules
                 $PermissionBatches = [System.Collections.Generic.List[object]]::new()
                 $RuleBatches = [System.Collections.Generic.List[object]]::new()
+                $AllMailboxData = @($Mailboxes | Select-Object id, UPN, GrantSendOnBehalfTo)
 
                 for ($i = 0; $i -lt $Mailboxes.Count; $i += $BatchSize) {
                     $BatchMailboxes = $Mailboxes[$i..[Math]::Min($i + $BatchSize - 1, $Mailboxes.Count - 1)]
@@ -92,6 +94,7 @@ function Set-CIPPDBCacheMailboxes {
                                 QueueName    = "Mailbox Permissions Batch $BatchNumber/$TotalBatches - $TenantFilter"
                                 TenantFilter = $TenantFilter
                                 Mailboxes    = $BatchMailboxUPNs
+                                MailboxData  = $AllMailboxData
                                 BatchNumber  = $BatchNumber
                                 TotalBatches = $TotalBatches
                             })