This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 67%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
How to find out if an AzureAD user is shared mailbox from within AzureAD?
Are there any fields that can query from within Azure AD alone? particularly for use for user-provisioning.
I know about using MSOnline, Exchange Online powershell, etc. I want to try to be able to do it directly within Azure AD, as this is for user-provisioning side.
Thanks
To get an authoritative answer on this, you need to query Exchange Online, not Azure AD. Best you could do with Azure AD is check the value of the CloudExchangeRecipientDisplayType and/or MSExchRecipientTypeDetails attributes, however those can sometimes be out of sync. So I'd really recommend using good old Get-Mailbox/Get-Recipient instead.
Even those flags CloudExchange* and MSExch* appears to be only accessible from MSOnline powershell cmdlet vs the AzureAD powershell cmdlet. this seems to suggest that AzureAD side of things do not even hold these "imported/synced" information. Is my observation correct?
On the side of querying against Exchange Online with Get-Mailbox and Get-Recipient type of cmds, I want to ask about performance when dealing with a lot of users/mailboxes. Since testing with a lot of these type of accounts is extremely costly, so we can only test with a small subset (like those 25 accounts afforded by Exchange Developer program). Since AzureAD/User-provisioning/SCIM is not able to help out with this and we have to do a "full scan" for shared mailbox identities and recipients/permissions, is there any information on doing it optimally?
That's indeed a concern in large environment, my recommendation would be to stick to the MSOnline module as in most cases it does show this info, and is quite more faster/reliable than the Exchange cmdlets. Nowadays, you can also use the REST-based ExO PowerShell cmdlets: https://learn.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/exchange-online-powershell-v2?view=exchange-ps
I want to ask if there are any other ways besides PowerShell cmdlets. The reason is that these set of cmdlets are not compatible with Linux / PowerShell Core, and restricts us to only Windows VM.
I have investigated both EWS Managed API and Graph API. Both means are not able to do what we need to do for the sake of user-provisioning (as Azure AD User provisioning lacks this "capability"/shared-mailbox that's actually a Microsoft creation). Do you know of any other means?
There aren't. Exchange Remote PowerShell works just fine on PS Core, and the new V2 module should have support for it soon. In the meantime, you can use Azure Cloud Shell for devices that don't run PS natively.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 32%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI3%3C/text%3E%3C/svg%3E)
Hey, is there meanwhile a possibility? I'm trying to create a dyn sec group, but I have to exclude shared mailboxes. Any suggestions?