Skip to main content

O365 - EWS - Extension Online Powershell v2

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the EWS Extension Online Powershell v2 integration to get information about mailboxes and users in your organization. This integration was integrated and tested with version v2 of EWS Extension Online Powershell v2

Note: This integration does not replace the O365 - EWS - Extension integration, but an additional EWS extension integration which utilizes the EXO v2 module.

Configure EWS Extension Online Powershell v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for EWS Extension Online Powershell v2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Exchange Online URLTrue
    CertificateA pfx certificate encoded in Base64.True
    The organization used in app-only authentication.True
    The application ID from the Azure portalTrue
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ews-mailbox-list#


Displays mailbox objects and attributes, populate property pages, or supplies mailbox information to other tasks.

Base Command#

ews-mailbox-list

Input#

Argument NameDescriptionRequired
identityThe identity of the mailbox you want to view.Optional
organizational_unitThe object's location in Active Directory by which to filter the results.Optional
primary_smtp_addressThe primary SMTP email address of the mailbox you want to view. Cannot be used with the user_principal_name argument. Can be retrieved using the ews-user-list command.Optional
user_principal_nameThe UPN of the mailbox you want to view. Cannot be used with the primary_smtp_address argument. Can be retrieved using the ews-user-list command.Optional
property_setsA comma-separated list of property sets to fetch. These property sets will supplement the outputs of this integration. Default is "Minimum". Available properties are: "All", "Minimum", "AddressList", "Archive", "Audit", "Delivery", "Hold", "Moderation", "Move", "Policy", "PublicFolder", "Quota", "Resource", "Retention", "SCL", "SoftDelete", "StatisticsSeed".Optional
limitThe maximum number of results to retrieve. Default is 10. Default is 10.Optional

Context Output#

PathTypeDescription
EWS.Mailbox.EmailAddressesStringEmail addresses of the mailbox.
EWS.Mailbox.AuditBypassEnabledBooleanWhether audit bypass is enabled.
EWS.Mailbox.DistinguishedNameStringDistinguished name of the mailbox.
EWS.Mailbox.ExchangeObjectIdStringExchange object ID of the mailbox.
EWS.Mailbox.ExchangeVersionStringExchange version of the mailbox.
EWS.Mailbox.GuidStringGUID of the mailbox.
EWS.Mailbox.IdStringID of the mailbox.
EWS.Mailbox.IdentityStringIdentity of the mailbox.
EWS.Mailbox.IsValidBooleanWhether the mailbox is valid.
EWS.Mailbox.NameStringName of the mailbox.
EWS.Mailbox.ObjectCategoryStringObject category of the mailbox.
EWS.Mailbox.ObjectClassStringObject class of the mailbox.
EWS.Mailbox.ObjectIdStringObject ID of the of the mailbox.
EWS.Mailbox.ObjectStateStringObject state of the mailbox.
EWS.Mailbox.OrganizationIdStringOrganization ID of the mailbox.
EWS.Mailbox.OriginatingServerStringOriginating server of the mailbox.
EWS.Mailbox.PSComputerNameStringPowerShell computer name of the mailbox.
EWS.Mailbox.PSShowComputerNameBooleanPowerShell show computer name of the mailbox.
EWS.Mailbox.RunspaceIdStringRun space ID of the mailbox.
EWS.Mailbox.WhenChangedDateLocal time of when the mailbox was last changed.
EWS.Mailbox.WhenChangedUTCDateUTC time of when the mailbox was last changed.
EWS.Mailbox.WhenCreatedDateLocal time of when the mailbox was created.
EWS.Mailbox.WhenCreatedUTCDateUTC time of when the mailbox was created.

Command Example#

!ews-mailbox-list limit=1

Context Example#

{
"EWS": {
"Mailbox": {
"Alias": "user",
"DisplayName": "User User",
"DistinguishedName": "CN=user,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM",
"EmailAddresses": [
"SPO:SPO_SPO0@SPO_SPO1",
"SIP:user@example.com",
"SMTP:user@example.com"
],
"ExchangeVersion": "0.20 (15.0.0)",
"ExternalDirectoryObjectId": "<ExternalDirectoryObjectId>",
"Guid": "<Guid>",
"Id": "user",
"Identity": "user",
"Name": "user",
"OrganizationId": "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration",
"PrimarySmtpAddress": "user@example.com",
"RecipientType": "UserMailbox",
"RecipientTypeDetails": "UserMailbox",
"UserPrincipalName": "user@example.com"
}
}
}

Human Readable Output#

Results of ews-mailbox-list#

AliasDisplayNameDistinguishedNameEmailAddressesExchangeVersionExternalDirectoryObjectIdGuidIdIdentityNameOrganizationIdPrimarySmtpAddressRecipientTypeRecipientTypeDetailsUserPrincipalName
"user""User User""CN=user,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM"["SPO:SPO_cac4b654-5fcf-44f0-818e-479cf8ae42ac@SPO_SP01","SIP:user@example.com","SMTP:user@example.com"]"0.20 (15.0.0)""3fa9f28b-eb0e-463a-ba7b-8089fe9991e2"{"value":"042e60ea-0683-41a2-a149-ca4b682dcdda","Guid":"042e60ea-0683-41a2-a149-ca4b682dcdda"}"user""user""user""EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration""user@example.com""UserMailbox""UserMailbox""user@example.com"

ews-cas-mailbox-list#


Displays Client Access settings that are configured on mailboxes.

Base Command#

ews-cas-mailbox-list

Input#

Argument NameDescriptionRequired
identityThe identity of the mailbox you want to view.Optional
organizational_unitThe object's location in Active Directory by which to filter the results.Optional
primary_smtp_addressThe primary SMTP email address of the mailbox you want to view. Cannot be used with the user_principal_name argument. Can be retrieved using the ews-user-list command.Optional
user_principal_nameThe UPN of the mailbox you want to view. Cannot be used with the primary_smtp_address argument. Can be retrieved using the ews-user-list command.Optional
limitThe maximum number of results to retrieve. Default is 10. Default is 10.Optional

Context Output#

PathTypeDescription
EWS.CASMailbox.ActiveSyncEnabledBooleanWhether active sync is enabled.
EWS.CASMailbox.DisplayNameStringThe display name of the mailbox.
EWS.CASMailbox.ECPEnabledBooleanWhether the Exchange Control Panel (ECP) is enabled.
EWS.CASMailbox.EmailAddressesStringThe email addresses retrieved.
EWS.CASMailbox.EwsEnabledBooleanWhether the Exchange Web Services (EWS) is enabled.
EWS.CASMailbox.ExchangeVersionStringExchange version of the client access server mailbox.
EWS.CASMailbox.ExternalDirectoryObjectIdStringExternal directory object ID of the client access server mailbox.
EWS.CASMailbox.GuidStringThe GUID of the client access server mailbox.
EWS.CASMailbox.IdentityStringIdentity of the client access server mailbox.
EWS.CASMailbox.ImapEnabledBooleanWhether the Internet Message Access Protocol (IMAP) is enabled.
EWS.CASMailbox.MAPIEnabledBooleanWhether the Messaging Application Programming Interface is enabled.
EWS.CASMailbox.NameStringName of the client access server mailbox.
EWS.CASMailbox.OWAEnabledBooleanWhether Outlook on the web (OWA) is enabled.
EWS.CASMailbox.OrganizationIdStringOrganization ID
EWS.CASMailbox.PopEnabledBooleanWhether Post Office Protocol (POP) is enabled.
EWS.CASMailbox.PrimarySmtpAddressStringPrimary SMTP address.
EWS.CASMailbox.ServerLegacyDNStringServer legacy distinguished name (DN).

Command Example#

!ews-cas-mailbox-list limit=1

Context Example#

{
"EWS": {
"CASMailbox": {
"ActiveSyncEnabled": true,
"DisplayName": "User User",
"ECPEnabled": true,
"EmailAddresses": [
"SPO:SPO_SPO0@SPO_SPO1",
"SIP:user@example.com",
"SMTP:user@example.com"
],
"EwsEnabled": true,
"ExchangeVersion": "0.20 (15.0.0)",
"ExternalDirectoryObjectId": "<ExternalDirectoryObjectId>",
"Guid": "<Guid>",
"Identity": "user",
"ImapEnabled": true,
"MAPIEnabled": true,
"Name": "user",
"OWAEnabled": true,
"OrganizationId": "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration",
"PopEnabled": true,
"PrimarySmtpAddress": "user@example.com",
"ServerLegacyDN": "/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=DBXPR07MB383"
}
}
}

Human Readable Output#

Results of ews-cas-mailbox-list#

ActiveSyncEnabledDisplayNameECPEnabledEmailAddressesEwsEnabledExchangeVersionExternalDirectoryObjectIdGuidIdentityImapEnabledMAPIEnabledNameOrganizationIdOWAEnabledPopEnabledPrimarySmtpAddressServerLegacyDN
true"User User"true["SPO:SPO_cac4b654-5fcf-44f0-818e-479cf8ae42ac@SPO_SP01","SIP:user@example.com","SMTP:user@example.com"]true"0.20 (15.0.0)""3fa9f28b-eb0e-463a-ba7b-8089fe9991e2"{"value":"042e60ea-0683-41a2-a149-ca4b682dcdda","Guid":"042e60ea-0683-41a2-a149-ca4b682dcdda"}"user"truetrue"user""EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration"truetrue"user@example.com""/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=DBXPR07MB383

ews-mailbox-permission-list#


Retrieves permissions on a mailbox.

Base Command#

ews-mailbox-permission-list

Input#

Argument NameDescriptionRequired
identityThe identity of the mailbox you want to view.Required

Context Output#

PathTypeDescription
EWS.MailboxPermission.IdentityStringThe specified identity of the mailbox.
EWS.MailboxPermission.Permission.AccessRightsStringAccess rights of the mailbox.
EWS.MailboxPermission.Permission.Deny.IsPresentBooleanWhether permission is denied.
EWS.MailboxPermission.Permission.IdentityStringThe permission identity.
EWS.MailboxPermission.Permission.InheritanceTypeStringPermission inheritance type.
EWS.MailboxPermission.Permission.IsInheritedBooleanWhether permission is inherited.
EWS.MailboxPermission.Permission.UserStringThe permission of the user.

Command Example#

!ews-mailbox-permission-list identity=user

Context Example#

{
"EWS": {
"MailboxPermission": {
"Identity": "user",
"Permission": {
"AccessRights": [
"FullAccess",
"ReadPermission"
],
"Deny": {
"IsPresent": false
},
"Identity": "user",
"InheritanceType": "All",
"IsInherited": false,
"User": "NT AUTHORITY\\SELF"
}
}
}
}

Human Readable Output#

Results of ews-mailbox-permission-list#

AccessRightsDenyIdentityInheritanceTypeIsInheritedUser
["FullAccess","ReadPermission"]{"IsPresent":false}"user""All"false"NT AUTHORITY\SELF"

ews-recipient-permission-list#


Displays information about SendAs permissions that are configured for users.

Base Command#

ews-recipient-permission-list

Input#

Argument NameDescriptionRequired
identityThe identity of the mailbox you want to view.Optional
limitThe maximum number of results to retrieve. Default is 10. Default is 10.Optional

Context Output#

PathTypeDescription
EWS.RecipientPermission.AccessControlTypeStringAccess control type of the recipient permission.
EWS.RecipientPermission.AccessRightsNumberAccess rights of the recipient permission.
EWS.RecipientPermission.IdentityStringIdentity of the recipient permission.
EWS.RecipientPermission.InheritanceTypeStringInheritance type of the recipient permission.
EWS.RecipientPermission.IsInheritedBooleanWhether the recipient permission is inherited.
EWS.RecipientPermission.TrusteeStringTrustee of the recipient permission.

Command Example#

!ews-recipient-permission-list identity=<Guid>

Context Example#

{
"EWS": {
"RecipientPermission": {
"AccessControlType": "Allow",
"AccessRights": [
1
],
"Identity": "user",
"InheritanceType": "None",
"IsInherited": false,
"Trustee": "NT AUTHORITY\\SELF"
}
}
}

Human Readable Output#

Results of ews-mailbox-permission-list#

AccessRightsDenyIdentityInheritanceTypeIsInheritedUser
["FullAccess","ReadPermission"]{"IsPresent":false}"user""All"false"NT AUTHORITY\SELF"

ews-recipient-list#


Displays existing recipient objects in your organization. This command returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).

Base Command#

ews-recipient-list

Input#

Argument NameDescriptionRequired
identityThe identity of the mailbox you want to view.Optional
limitThe maximum number of results to retrieve. Default is 10. Default is 10.Optional

Context Output#

PathTypeDescription
EWS.Recipient.AliasStringRecipient alias.
EWS.Recipient.DisplayNameStringRecipient display name.
EWS.Recipient.DistinguishedNameStringRecipient distinguished name.
EWS.Recipient.EmailAddressesStringRecipient email addresses.
EWS.Recipient.ExchangeVersionStringRecipient exchange version.
EWS.Recipient.ExternalDirectoryObjectIdStringRecipient external directory object ID.
EWS.Recipient.IdentityStringRecipient identity.
EWS.Recipient.NameStringRecipient name.
EWS.Recipient.OrganizationIdStringRecipient organization ID.
EWS.Recipient.PrimarySmtpAddressStringRecipient primary SMTP address.
EWS.Recipient.RecipientTypeStringRecipient type.
EWS.Recipient.RecipientTypeDetailsStringRecipient type details.

Command Example#

!ews-recipient-list identity=<ExternalDirectoryObjectId>

Context Example#

{
"EWS": {
"Recipient": {
"Alias": "user",
"DisplayName": "User User",
"DistinguishedName": "CN=user,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM",
"EmailAddresses": [
"SPO:SPO_SPO0@SPO_SPO1",
"SIP:user@example.com",
"SMTP:user@example.com"
],
"ExchangeVersion": "0.20 (15.0.0)",
"ExternalDirectoryObjectId": "<ExternalDirectoryObjectId>",
"Identity": "user",
"Name": "user",
"OrganizationId": "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration",
"PrimarySmtpAddress": "user@example.com",
"RecipientType": "UserMailbox",
"RecipientTypeDetails": "UserMailbox"
}
}
}

Human Readable Output#

Results of ews-recipient-list#

AliasDisplayNameDistinguishedNameEmailAddressesExchangeVersionExternalDirectoryObjectIdIdentityNameOrganizationIdPrimarySmtpAddressRecipientTypeRecipientTypeDetails
"user""user""CN=user_Identity,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM"["SPO:SPO_SP00@SPO_SP01","SMTP:user@example.com"]"0.10 (14.0.100)""Identity""user_Identity""user_Identity""EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration""user@example.com""MailUniversalDistributionGroup""GroupMailbox"