ASD OWA Mailbox Configuration Check

directorcia edited this page Nov 12, 2025 · 1 revision

ASD OWA Mailbox Policy Settings Check (asd-owamail-get.ps1)

Overview

asd-owamail-get.ps1 audits Exchange Online OWA (Outlook on the Web) mailbox policy settings against an ASD Blueprint baseline. It loads a JSON definition (by default fetched from GitHub) in which each top‑level property is an OWA mailbox policy name and its child properties are the required setting values. The script compares the tenant's values against the baseline, reports PASS/FAIL per setting, optionally exports a CSV, and always produces a styled HTML compliance report.

Key Features

  • Automatic download of latest baseline JSON (unless a custom path/URL supplied)
  • Schema validation of baseline
  • Comparison of every setting in each baseline policy
  • Identification of missing policies (all their settings marked FAIL)
  • HTML report with colored summary metrics (Total / Passed / Failed / Compliance)
  • Optional CSV export for downstream processing
  • Detailed logging mode for troubleshooting

Prerequisites

| Requirement | Notes |
|---|---|
| PowerShell 5.1+ / 7.x | Recommended: latest version |
| Module: ExchangeOnlineManagement | Install if missing: Install-Module ExchangeOnlineManagement -Scope CurrentUser |
| Permissions | Global Reader, Exchange Administrator, View-Only Organization Management, or equivalent read rights |
| Internet access | Needed when using default GitHub baseline URL |

Baseline JSON Schema

Example (truncated):

{
  "OwaMailboxPolicy-Default": {
    "InstantMessagingEnabled": true,
    "TextMessagingEnabled": true,
    "ActiveSyncIntegrationEnabled": false,
    "ContactsEnabled": true,
    "OfflineAccessEnabled": "Always"
  }
}

Rules:

  • Root object: each property name = OWA mailbox policy name (Get-OwaMailboxPolicy | Select Name).
  • Property value: object with setting name/value pairs (bool, string, number).
  • A missing tenant policy causes all its required settings to FAIL.

Parameters

| Parameter | Type | Description | Default |
|---|---|---|---|
| -BaselinePath | String | Path or URL to baseline JSON. | GitHub URL to owamail.json |
| -ExportToCSV | Switch | Export results to CSV. | Not exported |
| -CSVPath | String | Custom CSV file path. | Auto: parent directory with timestamp |
| -DetailedLogging | Switch | Enable verbose logging to file. | Disabled |
| -LogPath | String | Custom log file path. | Auto if logging enabled |

Output Artifacts

| Artifact | Location (default) | Notes |
|---|---|---|
| HTML report | Parent directory (asd-owamail-get-<timestamp>.html) | Opens automatically; contains summary + table |
| CSV (optional) | Parent directory or -CSVPath | Columns: Policy, Setting, CurrentValue, RequiredValue, Status |
| Log (optional) | Parent directory or -LogPath | Detailed steps, errors, comparisons |

Execution Flow

  1. Parse parameters & establish output paths.
  2. Load baseline JSON (GitHub URL or local file).
  3. Validate baseline schema.
  4. Ensure ExchangeOnlineManagement module is available & import.
  5. Connect to Exchange Online (reuse existing session if present).
  6. Verify permissions by calling Get-OrganizationConfig.
  7. Retrieve OWA mailbox policies via Get-OwaMailboxPolicy.
  8. For each baseline policy & setting: read current value, compare to required value.
  9. Accumulate results, compute totals & compliance percentage.
  10. Print console summary; optionally export CSV.
  11. Generate HTML report (always) and attempt to open it.
  12. Write log entries when logging enabled.

Comparison Logic

  • Boolean and string values are compared by value; string comparisons are case-insensitive.
  • If the required value is null, any current value passes.
  • If a setting is missing on the tenant policy, it is treated as Not set and fails (unless the required value is null).
  • Policy absent in tenant: all its baseline settings fail.
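
The rules above, worked through as an added example (not code from asd-owamail-get.ps1). The helper name Test-OwaSetting, the second policy name, the sample data, and the choice to check for a missing policy before a null requirement are assumptions made for illustration.

```powershell
# Constructed baseline: one null requirement, one policy the tenant does not have.
$baseline = @'
{
  "OwaMailboxPolicy-Default": {
    "ActiveSyncIntegrationEnabled": false,
    "OfflineAccessEnabled": "Always",
    "ContactsEnabled": null,
    "TextMessagingEnabled": true
  },
  "OwaMailboxPolicy-Kiosk": { "InstantMessagingEnabled": false }
}
'@ | ConvertFrom-Json

# Constructed stand-in for Get-OwaMailboxPolicy output (TextMessagingEnabled absent).
$tenantPolicies = @(
    [pscustomobject]@{
        Name                         = 'OwaMailboxPolicy-Default'
        ActiveSyncIntegrationEnabled = $true
        OfflineAccessEnabled         = 'always'
        ContactsEnabled              = $true
    }
)

function Test-OwaSetting {   # hypothetical helper name
    param($Policy, [string]$Setting, $Required)
    if ($null -eq $Policy)   { return 'FAIL' }   # policy absent: every setting fails
    if ($null -eq $Required) { return 'PASS' }   # null requirement: any value passes
    $prop = $Policy.PSObject.Properties[$Setting]
    if ($null -eq $prop -or $null -eq $prop.Value) { return 'FAIL' }   # Not set
    # Compare string forms; -ieq is explicitly case-insensitive.
    if ([string]$prop.Value -ieq [string]$Required) { 'PASS' } else { 'FAIL' }
}

$results = foreach ($entry in $baseline.PSObject.Properties) {
    $policy = $tenantPolicies | Where-Object Name -eq $entry.Name | Select-Object -First 1
    foreach ($s in $entry.Value.PSObject.Properties) {
        $prop = if ($policy) { $policy.PSObject.Properties[$s.Name] }
        [pscustomobject]@{
            Policy        = $entry.Name
            Setting       = $s.Name
            CurrentValue  = if ($prop) { $prop.Value } else { 'Not set' }
            RequiredValue = $s.Value
            Status        = Test-OwaSetting -Policy $policy -Setting $s.Name -Required $s.Value
        }
    }
}

$passed = @($results | Where-Object Status -eq 'PASS').Count
$results | Format-Table -AutoSize
'Compliance: {0:P0} ({1} of {2})' -f ($passed / $results.Count), $passed, $results.Count
```

The result columns mirror the CSV columns listed under Output Artifacts.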

Examples

Basic run:

./asd-owamail-get.ps1

Run with CSV export:

./asd-owamail-get.ps1 -ExportToCSV

Custom baseline & CSV path:

./asd-owamail-get.ps1 -BaselinePath "C:\Config\owamail-prod.json" -ExportToCSV -CSVPath "C:\Reports\owapolicy.csv"

Enable detailed logging:

./asd-owamail-get.ps1 -DetailedLogging

Custom log file:

./asd-owamail-get.ps1 -DetailedLogging -LogPath "C:\Logs\owapolicy.log"

HTML Report Overview

Sections:

  • Header: Title + generation timestamp
  • Summary: Total checks, Passed, Failed, Compliance (colored values)
  • Table: Per-setting PASS/FAIL with current vs required values
  • Overall status banner: COMPLIANT or NON-COMPLIANT

Troubleshooting

| Issue | Cause | Resolution |
|---|---|---|
| Module not found | ExchangeOnlineManagement missing | Install module; reopen PowerShell |
| Auth prompt appears repeatedly | Stale session / cached token issue | Close all PowerShell windows, re-run script |
| Policies missing | Baseline includes policy not deployed | Create policy or adjust baseline |
| All settings FAIL | Wrong policy names or insufficient permissions | Verify names via Get-OwaMailboxPolicy; ensure required role |
| HTML not opening | Start-Process blocked or path issue | Manually open the HTML file from explorer |
| Non-colored summary | Cached old HTML | Hard refresh or delete old report; re-run script |

Extending the Script

  • Add remediation recommendation column (e.g. required value explanation).
  • Parameter to filter specific policies (-Policies).
  • JSON metadata section (e.g. version, author, baseline date) displayed in report.
  • Switch for plain text output (for CI pipelines).

Security Considerations

  • Read-only operations: Script does not modify tenant configuration.
  • Ensure the baseline JSON is sourced from a trusted repository (default GitHub URL).
  • Review log file contents before sharing (may include internal policy names).
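
One way to act on the trusted-baseline point is to audit only against a local copy whose SHA-256 matches a hash recorded when the baseline was reviewed, and to surface null requirements, which always pass under the comparison rules. This is an added example, not part of asd-owamail-get.ps1; Test-PinnedBaseline, the temp file name and the sample JSON are assumptions constructed for the demo.

```powershell
function Test-PinnedBaseline {   # hypothetical helper name
    param([string]$Path, [string]$ExpectedSha256)

    # Refuse any baseline whose content differs from the reviewed copy.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Baseline hash mismatch for $Path (got $actual)"
    }

    # A null required value passes for any tenant value, so list each one for review.
    $json = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($p in $json.PSObject.Properties) {
        foreach ($s in $p.Value.PSObject.Properties) {
            if ($null -eq $s.Value) {
                Write-Warning "$($p.Name).$($s.Name) is null and will always pass"
            }
        }
    }
    return $Path
}

# Constructed demo: a reviewed baseline, then the same file after an unreviewed edit.
$file = Join-Path ([System.IO.Path]::GetTempPath()) 'owamail-pinned.json'
Set-Content -Path $file -Value '{ "OwaMailboxPolicy-Default": { "ActiveSyncIntegrationEnabled": false } }'
$pinned = (Get-FileHash -Path $file -Algorithm SHA256).Hash   # recorded at review time

Test-PinnedBaseline -Path $file -ExpectedSha256 $pinned | Out-Null   # matches the pin

# The requirement is weakened to null without review; the pin no longer matches.
Set-Content -Path $file -Value '{ "OwaMailboxPolicy-Default": { "ActiveSyncIntegrationEnabled": null } }'
try   { Test-PinnedBaseline -Path $file -ExpectedSha256 $pinned | Out-Null }
catch { Write-Host "Rejected: $($_.Exception.Message)" }

# With a verified file, pass its path to the audit script:
#   ./asd-owamail-get.ps1 -BaselinePath $file
```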

Exit Codes

| Code | Meaning |
|---|---|
| 0 | Success (report generated) |
| 1 | Fatal error (baseline load, connection, permission, or unexpected exception) |

Maintenance

  • Periodically update baseline JSON to reflect new ASD recommendations.
  • Version tag inside script ($scriptVersion) should be incremented on functional changes.
  • Validate after Exchange Online schema updates (run and check for new/missing properties).

Related Scripts

  • asd-mailflow-get.ps1 – Mail flow settings compliance (similar report style)

License / Attribution

Created by CIAOPS. Refer to project repository for licensing or contribution guidelines.


Generated documentation for operational clarity and onboarding.