EXOMailboxPermission: Ignore SendAs permissions during export

[malauter]

Pull Request (PR) description

SendAs permissions are not supported by *-MailboxPermission cmdlets. For some reason (see issue), there could be cases where SendAs is included during Get-MailboxPermission. We must ignore this, since we cannot set these permissions.

This Pull Request (PR) fixes the following issues

• Fixes EXOMailboxPermission: System.Management.Automation.ParameterBindingValidationException: Cannot validate argument on parameter 'AccessRights'. The argument "SendAs" does not belong to the set "ChangeOwner,ChangePermission,DeleteItem,ExternalAccount,FullAccess,ReadPermission" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again. ---> System.Management.Automation.ValidationMetadataException: The argument "SendAs" does not belong to the set "ChangeOwner,ChangePermission,DeleteItem,ExternalAccount,FullAccess,ReadPermission" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again. #3942

[NikCharlebois]

Should we also handle the case where the config specifies this setting and print out a warning in the Set-TargetResource? @malauter

[malauter]

Should we also handle the case where the config specifies this setting and print out a warning in the Set-TargetResource? @malauter

I don't think so. SendAs is not part of the validate set of the AccessRights attribute and it is configured with another cmdlet/DSC resource. It looks like that there are only some specific cases where the Get cmdlet returns some SendAs perms for the owner of the mailbox. So, I think it is enough to ignore this during the export.

[salbeck-sit]

As indicated by @malauter, SendAs is managed as a user-permission and not a mailbox-permission, see https://learn.microsoft.com/en-us/powershell/module/exchange/add-recipientpermission?view=exchange-ps
It should still be possible to assign SendAs permissions to a mailbox and Export should reflect it.

[malauter]

As indicated by @malauter, SendAs is managed as a user-permission and not a mailbox-permission, see https://learn.microsoft.com/en-us/powershell/module/exchange/add-recipientpermission?view=exchange-ps It should still be possible to assign SendAs permissions to a mailbox and Export should reflect it.

It should be of course possible, but not in this resource. This resource covers mailbox permissions only. We would need another resource for the users permissions. From my point of view, it is a bug of the Get-MailboxPermission cmdlet, that it returns sometimes also user permissions. This PR is designed to handle this bug only.

[salbeck-sit]

The existing DSC-resource could include SendAs-permissions where they pertain to mailboxes since the purpose of DSC is to abstract away the means of implementation.
Get-/Add-RecipientPermission has a wider scope but I agree that if such a DSC-resource is created then the integrity of the settings may fall apart. I'll play around with it for a bit and see what I can make of it.