Posted

What I'm trying to do seems deceptively simple; I have a user's OPID (aka username?) and email address from my organization and I want to verify that they resolve to the same person.

Currently, I can use Outlook (365 MSO Version 2411) to search via either an OPID or email address and they resolve. This is done with the help of _OL_ItemRecipientCheck that internally calls Outlook.Session.CreateRecipient(). This works great, except that Microsoft is pushing new Outlook (a more web-based version) and my company pushes updates fast. So I'm trying to find a new way to verify the data before I have to manually check accounts.

For a while now, I've been able to verify that OPIDs are valid by querying ActiveDirectory - which I have at least limited access to. I've found the mail and EmailAddress fields, but they're not always accurate. It also doesn't help that everyone at my company has three email addresses: OPID@<DC>.net, FullName@Company.com, and FullName@OldCompanyName.org
And it doesn't seem like these fields are updated regularly, like if someone changes their name.

I also tried querying the Exchange server in PowerShell using Get-EXOMailbox. This works for some users, but for others it returns an error like:

Error while querying REST service. HttpStatusCode=404 ErrorMessage={"error":{"code":"NotFound","message":"Error executing request. The operation couldn't be performed because object 'FullName@Company.com' couldn't be found on 'url-1.url-2.PROD.OUTLOOK.COM'." [...]

This seems to only be the case for users who aren't in my state, which makes me think that there are multiple Exchange servers. This would make sense because of how my company is structured, but I know very little about how Exchange or ActiveDirectory work or are set up for my company. I've been thinking that querying Exchange servers would be most likely to have all valid email addresses, but I'm not sure how to go about determining if there are multiple and how to query them if there are.

Of course, if I'm going down the wrong rabbit hole here and there's some other way to validate, I'm all ears (pun intended)

All my code provided is Public Domain... but it may not work. ;) Use it, change it, break it, whatever you want.

Spoiler

My Humble Contributions:
Personal Function Documentation - A personal HelpFile for your functions
Acro.au3 UDF - Automating Acrobat Pro
ToDo Finder - Find #ToDo: lines in your scripts
UI-SimpleWrappers UDF - Use UI Automation more Simply-er
KeePass UDF - Automate KeePass, a password manager
InputBoxes - Simple Input boxes for various variable types

Posted

Hi @seadoggie01 👋 ,

Does your company use MS 365? If so, you could use the Microsoft Graph API to combine Exchange and AD.
A quick search turns up a PowerShell code snippet/cmdlet like this:

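# $accessToken must already hold a valid Microsoft Graph access token.
$headers = @{
    Authorization = "Bearer $accessToken"
}

# The backtick stops PowerShell from expanding $filter as an (empty) variable inside the double-quoted string.
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users?`$filter=mail eq 'FullName@Company.com'" -Headers $headers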

Another way could be using LDAP (if set up and access is granted). Something like:

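# Bind to the directory; replace your.domain.com with the real domain.
$ldap = [ADSI]"LDAP://your.domain.com"
$searcher = New-Object DirectoryServices.DirectorySearcher($ldap)
# Match user objects whose mail attribute equals the address.
$searcher.Filter = "(&(objectClass=user)(mail=FullName@Company.com))"
$result = $searcher.FindOne()

# FindOne() returns $null when nothing matches.
if ($result) { "User found" } else { "Not found" }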

⚠ These are just ideas, not fully developed solutions.

Best regards
Sven


Posted

We do have MS 365 and Graph API is exactly what I was looking for, it seems. I found Get-MgUser (Microsoft.Graph.Users) | Microsoft Learn from a few searches and that's working in PowerShell. (This also led me into a weird rabbit hole of exploring MS Entra and possibly solving an unrelated problem.) I'll post back here when I have something that's a more complete answer to this.


Posted

You should use UPN (User Principal Name), as Azure/Entra doesn't recognise the samAccountName attribute. If using Get-Mailbox, you can request PrimarySmtpAddress or, as mentioned, use Get-MgUser -UserId 'UPN' | Select-Object DisplayName, Mail, which should also show the PrimarySmtpAddress.

Posted

My final code looks something like this:

Get-MgUser -Filter "UserPrincipalName eq '<UserName>@<DN>.net'" -Property "proxyAddresses" | Select-Object -ExpandProperty ProxyAddresses

This returns a list of (mostly) email addresses. The one prefixed with a capitalized SMTP is the primary email and others with lowercased smtp are proxy emails. My results have other protocols that I'll ignore (prefixed with things other than SMTP).

The proxyAddresses and other user properties are documented here: user resource type - Microsoft Graph v1.0 | Microsoft Learn

Thank you Solve-Smart and Subz for pointing me in the right direction!

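The check described in the final post, as an added example that is not code from the thread: it classifies proxyAddresses entries by prefix and tests whether a candidate email address is one of the account's SMTP addresses. The function names, the sample addresses and the case-insensitive address comparison are assumptions.

```powershell
function ConvertFrom-ProxyAddress {
    param([AllowEmptyCollection()][string[]]$ProxyAddresses)
    foreach ($entry in $ProxyAddresses) {
        # Each entry is "<prefix>:<address>"; split on the first colon only.
        $prefix, $address = $entry -split ':', 2
        if (-not $address) { continue }   # no prefix or empty address: skip
        [pscustomobject]@{
            Protocol  = $prefix.ToUpperInvariant()
            # Case-sensitive compare: only upper-case "SMTP" marks the primary.
            IsPrimary = ($prefix -ceq 'SMTP')
            Address   = $address
        }
    }
}

function Test-UserOwnsAddress {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$ProxyAddresses,
        [Parameter(Mandatory)][string]$Email
    )
    # Only SMTP/smtp entries count; addresses are compared case-insensitively (assumption).
    $match = ConvertFrom-ProxyAddress $ProxyAddresses |
        Where-Object { $_.Protocol -eq 'SMTP' -and $_.Address -eq $Email.Trim() } |
        Select-Object -First 1
    [pscustomobject]@{
        Email     = $Email
        Matches   = [bool]$match
        IsPrimary = [bool]($match -and $match.IsPrimary)
    }
}

# Constructed sample data standing in for the Get-MgUser output.
$sample = @(
    'SMTP:FullName@Company.com'
    'smtp:opid123@dc.example'
    'smtp:FullName@OldCompanyName.org'
    'SIP:Other.Name@Company.com'
    'x500:/o=ExampleOrg/ou=Exchange/cn=Recipients/cn=opid123'
)
Test-UserOwnsAddress -ProxyAddresses $sample -Email 'fullname@company.COM'    # primary match
Test-UserOwnsAddress -ProxyAddresses $sample -Email 'Other.Name@Company.com'  # SIP only: no match

# Live use (after Connect-MgGraph with a scope that can read users, e.g. User.Read.All):
# $p = (Get-MgUser -UserId '<UserName>@<DN>.net' -Property proxyAddresses).ProxyAddresses
# Test-UserOwnsAddress -ProxyAddresses $p -Email 'FullName@Company.com'
```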
