Forum Discussion
TonyRedmond
Mar 16, 2020 | MVP
Reporting Exchange Online Mailbox Permissions
Exchange Online makes it easy to assign delegated permissions for user and shared mailboxes. But permissions assigned to people might not be still necessary, so it’s good to do a periodic check. ...
Lewis-H
Mar 16, 2020 | Iron Contributor
1. Connect to Office 365 PowerShell by running the PowerShell ISE as Administrator and executing the following command:
Set-ExecutionPolicy RemoteSigned
2. Request Windows PowerShell credentials by running the following command:
$Cred = Get-Credential
Enter your account and password and then click OK.
3. Create a session using the following command, modifying the -ConnectionUri parameter based on your Exchange Online location:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
4. Connect to Exchange Online:
Import-PSSession $Session -DisableNameChecking
5. Generate a user permissions report by doing one of the following:
To get a full summary of users’ permissions, use the following Get-Mailbox command:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Select Identity, User, Deny, AccessRights, IsInherited | Export-Csv -Path "c:\temp\mailboxpermissions.csv" -NoTypeInformation
If you need a report on a specific user, use the -identity parameter instead of -resultsize unlimited.
To filter users having full access, use the parameter where {($_.accessrights -contains "FullAccess")}:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | where {($_.accessrights -contains "FullAccess")} | Select AccessRights, Deny, InheritanceType, User, Identity, IsInherited | Export-Csv -Path "c:\temp\fullaccess.csv" -NoTypeInformation
By default, you will get a full list of users, including non-owner access. To get information about direct user permissions only, use either {($_.user -ne "NT AUTHORITY\SELF")} or {($_.user -like '*@*')}:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Select Identity, User, Deny, AccessRights, IsInherited | Where {($_.user -ne "NT AUTHORITY\SELF")} | Export-Csv -Path "c:\temp\NonOwnerPermissions.csv" -NoTypeInformation
To view information about “Send As” permissions, use the Get-RecipientPermission cmdlet:
Get-Mailbox -ResultSize Unlimited | Get-RecipientPermission | where {($_.trustee -ne "NT AUTHORITY\SELF")} | Select Identity, Trustee, AccessControlType, AccessRights, IsInherited | Export-Csv -Path "c:\temp\sendaspermissions.csv" -NoTypeInformation
To report on mailboxes with the “Send on Behalf” permission, use the following script:
$GrantSendOn = Get-Mailbox -ResultSize Unlimited | where {($_.GrantSendOnBehalfTo -ne "")}
# Emit one row per mailbox/delegate pair, so each row carries its own mailbox's address and name
$Out = foreach ($mbx in $GrantSendOn) {
foreach ($user in $mbx.GrantSendOnBehalfTo) {
$obj = New-Object System.Object
$obj | Add-Member NoteProperty eMail $mbx.WindowsEmailAddress
$obj | Add-Member NoteProperty DisplayName $mbx.DisplayName
$obj | Add-Member NoteProperty User $user
$obj } }
$Out | Export-Csv -Path "c:\temp\sendonbehalfpermissions.csv" -NoTypeInformation
6. Review report:
How to Report Exchange Online Mailbox Permissions - Native Auditing
7. Terminate your session by using the following command:
Remove-PSSession $Session
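For the periodic check this thread is about, the three reports can be merged into one normalized delegation list and compared with the previous run, so that only newly granted access needs review. This is an added example, not code from either poster; it assumes an Exchange Online session is already connected, and $ReportDir, the CSV file names and the function name Get-DelegationRow are hypothetical.

```powershell
# Added example; assumes an Exchange Online session is already connected.
# $ReportDir, the CSV names and Get-DelegationRow are hypothetical.
$ReportDir = 'C:\temp'
$Current   = Join-Path $ReportDir 'delegations-current.csv'
$Baseline  = Join-Path $ReportDir 'delegations-baseline.csv'
$NewGrants = Join-Path $ReportDir 'delegations-new.csv'

function Get-DelegationRow {
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $id = "$($mbx.PrimarySmtpAddress)"

        # Full Access: explicit, non-inherited Allow entries for anyone but the owner
        Get-MailboxPermission -Identity $id |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny -and
                           -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $id; Delegate = "$($_.User)"; Right = 'FullAccess' } }

        # Send As
        Get-RecipientPermission -Identity $id |
            Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $id; Delegate = "$($_.Trustee)"; Right = 'SendAs' } }

        # Send on Behalf: one row per delegate listed on the mailbox
        foreach ($d in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox = $id; Delegate = "$d"; Right = 'SendOnBehalf' }
        }
    }
}

$rows = @(Get-DelegationRow)
$rows | Export-Csv -Path $Current -NoTypeInformation

if (Test-Path $Baseline) {
    # Index the previous run by mailbox|delegate|right (hashtable keys are case-insensitive)
    $seen = @{}
    Import-Csv $Baseline | ForEach-Object { $seen["$($_.Mailbox)|$($_.Delegate)|$($_.Right)"] = $true }

    # Rows absent from the baseline were granted since the last reviewed run
    $rows | Where-Object { -not $seen.ContainsKey("$($_.Mailbox)|$($_.Delegate)|$($_.Right)") } |
        Export-Csv -Path $NewGrants -NoTypeInformation
} else {
    # First run: nothing to compare against, so this run becomes the baseline
    Copy-Item $Current $Baseline
}
```

The baseline is deliberately not overwritten on later runs; replace it with the current file only after the new grants have been reviewed, otherwise an unreviewed grant disappears from the next comparison.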