Reporting Exchange Online Mailbox Permissions

Exchange Online makes it easy to assign delegated permissions for user and shared mailboxes. But permissions assigned to people might not still be necessary, so it’s good to do a periodic check. In this post, we describe a script to scan for permissions on Exchange Online user and shared mailboxes and highlight non-standard permissions in a report generated as a CSV file.

 

https://office365itpros.com/2020/03/16/creating-report-exchange-online-mailbox-permissions/

2 Replies
1. Connect to Office 365 PowerShell by running the PowerShell ISE as Administrator and executing the following command:

Set-ExecutionPolicy RemoteSigned

2. Request Windows PowerShell credentials by running the following command:

$Cred = Get-Credential

Enter your account and password and then click OK.

3. Create a session using the following command, modifying the -ConnectionUri parameter based on your Exchange Online location:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection

4. Connect to Exchange Online:

Import-PSSession $Session -DisableNameChecking

5. To generate a user permissions report, do one of the following:

To get a full summary of users’ permissions, use the following Get-Mailbox command:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Select Identity, User, Deny, AccessRights, IsInherited | Export-Csv -Path "c:\temp\mailboxpermissions.csv" -NoTypeInformation

If you need a report on a specific user, use the -identity parameter instead of -resultsize unlimited.
To filter users having full access, use the parameter where {($_.accessrights -contains "FullAccess")}:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where {($_.AccessRights -contains "FullAccess")} | Select AccessRights, Deny, InheritanceType, User, Identity, IsInherited | Export-Csv -Path "c:\temp\fullaccess.csv" -NoTypeInformation

By default, you will get a full list of users, including non-owner access. To get information about direct user permissions only, use either {($_.user -ne "NT AUTHORITY\SELF")} or {($_.user -like '*@*')}:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Select Identity, User, Deny, AccessRights, IsInherited | Where {($_.User -ne "NT AUTHORITY\SELF")} | Export-Csv -Path "c:\temp\NonOwnerPermissions.csv" -NoTypeInformation

To view information about “Send As” permissions, use the Get-RecipientPermission cmdlet:
Get-Mailbox -ResultSize Unlimited | Get-RecipientPermission | Where {($_.Trustee -ne "NT AUTHORITY\SELF")} | Select Identity, Trustee, AccessControlType, AccessRights, IsInherited | Export-Csv -Path "c:\temp\sendaspermissions.csv" -NoTypeInformation

To report on mailboxes with the “Send on Behalf” permission, use the following script:
$GrantSendOn = Get-Mailbox -ResultSize Unlimited | Where {($_.GrantSendOnBehalfTo -ne "")}

# Emit one row per mailbox/delegate pair so each delegate stays tied to its own mailbox
$Out = foreach ($mailbox in $GrantSendOn) {
    foreach ($user in $mailbox.GrantSendOnBehalfTo) {
        $obj = New-Object System.Object
        $obj | Add-Member NoteProperty eMail $mailbox.WindowsEmailAddress
        $obj | Add-Member NoteProperty DisplayName $mailbox.DisplayName
        $obj | Add-Member NoteProperty User $user
        $obj
    }
}

$Out | Export-Csv -Path "c:\temp\sendonbehalfpermissions.csv" -NoTypeInformation

6. Review report:

How to Report Exchange Online Mailbox Permissions - Native Auditing


7. Terminate your session by using the following command:

Remove-PSSession $Session
I was about to post (soon) my Get-EXOMailboxTrustee.ps1 script. I still will very soon once I save the help section into it.

It's working now though, so will share here now for an early preview:

https://github.com/JeremyTBradshaw/PowerShell/blob/master/Get-EXOMailboxTrustee.ps1

This one is safe for large environments as it uses 100% new V2 Cmdlets. It's my first script that makes use of the new REST API cmdlets. It was much needed - as soon as V2 came out, seemed like MS maybe cranked up the throttling of the original cmdlets so my earlier script (Get-MailboxTrustee.ps1) stopped being able to survive large environments almost overnight upon the V2 preview initial release.
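
Added example, not part of either reply and not taken from the linked scripts: one filter that turns the three kinds of output discussed in this thread (Get-MailboxPermission rows, Get-RecipientPermission rows, and mailbox objects carrying GrantSendOnBehalfTo) into a single review list of direct, non-owner grants. The function name Select-DelegatedAccess, the output column names and the sample rows are assumptions made for illustration.

```powershell
# Added example. Select-DelegatedAccess and its column names are hypothetical.
function Select-DelegatedAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Entry,
        # Trustees every mailbox has by default; extend for your tenant (assumption).
        [string[]] $IgnoreTrustee = @('NT AUTHORITY\SELF')
    )
    process {
        $props = $Entry.PSObject.Properties
        if ($props['GrantSendOnBehalfTo']) {
            # Mailbox object: one row per Send on Behalf delegate.
            foreach ($delegate in $Entry.GrantSendOnBehalfTo) {
                [pscustomobject]@{ Mailbox = [string]$Entry.Identity; Trustee = [string]$delegate
                                   Right = 'SendOnBehalf'; Type = 'Allow' }
            }
            return
        }
        # Get-MailboxPermission names the grantee User; Get-RecipientPermission uses Trustee.
        $trustee = if ($props['Trustee']) { $Entry.Trustee } else { $Entry.User }
        if ("$($Entry.IsInherited)" -eq 'True') { return }   # inherited, not a direct grant
        if ($IgnoreTrustee -contains $trustee) { return }     # the owner's own entry
        # Compare as strings so values read back from a CSV behave like live booleans.
        $deny = ("$($Entry.Deny)" -eq 'True') -or ($Entry.AccessControlType -eq 'Deny')
        foreach ($right in $Entry.AccessRights) {
            [pscustomobject]@{ Mailbox = [string]$Entry.Identity; Trustee = [string]$trustee
                               Right = [string]$right; Type = $(if ($deny) { 'Deny' } else { 'Allow' }) }
        }
    }
}

# Constructed sample rows shaped like the cmdlet output described in the thread.
$sample = @(
    [pscustomobject]@{ Identity = 'shared-finance'; User = 'NT AUTHORITY\SELF'
                       AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'shared-finance'; User = 'alex@example.com'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'shared-finance'; User = 'NT AUTHORITY\SYSTEM'
                       AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }
    [pscustomobject]@{ Identity = 'shared-finance'; Trustee = 'sam@example.com'
                       AccessRights = @('SendAs'); IsInherited = $false; AccessControlType = 'Allow' }
    [pscustomobject]@{ Identity = 'shared-finance'; GrantSendOnBehalfTo = @('kim') }
)
$sample | Select-DelegatedAccess | Sort-Object Mailbox, Trustee | Format-Table -AutoSize

# Live use with the V2 cmdlets, after Connect-ExchangeOnline:
#   Get-EXOMailbox -ResultSize Unlimited -Properties GrantSendOnBehalfTo | ForEach-Object {
#       $_; Get-EXOMailboxPermission -Identity $_.UserPrincipalName
#       Get-EXORecipientPermission -Identity $_.UserPrincipalName
#   } | Select-DelegatedAccess | Export-Csv -Path 'c:\temp\delegations.csv' -NoTypeInformation
```

Comparing the resulting CSV against the previous run's file shows which delegations were added or removed between periodic checks.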