Export Office 365 Mailbox Permissions Report to CSV

One of the comments I often hear from Office 365 admins is, they need to export office 365 mailbox permissions like Full access, Send-as, and Send-on-behalf. Fear not – help is here!

In Office 365 Exchange admin center, we can view Mailbox delegation permissions by clicking each mailbox. It’s not bad until you are in the situation to view permissions of multiple mailboxes. The O365 portal is not friendly to view multiple mailboxes’ permission at a time. No worries! We have PowerShell. Yes, we can use a PowerShell script to see the information we need and can have control over how the information is displayed. 

We have written a handy PowerShell script to find Office 365 users who have full access, send-as, and send-on-behalf permission, and export them to CSV file.

 

Highlights of the script:

  • The script display only “Explicitly assigned permissions” to mailboxes which means it will ignore “SELF” permission that each user on his mailbox and inherited permission.
  • Exports output to CSV file.
  • The script can be executed with MFA enabled account.
  • Output file stores most required attributes like Display Name, User Principal Name, Mailbox Type, Access Type, User With Access, and Admin Roles. You can include more attributes by easily modifying script.
  • Allows you to filter output using your desired permissions like Send-as, Send-on-behalf or Full access.
  • Output can be filtered based on user/all mailbox type
  • Allows you to filter permissions on admin’s mailbox. So that you can view administrative users’ mailbox permission alone.

You can download the PowerShell script from TechNet Gallery.

 

How can I execute a script with MFA?

To execute script with MFA enabled account, you need to mention -MFA switch during script execution.

To know more about how to connect exchange online PowerShell with MFA, refer our blog Connect Exchange Online PowerShell with MFA.

 

How can I filter the output?

       You can use params to filter the output as per your need.

-FullAccess

        You can use -FullAccess param to filter output that only displays mailboxes which has full access permission delegated.

-SendAs

        This param used to filter output that only displays mailboxes which has send-as permission delegated.

-SendOnBehalf

     This param used to filter output that only displays mailboxes which has send-on-behalf permission delegated.

-UserMailboxOnly

     The -UserMailboxOnly param is used to return user mailboxes alone in the results.

     Without -UserMailboxOnly param, it will list all mailbox types including shared, room and equipment mailbox.

-AdminOnly

    The -AdminOnly param is used to return admin role delegated mailboxes alone in the results.

•    You can use multiple filters together, to get a more granular result. For example, you can get a list of user mailboxes with admin role and its delegated full access permission.

 

Script execution and Output:

Pre-requisites and script execution steps available in our  O365 users’ last logon time blog.Please refer the blog.

Below is the result you should expect from this script.

Mailbox permission

 

How can I Schedule this script?

You can schedule this script in task scheduler by explicitly mentioning the credential.

You can expect a separate blog regarding how to schedule a PowerShell script soon.

I hope this post was helpful. If you modify the script and use it for other use cases, then please leave your idea in the comment section and help more admins.