We all know that Office 365 allows admins to set mailbox delegation permissions to access other mailboxes. One of the comments I often hear from Office 365 admins is that they need to export Office 365 mailbox permissions like Full access, Send-as, and Send-on-behalf. Fear not – help is here!
In the Office 365 Exchange admin center, we can view mailbox delegation permissions by clicking each mailbox. That is fine until you need to view the permissions of multiple mailboxes; the O365 portal is not friendly for viewing multiple mailboxes’ permissions at a time. No worries! We have PowerShell. Yes, we can use a PowerShell script to retrieve the information we need and control how it is displayed, but we need to process multiple cmdlets like Get-Mailbox, Get-MailboxPermission, Get-RecipientPermission, etc.
Don’t worry! We are here! We have written a handy PowerShell script to find Office 365 users who have full access, send-as, and send-on-behalf permission on other mailboxes, and export them to a CSV file.
Highlights of the script:
- The script uses Modern authentication to connect to Exchange Online.
- The script displays only “explicitly assigned permissions” on mailboxes, which means it ignores the “SELF” permission that each user has on their own mailbox as well as inherited permissions.
- Exports output to CSV file.
- The script can be executed with MFA enabled account too.
- The script supports certificate based authentication (CBA) too.
- You can choose to either “export permissions of all mailboxes” or pass an input file to get permissions of specific mailboxes alone.
- Allows you to filter output using your desired permissions like Send-as, Send-on-behalf or Full access.
- Output can be filtered based on mailbox type (user mailboxes only or all mailbox types).
- Allows you to filter permissions on admins’ mailboxes, so that you can view administrative users’ mailbox permissions alone.
- Automatically installs the EXO V2 and MS Graph PowerShell modules (if not installed already) upon your confirmation.
- This script is scheduler friendly.
Download Script: GetMailboxPermission.ps1
Mailbox Permission Report – Sample Output:
Below is the result you should expect from this script. The mailbox permission report stores the most commonly required attributes: Display Name, User Principal Name, Mailbox Type, Access Type, User With Access, and Admin Roles. You can easily include more attributes by modifying the script.
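The following added example (not the downloadable script) shows how the cmdlets named earlier combine to collect only explicitly assigned permissions. It assumes Connect-ExchangeOnline has already succeeded; the function name Get-ExplicitDelegation and the CSV path are hypothetical, and the Admin Roles column is left out because it needs a separate MS Graph lookup.

```powershell
# Added example, not the downloadable script. Assumes an existing
# Connect-ExchangeOnline session. Function name and CSV path are hypothetical.
function Get-ExplicitDelegation {
    param([Parameter(Mandatory)] $Mailbox)

    $upn    = $Mailbox.UserPrincipalName
    $grants = @()

    # Full access is stored in the mailbox ACL. Drop inherited entries and
    # the owner's own SELF entry so only explicit grants remain.
    $grants += @(Get-MailboxPermission -Identity $upn | Where-Object {
            (($_.AccessRights -join ',') -match 'FullAccess') -and
            -not $_.IsInherited -and $_.User -notlike '*\SELF'
        } | ForEach-Object { @{ Type = 'FullAccess'; Who = $_.User } })

    # Send-as is a recipient permission, so it needs a different cmdlet.
    $grants += @(Get-RecipientPermission -Identity $upn | Where-Object {
            (($_.AccessRights -join ',') -match 'SendAs') -and
            -not $_.IsInherited -and $_.Trustee -notlike '*\SELF'
        } | ForEach-Object { @{ Type = 'SendAs'; Who = $_.Trustee } })

    # Send-on-behalf is a property of the mailbox object itself.
    # @() plus the Where-Object filter guards against an empty property.
    $grants += @(@($Mailbox.GrantSendOnBehalfTo) | Where-Object { $_ } |
        ForEach-Object { @{ Type = 'SendOnBehalf'; Who = $_ } })

    # One output row per (mailbox, delegate, access type).
    foreach ($g in $grants) {
        [pscustomobject]@{
            DisplayName       = $Mailbox.DisplayName
            UserPrincipalName = $upn
            MailboxType       = $Mailbox.RecipientTypeDetails
            AccessType        = $g.Type
            UserWithAccess    = $g.Who
        }
    }
}

Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-ExplicitDelegation -Mailbox $_ } |
    Export-Csv -Path '.\MailboxPermissionSample.csv' -NoTypeInformation
```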
Get Mailbox Permission Report – Script Execution Methods:
You can execute this script with both MFA and non-MFA accounts.
Export mailbox permission report using admin account:
To execute the script with an MFA or non-MFA account, use the format below. It will prompt for credentials twice: once for Exchange Online PowerShell and once for MS Graph (to retrieve admin role details).
.\GetMailboxPermission.ps1
The exported mailbox delegation report includes permissions like full access, send as, and send on behalf.
Export mailbox permission report using certificate:
To automate the script execution, you can use certificates for authentication. Depending on your requirements, you can choose to use a certificate authority (CA) or create a self-signed certificate, which is more cost-effective.
The script can be executed with certificate-based authentication (CBA) by specifying the TenantId, ClientId, and CertificateThumbprint parameters in the following format:
.\GetMailboxPermission.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <Certthumbprint>
This format can also be used to schedule the PowerShell script as a scheduled task in the Windows Task Scheduler.
Note: You must register an app in Azure AD, before using certificate-based authentication.
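The certificate and scheduling steps above, as an added example that is not part of the original script. The subject name, file paths, task name and schedule are hypothetical, the tenant and client IDs are placeholders, and it assumes the exported .cer has been uploaded to an app registration that already exists.

```powershell
# Added example; all names, paths and IDs below are placeholders.
$tenantId = '<TenantId>'   # placeholder: your tenant ID
$clientId = '<ClientId>'   # placeholder: the registered app's client ID

# 1. Create a self-signed certificate in the current user's store.
#    NonExportable keeps the private key from being copied off this host,
#    and a one-year lifetime forces regular rotation.
$cert = New-SelfSignedCertificate -Subject 'CN=MailboxPermissionReport' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeySpec KeyExchange -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public certificate; this file is what gets uploaded
#    to the app registration. The private key never leaves the store.
Export-Certificate -Cert $cert -FilePath 'C:\Reports\MailboxPermissionReport.cer' |
    Out-Null

# 3. Schedule the report. The task must run as the same user whose store
#    holds the certificate, because Cert:\CurrentUser\My is per-user.
$arguments = '-NoProfile -File "C:\Scripts\GetMailboxPermission.ps1" ' +
    "-TenantId $tenantId -ClientId $clientId " +
    "-CertificateThumbprint $($cert.Thumbprint)"

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '06:00'

Register-ScheduledTask -TaskName 'MailboxPermissionReport' `
    -Action $action -Trigger $trigger
```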
How to Use Built-in Filters to Generate Custom M365 Report?
You can use the built-in filtering params to generate a more customized mailbox permissions report.
Export Mailbox permissions for list of mailboxes in the input file
To get permissions of specific mailboxes, use the -MBNamesFile param and pass an input file containing the display names of the mailboxes.
.\GetMailboxPermission.ps1 -MBNamesFile C:/InputFile.csv
The mailbox names CSV File must follow the format below: Display name of mailboxes separated by new line without header.
Export Office 365 Mailbox Delegates Report
To get all mailbox delegates, run the script as follows. This returns mailboxes that have full access, send as, and send on behalf permissions delegated to other mailboxes, i.e., a non-owner mailbox permission report.
.\GetMailboxPermission.ps1
Export Mailbox Full Access Permission to CSV
You can use the -FullAccess param to export mailbox full access permissions to a CSV file. The script displays only “explicitly assigned permissions” on mailboxes, which means it ignores the “SELF” permission that each user has on their own mailbox as well as inherited permissions.
.\GetMailboxPermission.ps1 -FullAccess
Export Mailbox SendAs Permission to CSV
The -SendAs param filters the output to only the mailboxes that have send-as permission delegated and exports the mailbox SendAs permissions to CSV.
.\GetMailboxPermission.ps1 -SendAs
Export Mailbox SendOnBehalf Permission to CSV
To filter the output to only the mailboxes that have send-on-behalf permission delegated, use the -SendOnBehalf param. This exports the mailbox Send-on-behalf permissions to a CSV file.
.\GetMailboxPermission.ps1 -SendOnBehalf
Export User Mailbox Permissions to CSV
As an administrator, you often need the permissions for user mailboxes only, excluding other types such as shared mailboxes and room mailboxes. In that case, use the -UserMailboxOnly param to return user mailboxes alone in the results.
.\GetMailboxPermission.ps1 -UserMailboxOnly
Without the -UserMailboxOnly param, the script lists all mailbox permissions, including room, equipment, and shared mailbox permissions.
By the way, if you feel worried about the long PowerShell script, you can use Microsoft365DSC to export Exchange mailbox permissions in a single go!
Export Admin User Mailbox Permissions to CSV
As admin accounts have elevated privileges, they may require special focus. To list admin mailbox permissions alone, use the -AdminsOnly param, which returns only the mailboxes of users who hold an admin role.
.\GetMailboxPermission.ps1 -AdminsOnly
You can use multiple filters together to get a more granular result. For example, you can get a list of admin accounts delegated with full access permission.
.\GetMailboxPermission.ps1 -FullAccess -UserMailboxOnly -AdminsOnly
Get More Detailed Mailbox Permission Report with AdminDroid:
Using PowerShell requires a significant investment of time and familiarity with PowerShell concepts to enable customization. However, AdminDroid provides a user-friendly and intuitive interface that eliminates the need for complex PowerShell cmdlets. It offers a more accessible and efficient approach to generating Exchange mailbox permission reports without requiring extensive scripting knowledge.
Mailbox permission reports include,
- Mailbox permission
- Mailbox permission summary
- Mailbox with send as permission
- Mailbox with sendonbehalf permission
- Mailbox with full permission
- Mailbox with read permission
- Users access to other mailbox report
- Guest access to other mailboxes
- Mailbox permission changes
- Mailbox folder permission changes
- Public folder permission changes
- Sendas permission changes
- Folder authorization activities
AdminDroid Exchange Online reporting tool simplifies the reporting process with comprehensive and customizable reports, automation capabilities, visual representation of data, and assistance with compliance and security. Also, the tool provides Exchange online audit reports to track mailbox activities, audit configuration changes, monitor email traffic, etc.
Additionally, AdminDroid Microsoft 365 management tool provides 1800+ pre-built reports and 30+ smart visually appealing dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc.
Besides, AdminDroid offers 100+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, Application activities, and more. The free edition provides reporting functionalities such as customization, scheduling, sending reports through email, and exporting. Download the free Office 365 reporting tool by AdminDroid and see how it helps you.
I hope this post was helpful. If you modify the script and use it for other use cases, then please leave your idea in the comment section and help more admins.