Export Office 365 Mailbox Permissions Report to CSV

One of the comments I often hear from Office 365 admins is that they need to export Office 365 mailbox permissions like Full access, Send-as, and Send-on-behalf. Fear not – help is here!

In the Office 365 Exchange admin center, we can view mailbox delegation permissions by clicking each mailbox. That works until you need to view the permissions of multiple mailboxes: the O365 portal does not make it easy to view the permissions of multiple mailboxes at a time. No worries! We have PowerShell. With a PowerShell script, we can retrieve the information we need and control how it is displayed.

We have written a handy PowerShell script to find Office 365 users who have full access, send-as, and send-on-behalf permissions, and export them to a CSV file.

 

Highlights of the script:

  • The script displays only “explicitly assigned permissions” on mailboxes, which means it ignores the “SELF” permission that each user has on their own mailbox, as well as inherited permissions.
  • Exports output to a CSV file.
  • The script can be executed with an MFA-enabled account.
  • You can choose to either “export permissions of all mailboxes” or pass an input file to get permissions of specific mailboxes alone.
  • The output file stores the most commonly required attributes, such as Display Name, User Principal Name, Mailbox Type, Access Type, User With Access, and Admin Roles. You can include more attributes by modifying the script.
  • Allows you to filter output by the permissions you are interested in: Send-as, Send-on-behalf or Full access.
  • Output can be filtered by mailbox type (user mailboxes only, or all mailbox types).
  • Allows you to filter permissions on admins’ mailboxes, so that you can view administrative users’ mailbox permissions alone.

You can download the PowerShell script from TechNet Gallery.

 

How can I execute a script with MFA?

To execute the script with an MFA-enabled account, specify the -MFA switch during script execution.

To know more about how to connect to Exchange Online PowerShell with MFA, refer to our blog Connect Exchange Online PowerShell with MFA.

 

How can I filter the output?

You can use params to filter the output as per your need.

Export Mailbox permissions for list of mailboxes in the input file

To get permissions of specific mailboxes, you can use the -MBNamesFile param and pass an input file containing the display names of the mailboxes.

The mailbox names CSV file must follow the format below: display names of mailboxes, separated by new lines, without a header.

Get Mailbox Permission From Input File

Export Mailbox Full Access Permission to CSV

You can use the -FullAccess param to export mailbox full access permissions to a CSV file. The script displays only “explicitly assigned permissions” on mailboxes, which means it ignores the “SELF” permission that each user has on their own mailbox, as well as inherited permissions.

 
Export Mailbox SendAs Permission to CSV

The -SendAs param filters the output to display only mailboxes which have send-as permission delegated, and exports the mailbox SendAs permissions to CSV.

 
Export Mailbox SendOnBehalf Permission to CSV

To filter the output to display only mailboxes which have send-on-behalf permission delegated, you can use the -SendOnBehalf param. This will export mailbox Send-on-behalf permissions to a CSV file.

 
Export User Mailbox Permissions to CSV

As an administrator, you often need to get permissions for user mailboxes only, excluding other types such as shared mailboxes and room mailboxes. In that case, you can use the -UserMailboxOnly param to return user mailboxes alone in the results.

Without the -UserMailboxOnly param, it will list all mailbox types, including shared, room and equipment mailboxes.

 
Export Admin User Mailbox Permissions to CSV

As admin accounts have elevated privileges, they may require special focus. To list admin mailbox permissions alone, you can use the -AdminOnly param. It is used to return only mailboxes of users with admin roles delegated.

•    You can use multiple filters together to get a more granular result. For example, you can get a list of admin user mailboxes which have full access permission delegated.
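
The three permission types above come from three different places in Exchange Online: Get-MailboxPermission (Full Access), Get-RecipientPermission (Send As) and the mailbox's GrantSendOnBehalfTo property (Send on Behalf). The following is an added example, not the downloadable script; it assumes an already connected Exchange Online PowerShell session, and the function name, column names and output path are illustrative.

```powershell
# Added example (not the downloadable script). Assumes an Exchange Online
# PowerShell session is already connected. New-DelegationRow, the column
# names and the output path are illustrative choices.
$self = 'NT AUTHORITY\SELF'

function New-DelegationRow ($Mailbox, $AccessType, $Delegate) {
    [pscustomobject]@{
        DisplayName       = $Mailbox.DisplayName
        UserPrincipalName = $Mailbox.UserPrincipalName
        MailboxType       = $Mailbox.RecipientTypeDetails
        AccessType        = $AccessType
        UserWithAccess    = "$Delegate"
    }
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $id = $mbx.UserPrincipalName

    # Full Access: keep explicit Allow entries only, i.e. skip inherited
    # entries, Deny entries and the owner's own SELF entry.
    Get-MailboxPermission -Identity $id |
        Where-Object {
            ($_.AccessRights -like '*FullAccess*') -and
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ($_.User -notlike $self)
        } |
        ForEach-Object { New-DelegationRow $mbx 'FullAccess' $_.User }

    # Send As is read with Get-RecipientPermission, not from the mailbox ACL.
    Get-RecipientPermission -Identity $id |
        Where-Object {
            ($_.AccessRights -like '*SendAs*') -and
            ($_.AccessControlType -eq 'Allow') -and
            (-not $_.IsInherited) -and ($_.Trustee -notlike $self)
        } |
        ForEach-Object { New-DelegationRow $mbx 'SendAs' $_.Trustee }

    # Send on Behalf is a multi-valued property of the mailbox itself.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        New-DelegationRow $mbx 'SendOnBehalf' $delegate
    }
}

$report | Export-Csv -Path .\MailboxPermissions.csv -NoTypeInformation
```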

 

Script execution and Output:

Pre-requisites and script execution steps are available in our O365 users’ last logon time blog. Please refer to that blog.

Below is the result you should expect from this script.

Mailbox permission

 

How can I Schedule this script?

You can schedule this script in Task Scheduler by explicitly mentioning the credential.

To know more about scheduling a PowerShell script, refer to our blog: Schedule PowerShell script using Task Scheduler.

I hope this post was helpful. If you modify the script and use it for other use cases, then please leave your idea in the comment section and help more admins.