Export Office 365 Mailbox Permission Report to CSV

We all know that Office 365 allows admins to set mailbox delegation permission to access other mailboxes. One of the comments I often hear from Office 365 admins is, they need to export office 365 mailbox permissions like Full access, Send-as, and Send-on-behalf. Fear not – help is here!

In Office 365 Exchange admin center, we can view Mailbox delegation permissions by clicking each mailbox. It’s not bad until you are in the situation to view permissions of multiple mailboxes. The O365 portal is not friendly to view multiple mailboxes’ permission at a time. No worries! We have PowerShell. Yes, we can use a PowerShell script to see the information we need and can have control over how the information is displayed but we need to process multiple cmd-lets like Get-Mailbox, Get-MailboxPermission, Get-RecipientPermission, etc.

Don’t worry! We are here! We have written a handy PowerShell script to find Office 365 users who have full access, send-as, and send-on-behalf permission on other mailboxes, and export them to CSV file.

• You can choose to either “export permissions of all mailboxes” or pass an input file to get permissions of specific mailboxes alone.
• Allows you to filter output using your desired permissions like Send-as, Send-on-behalf or Full access.
• Output can be filtered based on user/all mailbox type
• The script display only “Explicitly assigned permissions” to mailboxes which means it will ignore “SELF” permission that each user on his mailbox and inherited permission.
• Exports output to CSV file.
• The script can be executed with MFA enabled account too.
• The script supports certificate based authentication (CBA) too.
• Allows you to filter permissions on admins mailboxes. So that you can view who can access privileged users’ mailboxes.
• Automatically installs the EXO and MS Graph PowerShell modules (if not installed already) upon your confirmation.
• This script is scheduler friendly.

Download Script: GetMailboxPermission.ps1

The mailbox permission report stores most required attributes like Display Name, User Principal Name, Mailbox Type, Access Type, User With Access, and Admin Roles. You can include more attributes by easily modifying script.

You can execute this script with both MFA and non-MFA accounts.

To execute the script with MFA or non-MFA account, use the below format. It will prompt to enter credential twice, one is for Exchange Online PowerShell and another is for MS Graph (to retrieve admin role details).

The exported mailbox delegation report includes permissions like full access, send as, and send on behalf.

This format can also be used to schedule the PowerShell script as a scheduled task in the Windows Task Scheduler.

Note: To use certificate-based authentication, you must register an app in Entra ID.

You can use the built-in filtering params to to generate more customized mailbox permissions report.

To get delegates details of specific mailboxes, you can use -MBNamesFile param and pass a CSV file as an input.

The mailbox names CSV File must follow the format below: Display name of mailboxes separated by new line without header.

You can use -FullAccess param to export mailbox full access permission to CSV file. The script display only “explicitly assigned permissions” to mailboxes which means it will ignore “SELF” permission that each user on his mailbox and inherited permission.

-SendAs param is used to view mailboxes which has send-as permission delegated and exports mailbox SendAs permission to CSV.

To filter output that only displays mailboxes which has send-on-behalf permission delegated, you can use -SendOnBehalf param. This will export mailboxes and their delegates with Send-on-behalf permission.

As an administrator, often you are in the situation to get permissions for only user mailboxes and eliminates other types like shared mailbox, room mailbox. In that case, you can use -UserMailboxOnly param to return user mailboxes alone in the results.

Without -UserMailboxOnly param, it will list all mailbox permissions including room, equipment and shared mailbox permissions.

By the way, if you feel worried about the long PowerShell script, you can use Microsoft365DSC to export Exchange mailbox permissions in a single go!

As admin accounts has elevated privileges, it may require special focus. To list who can access admin mailboxes you can use -AdminsOnly param.

• You can use multiple filters together, to get a more granular result. For example, you can get a list of admin accounts delegated with full access permission.

Using PowerShell requires a significant investment of time and familiarity with PowerShell concepts to enable customization. However, AdminDroid provides a user-friendly and intuitive interface that eliminates the need for complex PowerShell cmdlets. It offers a more accessible and efficient approach to generating Exchange mailbox permission reports without requiring extensive scripting knowledge.

Mailbox permission reports include,

• Mailbox permission
  • Mailbox permission summary
  • Mailbox with send as permission
  • Mailbox with sendonbehalf permission
  • Mailbox with full permission
  • Mailbox with read permission
  • Users access to other mailbox report
  • Guest access to other mailboxes
• Mailbox permission changes
  • Mailbox permission changes
  • Mailbox folder permission changes
  • Public folder permission changes
  • Sendas permission changes
  • Folder authorization activities

AdminDroid Exchange Online reporting tool simplifies the reporting process with comprehensive and customizable reports, automation capabilities, visual representation of data, and assistance with compliance and security. Also, the tool provides Exchange online audit reports to track mailbox activities, audit configuration changes, monitor email traffic, etc.

Additionally, AdminDroid Microsoft 365 management tool provides 1900+ pre-built reports and 30+ smart visually appealing dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc.

Besides, AdminDroid offers 120+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, Application activities, and more. The free edition provides reporting functionalities such as customization, scheduling, sending reports through email, and exporting. Download Free Office 365 reporting tool by AdminDroid and see how it helps for you.

I hope this post was helpful. If you modify the script and use it for other use cases, then please leave your idea in the comment section and help more admins.