Export Office 365 Mailbox Permissions Report to CSV

We all know that Office 365 allows admins to set mailbox delegation permission to access other mailboxes. One of the comments I often hear from Office 365 admins is, they need to export office 365 mailbox permissions like Full access, Send-as, and Send-on-behalf. Fear not – help is here!

In Office 365 Exchange admin center, we can view Mailbox delegation permissions by clicking each mailbox. It’s not bad until you are in the situation to view permissions of multiple mailboxes. The O365 portal is not friendly to view multiple mailboxes’ permission at a time. No worries! We have PowerShell. Yes, we can use a PowerShell script to see the information we need and can have control over how the information is displayed but we need to process multiple cmd-lets like Get-Mailbox, Get-MailboxPermission, Get-RecipientPermission, etc.

Don’t worry! We are here! We have written a handy PowerShell script to find Office 365 users who have full access, send-as, and send-on-behalf permission on other mailboxes, and export them to CSV file.

 

Highlights of the script:

  • The script uses Modern authentication to connect to Exchange Online.
  • The script display only “Explicitly assigned permissions” to mailboxes which means it will ignore “SELF” permission that each user on his mailbox and inherited permission.
  • Exports output to CSV file.
  • The script can be executed with MFA enabled account.
  • You can choose to either “export permissions of all mailboxes” or pass an input file to get permissions of specific mailboxes alone.
  • Output file stores most required attributes like Display Name, User Principal Name, Mailbox Type, Access Type, User With Access, and Admin Roles. You can include more attributes by easily modifying script.
  • Allows you to filter output using your desired permissions like Send-as, Send-on-behalf or Full access.
  • Output can be filtered based on user/all mailbox type
  • Allows you to filter permissions on admin’s mailbox. So that you can view administrative users’ mailbox permission alone.
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation. 
  • This script is scheduler friendly. I.e., credentials can be passed as a parameter instead of saving inside the script. 

 

Download Script: GetMailboxPermission.ps1

 

Script execution and Output:

Below is the result you should expect from this script.

Mailbox permission

 

How can I execute a script?

You can execute this script with both MFA and non-MFA accounts.

Export non-owner mailbox permission report with MFA enabled account:

To execute the script with MFA enabled account, use the below format. It will prompt to enter credential twice, one is for Exchange Online PowerShell and another is for Azure AD.

 

Export mailbox permission report with non-MFA account:
To execute script with non-MFA enabled account, you need to mention -NoMFA switch during script execution. It will prompt credential popup once.

 

 

How can I filter the output?

You can use params to filter the output as per your need.

Export Mailbox permissions for list of mailboxes in the input file

To get permissions of specific mailboxes, you can use -MBNamesFile param and  pass an input file with a display name of mailboxes.

The mailbox names CSV File must follow the format below: Display name of mailboxes separated by new line without header. 

Get Mailbox Permission From Input File

Export Office 365 Mailbox Delegates Report

To get all mailbox delegates, run the script as follows. This will return mailboxes that have full access, send as and send on behalf permissions delegated to other mailboxes, i.e, non-owner mailbox permission report. .

 

Export Mailbox Full Access Permission to CSV

        You can use -FullAccess param to export mailbox full access permission to CSV file. The script display only “explicitly assigned permissions” to mailboxes which means it will ignore “SELF” permission that each user on his mailbox and inherited permission.

 
Export Mailbox SendAs Permission to CSV

        -SendAs param used to filter output that only displays mailboxes which has send-as permission delegated and exports mailbox SendAs permission to CSV.

 
Export Mailbox SendOnBehalf Permission to CSV

     To filter output that only displays mailboxes which has send-on-behalf permission delegated, you can use -SendOnBehalf param. This will export mailbox Send-on-behalf permission to CSV file.

 
Export User Mailbox Permissions to CSV

     As an administrator, often you are in the situation to get permissions for only user mailboxes and eliminates other types like shared mailbox, room mailbox. In that case, you can use -UserMailboxOnly param to return user mailboxes alone in the results.

     Without -UserMailboxOnly param, it will list all mailbox permissions including room, equipment and shared mailbox permissions

 
Export Admin User Mailbox Permissions to CSV

    As admin accounts has elevated privileges, it may require special focus. To list Admin mailbox permissions alone, you can use -AdminOnly param.  is used to return admin role delegated mailboxes alone in the results.

•    You can use multiple filters together, to get a more granular result. For example, you can get a list of admin user mailboxes which delegated with full access permission.

 

How can I Schedule this script?

You can schedule non-owner mailbox permission script in task scheduler by explicitly mentioning the credential.

To know more about scheduling Powershell script, refer our blog: Schedule PowerShell script using Task Scheduler.

 

Get More Detailed Mailbox Permission Report:

If you want to get detailed mailbox permission report on

  • Mailbox permission
    • Mailbox permission summary
    • Mailbox with send as permission
    • Mailbox with sendonbehalf permission
    • Mailbox with full permission
    • Mailbox with read permission
    • Access to other mailbox report
  • Mailbox permission changes
    • Mailbox permission changes
    • Mailbox folder permission changes
    • Public folder permission changes
    • Sendas permission changes
    • Folder authorization activities

you can take a look at AdminDroid Microsoft 365 reporting and auditing tool.

Additionally, AdminDroid provides 1500+ pre-built reports and 20 smart visually appealing dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc.

AdminDroid Office 365 auditing toolAdminDroid Office 365 auditing reporting tool

 

Besides, AdminDroid offers 100+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. The free edition doesn’t have any restrictions in reporting functionalities such as customization, scheduling, and exporting. Download Free Office 365 reporting tool by AdminDroid and see how it helps for you.

I hope this post was helpful. If you modify the script and use it for other use cases, then please leave your idea in the comment section and help more admins.