Export Shared Mailbox Permission Report to CSV using PowerShell

Shared Mailbox allows a group of users to view and send emails from a common email address. I.e., any member of the shared mailbox can respond to an email that sent to a shared mailbox. And any response sent by its members appears as it sent from the shared mailbox rather than the individual person.

Shared Mailbox is useful for help and support, reception desk, or any function that is shared by multiple people.

Since Shared Mailbox has no owner, it doesn’t have its own password. So, users cannot access it directly. You need to add users as members to access the Shared Mailbox. A member can access Shared Mailbox by log in to his mailbox.

Member can ‘send as’ or ‘send on behalf of’ the Shared Mailbox based on the permission given by the administrator.

To get Shared Mailbox members, you need to find users’ permission on Shared Mailbox. A user with full access permission on Shared mailbox considered as its member. Apart from that Shared Mailbox can have delegates. Shared mailbox delegates can be retrieved using following rights: Send As and Send on Behalf.

1. Full Access – Allows the delegate to open, view and modify Shared Mailbox content but doesn’t allow to send email.
2. Send As – Allows the delegate to send email as Shared Mailbox. In this case, the recipient has no indication about that the mail was sent by delegate.
3. Send on Behalf – Allows delegate to send email on belhaf of shared maiilbox. The recipient can identify the delegate by seeing e-mail’s from address (<Delegate> on behalf of <Shared Mailbox>).

You can get Shared Mailbox permissions from Exchange Admin Center (EAC), but it’s per mailbox based. To be more scalable, you can get the permissions through PowerShell. The user rights of a Shared Mailbox are retrieved from PowerShell cmdlets Get-Mailbox, Get-MailboxPermission, and Get-RecipientPermission.

Microsoft does not have a good report to show which users have full access, send as, and send on behalf permission on Shared Mailbox. So, we built the following PowerShell script to fetch you a nicely formatted Shared Mailbox permissions report. And this script supports more advanced filtering options too.

Download Script: GetSharedMailboxPermission.ps1

Script Highlights:

• The script display only “Explicitly assigned permissions” to mailboxes which means it will ignore “SELF” permission that each user on his mailbox and inherited permission.
• Exports output to CSV file.
• The script can be executed with MFA enabled account also.
• You can choose to either “export permissions of all mailboxes” or pass an input file to get permissions of specific mailboxes alone.
• Allows you to filter output using your desired permissions like Send-as, Send-on-behalf or Full access.
• This script is scheduler friendly. I.e., credentials can be passed as a parameter instead of saving inside the script

To execute the script with MFA enabled account or non-MFA account, use the below format.

Sample Output:

The exported report stores the most required attributes like Display Name, User Principal Name, Primary SMTP Address, Email Aliases, Access Type, and User with Access.

The output will look similar to the below screenshot.

You can use params/switches to get a more granular report.

• Export Permissions for single/list of Shared Mailboxes
• Export Shared Mailbox full access permission
• List Shared Mailbox send as permission
• Export Shared Mailbox send on behalf permission to CSV
• Export Shared mailbox members to CSV
• Schedule Shared Mailbox permission report

You can use –MBNamesFile param to export permissions of a Shared Mailbox from the input list called “SharedMB.txt”.

To get permissions of specific mailboxes, pass an input file with a Display Name/ Alias/ Distinguished Name/ Canonical DN/ Email Address or GUID of Shared Mailboxes.

./GetSharedMailboxPermissions.ps1 -MBNamesFile C:/SharedMB.txt

The mailbox names CSV File must follow the format below: Identity of mailboxes separated by new line without header.

If the input file has non-shared mailbox, then it will show error. you can refer our previous blog to export all mailbox permissions report.

You can use -FullAccess switch param to export mailbox full access permission to CSV file. The script displays only “explicitly assigned permissions” to mailboxes, which means it will ignore inherited permission.

-SendAs param used to filter output that only displays mailboxes, which has send-as permission delegated.

To export Shared Mailbox members who have send on behalf permission, execute the script with –SendOnBehalf switch param.

To export all Shared Mailboxes with its members, run the script as follows. The output lists all members with their permissions on Shared Mailbox.

By default, this PowerShell script supports multiple advanced filtering options. You can use one or more filters during execution time.

The above output lists users who have full access and send as permission on Shared Mailboxes.

Since this script is scheduler-friendly, you can schedule script in Windows Task Scheduler by explicitly mentioning the credential.

If you want to get more detailed shared mailbox reports based on

• Shared Mailbox info
  • List all shared mailboxes
  • Shared mailbox members
  • Recently created shared mailboxes
• Shared Mailbox size over time
• Shared Mailbox permission
  • Shared mailbox permission details
  • Shared mailbox permission summary report
• Shared Mailbox with rules
  • Shared mailbox with inbox rules
  • Shared mailbox with forwarding
  • Shared mailbox inbox rules with forwarding
• Hold details
  • Shared mailboxes with retention hold
  • Shared mailboxes with in-place hold
  • Shared mailboxes with litigation hold

• Shared Mailbox analytics
  • 20+ reports on Shared mailbox email analytics

you can take a look at AdminDroid Microsoft 365 reporting tool. Additionally, AdminDroid offers 1600+ pre-built reports on various Office 365 services like Azure AD, Exchange Online, SharePoint Online, Microsoft Teams, etc. For your Office 365 reporting and auditing needs,

Each report provides AI-powered graphical analysis to gain insights and better understand the data in a visually appealing manner.

Besides, AdminDroid Offers over 120+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. You can do customization, scheduling, and exporting. You can download Free Office 365 reporting tool by AdminDroid and see how it helps you.

I hope this blog is helpful to you. If you need more attributes or enhancements, please mention them in the comment section. We will help you to edit this script.