Audit Mailbox Permission Changes in Office 365 using PowerShell 

Office 365 admins can configure permissions to delegate access to other mailboxes. Since mailboxes contain sensitive data, it is important to monitor mailbox permission changes to ensure security and prevent data leakage.


How to Audit Mailbox Permission Changes in Exchange Online:  

Mailbox permissions can be granted in the following ways:

  • Full access: The delegate can read, modify, and delete content in the delegated mailbox.
  • Send as: The delegate can send email from the delegated mailbox, and the message appears to be sent by the mailbox owner.
  • Send on behalf: The delegate can send email from the delegated mailbox on behalf of the mailbox owner (the recipient sees that it was sent by the delegate on the owner's behalf).

To detect mailbox permission changes, you can use 'Audit log search' in the compliance portal or the PowerShell cmdlet 'Search-UnifiedAuditLog'. Since each permission type has to be tracked separately, doing this through the UI is cumbersome. Also, you can't filter out send on behalf permission changes through the Audit log search.


How to Track Mailbox Permission Changes using PowerShell: 

With PowerShell, admins can track Exchange mailbox permission changes easily. However, it's hard to filter out send on behalf permission changes, as they are logged together with other mailbox property changes (Set-Mailbox operations). Worry not! We have created a PowerShell script to monitor permission changes with ease. The script allows you to generate an audit report on all permission changes or on a specific permission type only. Let's dive in!

Known limitation: For 'send on behalf' permission removal, Microsoft doesn't provide the name of the delegate whose access was removed. Instead, the audit record shows the delegates that remain after the latest modification. We have handled this special case in our script.

Also, admins can configure an alert policy to get notified when admins assign mailbox permissions.


Script Download: AuditMailboxPermissionChanges.ps1 


Script Highlights: 

  • The script uses modern authentication to retrieve audit logs.
  • The script can be executed with an MFA-enabled account too.
  • Exports report results to a CSV file.
  • Excludes system-generated permission changes by default.
  • Helps to detect who modified mailbox permissions.
  • Tracks who granted full access, send as, and send on behalf permissions separately.
  • Allows you to generate a mailbox permission changes audit report for a custom period.
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
  • The script is scheduler-friendly, i.e., credentials can be passed as parameters instead of being saved inside the script.


Sample Output: 

The exported report will contain the following attributes: Event Time, Operation, Performed By, Mailbox Name, Delegate Name, and Additional Audit Data. 

[Sample output: Detect who granted full access permission to a mailbox]


Script Execution Methods: 

To run the script, you can choose any one of the methods below.

Method 1: Execute the script with an MFA or non-MFA account

The exported audit report contains all mailbox permission changes in the last 90 days.  


Method 2: Execute the script by explicitly passing the credentials (scheduler friendly).

If the admin account has MFA, you need to disable MFA for it (for example via a Conditional Access policy exception) to make this method work.


More Use Cases of ‘Audit Mailbox Permission Changes Script’: 

Our script supports built-in filtering parameters to generate more granular audit reports based on your requirements. We have listed a few use cases below.

  • Track mailbox permission changes 
  • Mailbox permission auditing for a custom period 
  • Detect who granted full access permission 
  • Detect mailboxes’ send as permission changes 
  • Find send on behalf permission changes 
  • Get monthly report on mailbox permission modification 
  • Schedule mailbox permission audit report 
  • Track mailbox delegation to external users 


Track Mailbox Permission Changes: 

The script will list all the mailbox permission changes, such as adding and removing full access, send as, and send on behalf permissions, for the last 90 days.


Mailbox Permission Auditing for a Custom Period: 

By using the -StartDate and -EndDate parameters, admins can generate a mailbox permission auditing report for a custom period, such as the last 7 days, the last 30 days, or any other date range.

The example above retrieves all the mailbox permission changes between June 15, 2022, and June 30, 2022.


Detect who Granted Full Access Permission: 

To detect who gave full access permission to read, modify, or delete content in another user's mailbox, run the script with the -FullAccessOnly parameter. It also tracks full access permission removals.

The exported report will contain the full access permission changes that happened in the past 90 days. You can also use the -StartDate and -EndDate parameters to generate a report for a custom period.


Monitor Mailboxes’ Send as Permission Changes: 

When a user is granted send as permission, they can send email as the delegated mailbox, even without the mailbox owner's knowledge. Because such messages look exactly like the owner's own, send as emails are hard to track after the fact. Hence, admins need to keep an eye on send as permission changes. To find who granted and removed send as permissions, run the script with the -SendAsOnly switch parameter.


Find Send on Behalf Permission Changes: 

'Send on behalf' permission changes have to be tracked in a different way. Also, Microsoft doesn't provide the delegate name directly in this case. The audit record instead lists all the delegates who have 'send on behalf' permission after the latest permission change.

Our script applies a few filters and retrieves the name of the delegate to whom the permission was assigned. However, there is no way to retrieve the delegate name for a send on behalf removal.

To track send on behalf permission changes, execute the script with the -SendOnBehalfOnly switch parameter.
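To show what the custom-period, full access, send as and send on behalf reports above are built from, here is an added example (not the downloadable script) that queries Search-UnifiedAuditLog directly and normalises the records into the report columns. It assumes an existing Exchange Online session; the function name, parameter names and the system-account pattern used to skip service-initiated changes are my own assumptions.

```powershell
# Added example, not the AuditMailboxPermissionChanges.ps1 script.
# Assumes Connect-ExchangeOnline has already been run.
function Get-MailboxPermissionChangeReport {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-90),   # audit log keeps 90 days by default
        [datetime]$EndDate   = (Get-Date),
        [ValidateSet('All','FullAccess','SendAs','SendOnBehalf')]
        [string]$Permission  = 'All',
        [switch]$IncludeSystemChanges
    )
    # Operation names that change each permission type (cmdlet names as logged)
    $ops = switch ($Permission) {
        'FullAccess'   { 'Add-MailboxPermission','Remove-MailboxPermission' }
        'SendAs'       { 'Add-RecipientPermission','Remove-RecipientPermission' }
        'SendOnBehalf' { 'Set-Mailbox' }
        default        { 'Add-MailboxPermission','Remove-MailboxPermission',
                         'Add-RecipientPermission','Remove-RecipientPermission','Set-Mailbox' }
    }
    $records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -RecordType ExchangeAdmin -Operations $ops -ResultSize 5000
    foreach ($rec in $records) {
        $data   = $rec.AuditData | ConvertFrom-Json     # AuditData is a JSON string
        $params = @{}
        foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }
        # Set-Mailbox logs every property change; keep only send-on-behalf edits
        if ($data.Operation -eq 'Set-Mailbox' -and -not $params.ContainsKey('GrantSendOnBehalfTo')) { continue }
        # Skip service-initiated changes unless asked for (assumed UserId pattern)
        if (-not $IncludeSystemChanges -and $data.UserId -like 'NT AUTHORITY\SYSTEM*') { continue }
        $delegate = switch ($data.Operation) {
            { $_ -like '*-MailboxPermission' }   { $params['User'] }
            { $_ -like '*-RecipientPermission' } { $params['Trustee'] }
            # Send on behalf: the log only carries the delegate list after the change,
            # so a removal cannot name the delegate who lost access
            default { "Current delegates: $($params['GrantSendOnBehalfTo'])" }
        }
        [pscustomobject]@{
            'Event Time'    = $data.CreationTime
            'Operation'     = $data.Operation
            'Performed By'  = $data.UserId
            'Mailbox Name'  = $params['Identity']
            'Delegate Name' = $delegate
            'Access Rights' = $params['AccessRights']
        }
    }
}

# Usage: send as changes for a custom period, exported to CSV
Get-MailboxPermissionChangeReport -StartDate '2022-06-15' -EndDate '2022-06-30' -Permission SendAs |
    Export-Csv -Path .\MailboxPermissionChanges.csv -NoTypeInformation
```

External delegations can be spotted in the same output by filtering the 'Delegate Name' column for "#EXT#", as described later on this page.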


Schedule Mailbox Permission Audit Report: 

Since Search-UnifiedAuditLog only retains 90 days of audit data (for E3 licenses), you may need older data for analysis. In that case, scheduling the script helps you keep the audit history for a longer period.

To automate the PowerShell script, you can use the format below in the Windows Task Scheduler.

If the admin account has MFA, you need to disable MFA for it (for example via a Conditional Access policy exception) to make scheduled execution work.


Get a Monthly Report on Mailbox Permission Changes: 

To get a monthly report on mailbox permission changes, run the script as follows:

You can also use the above format to get scheduled monthly reports.


Track Mailbox Delegations to External Users: 

In some situations, admins need to give mailbox access to external users. It is therefore critical to identify who delegated mailbox access to whom. To track mailbox permission changes involving external users, open the report in Excel and filter the 'Delegate Name' column for values that contain "#EXT#".



Identifying who can access other mailboxes is one of the vital tasks in mailbox permission management. To get the mailbox permissions for all mailboxes, you can generate a mailbox permission report. Alternatively, you can get a list of the mailboxes a user has access to using our dedicated script.

I hope this blog is helpful for managing mailbox permissions in Exchange Online. If you have any queries, reach us through the comment section.