Admins need to verify mailbox folder permissions in Exchange Online to avoid breaches of confidential data. Reviewing mailbox folder permissions helps find suspicious access granted to crucial mailbox folders that might cause severe security issues. The Microsoft 365 admin center has no way to show folder permission levels, which leaves PowerShell as the only option. Let’s dive into how to get mailbox folder permissions using PowerShell to manage Exchange Online mailboxes effectively.
Verify Mailbox Folder Permissions Using PowerShell
Admins can get mailbox folder permissions using the ‘Get-MailboxFolderPermission’ cmdlet in the Exchange Online PowerShell module. This cmdlet retrieves the permission level of each mailbox folder, along with access rights, username, and more. Reviewing both the mailbox folder permission report and the mailbox folder statistics report is crucial, as both reports assist admins in managing mailbox folders efficiently.
However, tweaking the report to meet your desired results using PowerShell demands more of your time. But guess what? We have crafted a PowerShell script that generates 7+ reports to solve all your use cases and saves your time efficiently.
Script Highlights
- The script automatically verifies and installs the Exchange PowerShell module (if not installed already) upon your confirmation.
- The script can generate 7+ folder permission reports.
- Retrieves all mailbox folders and their permissions for all mailboxes.
- Shows permission for a specific folder in all mailboxes.
- Get a list of mailbox folders a user has access to.
- Retrieves all mailbox folders delegated with specific access rights.
- Provides an option to exclude default and anonymous access.
- Retrieves folder permissions for all user mailboxes.
- Retrieves folder permissions for all shared mailboxes.
- Exports report results to CSV.
- The script is scheduler friendly.
- It can be executed with certificate-based authentication (CBA) too.
Download Script: GetMailboxFolderPermissionReport.ps1
Mailbox Folder Permission Report – Sample Output
The script exports all the Microsoft 365 mailboxes available in the organization with the following attributes:
- Display Name
- UPN
- Folder Name
- Folder Identity
- Mailbox Type
- Shared To
- Access Rights
Exchange Online Mailbox Folder Permission Report – Script Execution Methods
- Download the script.
- Start the Windows PowerShell.
- Select any of the methods provided to execute the script.
Method 1: You can run the script with MFA and non-MFA accounts.
./GetMailboxFolderPermissionReport.ps1
This example exports the Exchange Online mailbox folder permissions for each folder into a CSV file.
Method 2: You can explicitly pass credentials (username and password) and execute the script.
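./GetMailboxFolderPermissionReport.ps1 -UserName <UPN> -Password <Password>
You can schedule the script using Task Scheduler for non-MFA admin accounts. Because the password is passed in plain text on the command line, it can end up in PowerShell history and in the scheduled task definition; for unattended runs, Method 3 avoids storing a password.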
Method 3: You can also run the script using certificate-based authentication, which is also scheduler friendly. When you want to run the script unattended, you can choose this method. To do this, you must register the app in Azure AD.
./GetMailboxFolderPermissionReport.ps1 -Organization <Domain> -ClientID <AppId> -CertificateThumbPrint <CertThumbPrint>
You can use either a certificate issued by a recognized certificate authority (CA) or create a self-signed SSL certificate.
Find & Export Mailbox Folder Permission Report Using PowerShell
By utilizing this script, you can get tailored solutions for the below use cases:
- Retrieve folder permissions for all mailbox folders
- Get folder permissions for a specific folder in all mailboxes
- Get mailbox folder permission for a specific mailbox
- Verify folder permissions for bulk mailboxes
- Get a list of mailbox folders a user can access
- Retrieve mailbox folders delegated with specific access rights
- Get folder permission levels for all user mailboxes
- Get mailbox folder permissions for shared mailboxes
- Obtain mailbox folder permissions except default and anonymous access
1. Retrieve Folder Permissions for all Mailbox Folders
Monitoring Exchange Online mailbox permission report is necessary to analyze who has access to other mailboxes. Similarly, admins can export mailbox folder permissions in Exchange Online to get an overview of all folder & subfolder permission levels and their details.
To get mailbox folder permissions for all folders, run the script below.
./GetMailboxFolderPermissionReport.ps1
Admins will get folder path, access rights, and users who have access to the folder for each mailbox separately.
2. Get Folder Permissions for a Specific Folder in Exchange Online
Some mailbox folders may not require periodic monitoring compared to others. For example, admins may want to monitor only the ‘Inbox’ folder permissions or view calendar permissions for all mailboxes in the organization. To achieve this, run the script by specifying the desired folder in the -SpecificFolder parameter.
./GetMailboxFolderPermissionReport.ps1 -SpecificFolder Inbox
The above format will export Inbox folder permissions for all mailboxes in your Exchange Online environment.
3. Get Mailbox Folder Permission for a Specific Mailbox
If admins want to retrieve folder permission details for a specific confidential mailbox, run the script by specifying the respective mailbox’s UPN in the -MailboxUPN parameter.
./GetMailboxFolderPermissionReport.ps1 -MailboxUPN james@contoso.com
The report output shows the access rights on each folder of the mailbox named ‘james’, excluding other mailboxes in the organization.
4. Verify Folder Permissions for Bulk Mailboxes
Monitoring folder permissions for multiple mailboxes helps to check for any suspicious access to critical mailbox folders in the organization. To get folder permissions for bulk mailboxes, run the script by providing the CSV file path in the -MailboxCSV parameter.
./GetMailboxFolderPermissionReport.ps1 -MailboxCSV <FilePath>
You can replace <FilePath> with your saved CSV file path. Remember that you should create a CSV file and provide the mailbox UPNs under the column name ‘Mailboxes’.
5. Get a List of Mailbox Folders a User Can Access
It is important for admins to review the Exchange Online mailboxes a user has access to, to check whether any suspicious user has access to a critical mailbox. Likewise, admins may want to check all the mailbox folders a specific user has access to. Thus, admins can easily find the list of folders to which a former employee has access and assign it to other users. To get this report, run the script with the -FoldersUserCanAccess parameter and provide the desired user’s UPN.
./GetMailboxFolderPermissionReport.ps1 -FoldersUserCanAccess alya@contoso.com
The exported output provides the list of folders to which ‘Alya’ has delegated access.
6. Retrieve Mailbox Folders with Specific Access Rights
Admins can verify all mailbox folders and subfolders having any specific delegated access rights to ensure that only the required users are granted permission. To get mailbox folders delegated with specific access rights, pass the permission with the -AccessRights parameter.
./GetMailboxFolderPermissionReport.ps1 -AccessRights Owner
The output will show the list of folders to which users have Owner access rights. You can also check mailbox folders for various access permissions, such as owner, contributor, editor, author, reviewer, etc.
7. Get Folder Permission Levels for all User Mailboxes
Admins can get folder permissions for all user mailboxes, excluding other mailbox types for enhanced monitoring. To get permission levels for user mailbox folders, run the script with the -UserMailboxOnly parameter.
./GetMailboxFolderPermissionReport.ps1 -UserMailboxOnly
The exported report provides all the user mailbox folders and subfolders along with their access rights.
8. Get Mailbox Folder Permission for Shared Mailboxes
The shared mailbox permission report must be monitored often to ensure only authorized users can access the shared mailboxes. Also, shared mailbox folders should be reviewed periodically to ensure security. To get the folder permission levels for all shared mailboxes, run the script with the -SharedMailboxOnly parameter as below.
./GetMailboxFolderPermissionReport.ps1 -SharedMailboxOnly
The output retrieves all the folders and subfolders with their access rights for each shared mailbox separately.
9. Obtain Mailbox Folder Permissions Except Default and Anonymous Access
Sometimes admins might want to focus on crucial mailbox folder permissions, avoiding unwanted noise. Default and anonymous access rights are the default set of permissions for users in the organization and external users. So, monitoring these permissions for every folder might not be useful in several cases.
To get mailbox folder permissions excluding default and anonymous access, run the script with the -ExcludeDefaultAndAnonymousUsers parameter.
./GetMailboxFolderPermissionReport.ps1 -ExcludeDefaultAndAnonymousUsers
You will get the results with the list of folders and subfolders along with access rights assigned to users, excluding the default and anonymous access details.
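To show what the ‘Get-MailboxFolderPermission’ cmdlet returns per folder and how Default and Anonymous entries can be filtered, here is an added example (not taken from GetMailboxFolderPermissionReport.ps1). It goes slightly beyond a plain exclusion: Default and Anonymous entries are dropped only when they hold nothing more than None or AvailabilityOnly, and are flagged for review otherwise. The function name, the -SkipBaselineDefaults switch, the output column names and the output file name are hypothetical, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example; assumes Connect-ExchangeOnline has already been run.
# Get-FolderGrant and -SkipBaselineDefaults are hypothetical names for illustration.
function Get-FolderGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MailboxUPN,
        [switch] $SkipBaselineDefaults
    )
    # Rights that expose no item content when held by Default/Anonymous
    $baseline = 'None', 'AvailabilityOnly'

    foreach ($folder in Get-MailboxFolderStatistics -Identity $MailboxUPN) {
        # Folder identity format is <mailbox>:\<path>; the root folder is <mailbox>:\
        if ($folder.FolderType -eq 'Root') { $path = '\' }
        else { $path = $folder.FolderPath.Replace('/', '\') }

        # Some system folders cannot be queried; skip them instead of stopping
        $perms = Get-MailboxFolderPermission -Identity "${MailboxUPN}:$path" -ErrorAction SilentlyContinue

        foreach ($perm in $perms) {
            $user   = [string]$perm.User
            $rights = @($perm.AccessRights | ForEach-Object { [string]$_ })
            $isWide = $user -in 'Default', 'Anonymous'
            $beyond = @($rights | Where-Object { $_ -notin $baseline }).Count -gt 0

            # Drop Default/Anonymous rows only when they grant nothing beyond the baseline
            if ($isWide -and -not $beyond -and $SkipBaselineDefaults) { continue }

            [pscustomobject]@{
                MailboxUPN   = $MailboxUPN
                FolderPath   = $folder.FolderPath
                SharedTo     = $user
                AccessRights = $rights -join ','
                Review       = ($isWide -and $beyond)   # org-wide or external access to content
            }
        }
    }
}

# Sample call with the mailbox used earlier on this page; output file name is arbitrary
Get-FolderGrant -MailboxUPN 'james@contoso.com' -SkipBaselineDefaults |
    Sort-Object -Property Review -Descending |
    Export-Csv -Path .\FolderGrants.csv -NoTypeInformation
```

Rows with Review set to True are folders where every user in the organization (Default) or external users (Anonymous) can do more than see free/busy information.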
Periodic verification of mailbox folder permissions is necessary to avoid unauthorized access to critical mailbox folders and improve security. On top of that, monitoring mailbox usage, mailbox delegate access, configuration changes, inactivity, etc., is crucial for appropriate mailbox management. Here comes the AdminDroid Exchange Online management tool! It gives end-to-end details of EXO mailboxes with precise insights to enhance your mailbox management as never before.
Hope this blog helps admins to retrieve mailbox folder permissions efficiently and enhance Exchange Online mailbox security. Drop your queries in the comment section. Happy scripting!