Managing mailbox delegations in Exchange Online is an essential task, especially when dealing with Full Access and Send As mailbox permissions. Granting Full Access mailbox permission allows users to read, write, and delete emails the same as the mailbox owner. These permissions are useful in various scenarios—whether it’s granting an assistant access to a manager’s inbox or temporarily managing someone’s email while they are away.
Given that users with Full Access permissions can manage mailboxes as mailbox owners, it’s also important to revoke these permissions when they are no longer needed. This blog will walk through the steps of removing Full Access mailbox permissions in Exchange Online.
Remove Full Access Mailbox Permissions in Exchange Online
You can use any of the following methods to delete delegate permission in a mailbox.
- Remove Full Access mailbox permission in Exchange admin center
- Remove Full Access mailbox permission using PowerShell
Tip: You can use the PowerShell script to view an in-depth report on users with Full Access permissions, helping you identify and remove any unnecessary access swiftly.
Remove Full Access Mailbox Permission in Exchange Admin Center
If you are more comfortable with a graphical interface, you can use Exchange admin center to revoke Full Access permission in a mailbox.
- Sign in to the Exchange admin center.
- In the Recipients section, choose Mailboxes.
- Find and select the mailbox from which you want to remove permissions.
- Go to the Delegation tab and click Edit under the Read and manage (Full Access) option.
- Select the mailbox you want to remove and click Delete.
After confirmation, the Full Access delegate permission will be removed for the specified user.
Remove Full Access Mailbox Permission Using PowerShell
To achieve better control and execute bulk operations, admins can utilize PowerShell for a fast and adaptable way to remove Full Access mailbox permissions.
Below are the actions available for removing mailbox permissions using PowerShell:
- Remove full access permission on a mailbox
- Remove full access permission on multiple mailboxes
- Remove multiple users’ full access permission on a mailbox
- Revoke a user’s full access rights on all mailboxes
Before proceeding with the above operations, connect to Exchange Online PowerShell.
Remove Full Access Permission on a Mailbox
Once connected, you can use the Remove-MailboxPermission cmdlet to delete delegate Full Access permission from a specific mailbox:
```powershell
Remove-MailboxPermission <Mailbox owner> -User <Identity> -AccessRights FullAccess
```
For example,
```powershell
Remove-MailboxPermission ben@contoso.com -User harvey@contoso.com -AccessRights FullAccess
```
After executing the above cmdlet and confirming the action, Harvey’s Full Access to Ben’s mailbox will be revoked.
Remove Full Access Permission on Multiple Mailboxes
When an organization undergoes a restructuring process, employees may be moved to different projects. Instead of manually removing permissions for each mailbox, you can automate the process to quickly revoke Full Access for users who are no longer part of the project. This approach is efficient and reduces the risk of missing any mailbox.
```powershell
# Text file with one mailbox address per line
$mailboxes = Get-Content -Path "C:\path\to\Mailboxes.txt"
# User whose Full Access is being revoked
$userToRemove = "harvey@contoso.com"
foreach ($mailbox in $mailboxes) {
    Remove-MailboxPermission -Identity $mailbox -User $userToRemove -AccessRights FullAccess -Confirm:$false
}
```
Prepare a text file listing the mailboxes, one per line, and update the -Path value in the script to point to it. Also replace harvey@contoso.com with the UPN of the user whose access you wish to remove.
After running this script, Harvey’s Full Access permissions will be revoked from all listed mailboxes.
Remove Multiple Users’ Full Access Permission on a Mailbox
In scenarios where a user changes roles or departments, it may be necessary to revoke Full Access permissions for several users from a specific mailbox. This script allows admins to efficiently remove access for multiple users at once.
```powershell
# Mailbox from which the delegates are removed
$mailbox = "ben@contoso.com"
# Text file with one user per line
$usersToRemove = Get-Content -Path "C:\path\to\UsersToRemove.txt"
foreach ($userToRemove in $usersToRemove) {
    Remove-MailboxPermission -Identity $mailbox -User $userToRemove -AccessRights FullAccess -Confirm:$false
}
```
Prepare a text file listing the users to be removed, one per line, and update the -Path value in the script to point to it. Don’t forget to replace ben@contoso.com with the actual mailbox.
After executing this script, the specified users will have their Full Access permissions removed from Ben’s mailbox.
Revoke a User’s Full Access Rights on All Mailboxes
In large organizations, service accounts are often granted Full Access to multiple mailboxes for collaborative work or administrative tasks. When a user leaves the company, or no longer needs access, it’s important to remove delegate permissions quickly to keep the mailboxes secure.
This PowerShell script helps bulk remove Full Access permissions for a specific user from all user and shared mailboxes in the organization:
```powershell
# User whose Full Access is being revoked everywhere
$userToRemove = "harvey@contoso.com"
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Remove-MailboxPermission -Identity $_.PrimarySmtpAddress -User $userToRemove -AccessRights FullAccess -Confirm:$false
}
```
This script will automatically revoke all Full Access permissions for harvey@contoso.com on every mailbox in the organization. While executing this script, don’t forget to update the username.
Tip: Once the Full Access permission is removed, confirm the changes by tracking mailbox permission changes in the Exchange Online audit.
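The organization-wide script above calls Remove-MailboxPermission on every mailbox, whether or not the user holds a grant there. The following added example (not part of the original post) first finds the mailboxes where the user has an explicit Full Access grant, saves that list to CSV, removes only those grants, and re-checks afterwards. It assumes an active Exchange Online PowerShell session; `$BackupPath`, `$Preview` and the helper `Get-ExplicitFullAccess` are hypothetical names introduced for illustration.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
$UserToRemove = "harvey@contoso.com"               # placeholder UPN
$BackupPath   = ".\FullAccess-before-removal.csv"  # placeholder output path
$Preview      = $true   # $true = -WhatIf only; set to $false to actually remove

# Hypothetical helper: explicit (non-inherited, non-deny) Full Access entries
# held by one user on one mailbox.
function Get-ExplicitFullAccess {
    param([string]$Mailbox, [string]$User)
    Get-MailboxPermission -Identity $Mailbox -User $User -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited -and -not $_.Deny }
}

# 1. Discover which mailboxes the user can actually open.
$grants = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $address = $_.PrimarySmtpAddress
    Get-ExplicitFullAccess -Mailbox $address -User $UserToRemove | ForEach-Object {
        [pscustomobject]@{ Mailbox = $address; User = $UserToRemove; AccessRights = ($_.AccessRights -join ",") }
    }
}

if (-not $grants) {
    Write-Host "No explicit Full Access grants found for $UserToRemove."
} else {
    # 2. Keep a record of what is about to be removed (useful for review or rollback).
    $grants | Export-Csv -Path $BackupPath -NoTypeInformation

    # 3. Remove only the grants that exist; report failures instead of stopping.
    foreach ($grant in $grants) {
        try {
            Remove-MailboxPermission -Identity $grant.Mailbox -User $UserToRemove `
                -AccessRights FullAccess -Confirm:$false -WhatIf:$Preview -ErrorAction Stop
        } catch {
            Write-Warning "Could not remove Full Access on $($grant.Mailbox): $($_.Exception.Message)"
        }
    }

    # 4. Re-check: any mailbox listed here still has the grant.
    if (-not $Preview) {
        $remaining = $grants | Where-Object { Get-ExplicitFullAccess -Mailbox $_.Mailbox -User $UserToRemove }
        if ($remaining) {
            Write-Warning "Full Access still present on: $($remaining.Mailbox -join ', ')"
        } else {
            Write-Host "Removed Full Access for $UserToRemove from $(@($grants).Count) mailbox(es)."
        }
    }
}
```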
I hope this blog helped you gain information on how to revoke Full Access permission from Microsoft 365 mailboxes. Feel free to reach out to us through the comments section if you have any queries.