Delegating mailboxes is one of the most useful features in Office 365. You can delegate a mailbox to another user so that they can help manage it and ease the workload.
Granting delegate permissions is straightforward. Finding out which mailboxes a user has access to is harder, because there is no immediate means of looking it up, and it is intricate work too. So, admins tend not to work on this side. To make it easier for admins, let me guide you through this blog to identify them!
Identifying which mailboxes a user can access is a laborious process, and it is not possible at all using the UI. With PowerShell it is possible, but you have to loop through commands like Get-MailboxPermission and Get-RecipientPermission and identify the user's rights on other mailboxes. Seems like a hassle?
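The manual loop described above, written out for a single user, as an added example (it is not the code of MailboxesUserCanAccess.ps1). It assumes an existing Exchange Online PowerShell session; the function name Get-DelegatedAccessForUser, the output file name and the address are hypothetical.

```powershell
# Added example: manual lookup of one user's rights on other mailboxes.
# Assumes the ExchangeOnlineManagement module and a session opened with Connect-ExchangeOnline.
function Get-DelegatedAccessForUser {
    param([Parameter(Mandatory)][string]$Upn)

    $user      = Get-Recipient -Identity $Upn -ErrorAction Stop
    $mailboxes = Get-Mailbox -ResultSize Unlimited

    # Full Access is stored on each mailbox, so every mailbox has to be queried.
    foreach ($mbx in $mailboxes) {
        Get-MailboxPermission -Identity $mbx.UserPrincipalName -User $Upn |
            Where-Object { $_.AccessRights -match 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny } |
            ForEach-Object {
                [pscustomobject]@{ UserName = $Upn; AccessType = 'FullAccess'; DelegatedMailbox = $mbx.UserPrincipalName }
            }
    }

    # Send As can be queried by trustee directly.
    Get-RecipientPermission -Trustee $Upn -ResultSize Unlimited |
        Where-Object { $_.AccessRights -match 'SendAs' -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{ UserName = $Upn; AccessType = 'SendAs'; DelegatedMailbox = $_.Identity }
        }

    # Send on Behalf is a mailbox property (GrantSendOnBehalfTo), filtered on the user's DN.
    $dn = $user.DistinguishedName -replace "'", "''"   # escape quotes for the filter string
    Get-Mailbox -ResultSize Unlimited -Filter "GrantSendOnBehalfTo -eq '$dn'" |
        ForEach-Object {
            [pscustomobject]@{ UserName = $Upn; AccessType = 'SendOnBehalf'; DelegatedMailbox = $_.UserPrincipalName }
        }
}

# 'user@contoso.com' is a placeholder address.
Get-DelegatedAccessForUser -Upn 'user@contoso.com' |
    Export-Csv -Path .\DelegatedAccess.csv -NoTypeInformation
```

Inherited and Deny entries are filtered out so that only explicitly granted rights are listed; permissions granted through a group the user belongs to are not expanded here.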
Fear not! We took the hassle away. To make this process easier and more effective for admins, we have prepared a script that lets you get the answer as quickly as possible.
Download Now: MailboxesUserCanAccess.ps1
- Exports mailbox rights for all users by default.
- Allows you to generate a mailbox rights report for a list of users through an input CSV.
- Lists the mailboxes on which the users have Send As/Send On Behalf/Full Access permissions.
- The script can also be executed with an MFA-enabled account.
- Exports report results to a CSV file.
- The script is scheduler-friendly, i.e., credentials are passed as parameters, so worry not!
How to Execute the Script?
Method 1: You can use the below method to run the script with both MFA and non-MFA accounts.
Method 2: To run a script non-interactively (i.e., Scheduler-friendly), you can use the below format.
.\MailboxesUserCanAccess.ps1 -UserName email@example.com -Password XXX
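For a scheduled task, the password does not have to be written into the task's command line. The wrapper below is an added example, not part of the original script; the credential file path is an assumption, and only the -UserName and -Password parameters come from the script itself.

```powershell
# Added example: wrapper for a scheduled run. The path below is an assumed location.
$credFile = Join-Path $env:LOCALAPPDATA 'MailboxReport\report-cred.xml'

# One-time setup, run interactively as the same Windows account the task runs under:
#   New-Item -ItemType Directory -Path (Split-Path $credFile) -Force | Out-Null
#   Get-Credential | Export-Clixml -Path $credFile
# On Windows, Export-Clixml protects the password with DPAPI, so the file can only be
# decrypted by that account on that machine.

if (-not (Test-Path -Path $credFile)) {
    throw "Credential file not found: $credFile. Run the one-time setup first."
}

# Decrypt at run time and hand the values to the script's parameters.
$cred     = Import-Clixml -Path $credFile
$password = $cred.GetNetworkCredential().Password

& .\MailboxesUserCanAccess.ps1 -UserName $cred.UserName -Password $password
```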
List All Mailboxes User Can Access – Sample Output:
The script exports a nicely formatted CSV file with the important attributes:
- User Name,
- Access Type, and
- Delegated Mailbox Name.
In the access type column, you can view the level of access they have to another mailbox. Furthermore, you can tweak the script to configure the attributes based on your needs. The output file will be stored in the current working directory.
This script supports built-in filtering parameters to quickly list all mailboxes to which a particular user has access. Some of the use cases are listed below.
- Get a List of Mailboxes the Users Have Access to
- List All Mailboxes to Which a Particular User Has Access
- Get a List of Users with Send As Permissions
- Export Mailboxes on Which the Users Have Send on Behalf Permissions
- Find the Mailboxes with Full Access Permissions
- View Mailbox Access for a List of Users (Import CSV)
By default, the script returns all the mailboxes users can access in your Office 365 environment.
For instance, it takes a user and lists all the delegated permissions (the mailboxes to which the user has access).
Here, it lists AdeleV's access rights on other mailboxes. AdeleV can fully access HenriettaM's mailbox and also has the power to send as PattiF. Likewise, it exports all the mailboxes that the user has access to.
It is not always necessary to get every user's mailbox rights. To get a particular user's access to other mailboxes, run the script by specifying the -UPN of the user. It exports the access rights that user has to others.
.\MailboxesUserCanAccess.ps1 -UPN firstname.lastname@example.org
Further, to determine whether a user has a particular access right (Send As/SendOnBehalf/FullAccess) over another user, you can specify the access right as a parameter along with -UPN while running the script.
.\MailboxesUserCanAccess.ps1 -UPN email@example.com -SendAs
Send As is a permission that we need to keep a keen eye on, because the message looks as if the owner of the mailbox sent it, though it is actually sent by the delegated user. Only Exchange administrators can grant this permission.
To identify the users with SendAs permissions, use the parameter -SendAs. It'll export usernames together with their corresponding delegated mailbox names.
The Send on Behalf permission permits you to act on behalf of another user or group. The messages sent will be marked as 'AdeleV Send on behalf of the Marketing group'. With Send on Behalf, you can identify who initiated the message, but Send As does not let you see who sent the message.
Run the script with the parameter -SendOnBehalf to get users with Send on Behalf permissions on other mailboxes.
The FullAccess permission lets a user read emails and modify the content of another mailbox. But that doesn't mean they can send messages.
To get a detailed report about the users who have FullAccess permissions on other mailboxes, run the script with the -FullAccess parameter to export the results to a CSV file.
To identify mailbox permissions for specific users, pass an input CSV file with the attribute User_Principal_Name containing the specified usernames. The script will then export the delegated mailbox names of those particular users.
.\MailboxesUserCanAccess.ps1 -CSV "./import.csv"
Both PowerShell and Office 365 Reports make it tough to generate clear and detailed reports on mailbox permissions. Typically, the reports are very basic.
If you're looking for something that provides better, more advanced reports than the native Office 365 reports, then I've got something to show you! I suggest taking a look at AdminDroid Office 365 reporting software. You can audit your mailboxes to the fullest extent with AdminDroid. For example, it gives you extensive reports on mailbox access, mailbox activities, mailbox permission changes, mail flow, and everything related to mailboxes in the following areas:
- Mailbox permission summary
- Mailbox with send as permission
- Mailbox with send on behalf permission
- Mailbox with full permission
- Mailbox with read permission
- Access to other mailbox reports
Audit Mailbox Permission Changes:
- Mailbox permission changes
- Mailbox folder permission changes
- Public folder permission changes
- Send As permission changes
- Folder authorization activities
Admins Mailbox Access:
- Admin Mailboxes access to other mailboxes
- Admins Mailboxes with Send As permission
- Admins Mailboxes with Send on Behalf permission
- Admins Mailboxes with Full Access permission
Shared Mailbox Permissions:
- Shared Mailbox permission detailed report
- Shared Mailbox permission summary
Guest Mailbox Permissions:
- Guests’ mailbox permission summary
- Guest access to other mailboxes
AdminDroid provides out-of-the-box reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, and a lot more. With AdminDroid's easy-to-use interface, you will have access to 1500+ all-inclusive reports for Exchange Online, SharePoint Online, OneDrive for Business, and every other Office 365 service.
The free Office 365 reporting tool by AdminDroid provides reports on the organization's groups, group membership, group membership changes, users, licenses, user logins, password changes, etc. The free version contains 100+ reports and dashboards. When it comes to auditing and reporting, you can be sure AdminDroid has you covered.
Download AdminDroid now and start experiencing the features to the fullest!
To conclude briefly, keeping track of mailbox permissions is key to maintaining security within your organization. Use this script to stay on top of it without giving erroneous access to another user.
Need help? Drop your queries in the comments. We would love to solve them for you!