
How to remove Full Access mailbox permission

If a user with Full Access mailbox permission has left the organization, you need to revoke all their mailbox permissions. To bulk remove all mailbox permissions of a single user, it’s faster to use Exchange Online PowerShell. In this article, you will learn how to remove Full Access mailbox permission in the Exchange admin center and with PowerShell.

Remove Full Access mailbox permission in Exchange admin center

Your organization may have a user with Full Access permission to another mailbox. It means the user has the same rights as the mailbox owner. We will show you how to remove the mailbox permission in the Exchange admin center.

In our example, we would like to remove Full Access permission from a user (David Kent) to Amanda’s mailbox.

How to remove user Full Access mailbox permission

Remove Full Access permission in EAC by following the below steps:

  1. Sign in to Exchange admin center
  2. Click Recipients > Mailboxes
  3. Click the mailbox from which you want to remove the user's Full Access permission

In our example, the mailbox on which the user has Full Access permission belongs to Amanda Hansen.

  4. Click the tab Delegation
  5. Go to Read and manage (Full Access)
  6. Click on Edit
  7. Select the User Principal Name (David.Kent@m365info.com)
  8. Click Delete
  9. Click Confirm
  10. Mailbox permissions removed

It will remove the Full Access permission on the user mailbox you selected.

Remove mailbox permissions with PowerShell

We will show you how to remove or revoke all mailbox permissions with the Remove-MailboxPermission PowerShell cmdlet.

To be able to run PowerShell commands, you must Connect to Exchange Online PowerShell. Open Windows PowerShell as administrator, run the below cmdlet, and sign in with your admin credentials.

Connect-ExchangeOnline

Remove Full Access permission from single user mailbox

You can remove all mailbox permissions from a specific user mailbox, but we will only focus on Full Access permission. Therefore, we need to specify that in the PowerShell cmdlet with the parameter -AccessRights and value FullAccess.

In our example, the user (Brenda Smith) has Full Access permission on another user’s mailbox (David.Kent@m365info.com), and we want to remove these permissions.

See the PowerShell command syntax.

Remove-MailboxPermission "Identity mailbox owner" -User "Identity" -AccessRights FullAccess

By default, you will get a PowerShell prompt with a warning message. To avoid the confirmation process, we can add the parameter -Confirm:$false.

Run the below PowerShell command.

Remove-MailboxPermission "David.Kent@m365info.com" -User "Brenda.Smith@m365info.com" -AccessRights FullAccess -Confirm:$false

Bulk remove Full Access permission from user mailboxes

You can remove the Full Access mailbox permission from a specific mailbox type, such as user mailbox. To filter all user mailboxes, we need to add the -Filter parameter in our PowerShell command.

In our example, the user Brenda.Smith@m365info.com has Full Access permission on multiple mailboxes, and we want to remove these permissions on all user mailboxes.

  • Specify the user mailbox in line number 3
  • Run the below PowerShell script

$Mailboxes = Get-Mailbox -ResultSize Unlimited -Filter { (RecipientTypeDetails -eq 'UserMailbox') }   # user mailboxes only
ForEach ($member in $Mailboxes) {   # DistinguishedName is unique; Name can match more than one recipient
    Remove-MailboxPermission -Identity $member.DistinguishedName -AccessRights FullAccess -User "Brenda.Smith@m365info.com" -Confirm:$false
}

This removes the Full Access permission of the user you provided (Brenda) from all user mailboxes.

Note: You can get a warning if the object ID of the user mailbox doesn’t exist in your Exchange Online.

WARNING: Can't remove the access control entry on the object "CN=0f38d53f-cbe0-4844-86e9-1032a45ba31b,OU=ms365info.onmicrosoft.com,
OU=Microsoft Exchange Hosted Organizations,DC=EURPR02A011,DC=PROD,DC=OUTLOOK,DC=COM" for account 
"S-1-5-21-701439281-3420630407-1831248095-18491696" because the ACE doesn't exist on the object.

Read the next step if you only want to remove the mailbox permissions from another specific mailbox type, such as room mailboxes.

Bulk remove Full Access permission from room mailboxes

Let’s say that you want to remove the Full Access permission of a single user on all the room mailboxes. We will use the -Filter parameter to get the room mailboxes.

In our example, the user Brenda.Smith@m365info.com has Full Access permission on multiple mailboxes, and we want to remove these permissions on all room mailboxes.

  • Specify the user mailbox in line number 3

Run the below PowerShell script.

$Mailboxes = Get-Mailbox -ResultSize Unlimited -Filter { (RecipientTypeDetails -eq 'RoomMailbox') }   # room mailboxes only
ForEach ($member in $Mailboxes) {   # DistinguishedName is unique; Name can match more than one recipient
    Remove-MailboxPermission -Identity $member.DistinguishedName -AccessRights FullAccess -User "Brenda.Smith@m365info.com" -Confirm:$false
}

This removes the Full Access permission of the user you provided from all room mailboxes.

Bulk remove Full Access permission from all mailboxes

Sometimes, a specific user, such as a help desk team member or administrator, has Full Access mailbox permission to many mailboxes.

If we want to remove all the mailbox permissions the user has, we will first need to get a list of all the existing mailboxes. Then, we will need to check if the particular user has Full Access mailbox permission on the mailbox, and the last step will be to remove these permissions.

The command works on a variable that we named $Mailboxes. The variable holds a list of all existing mailboxes of every type, such as user mailboxes, room mailboxes, etc.

  • Specify the user mailbox in line number 3

Run the below PowerShell script.

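$Mailboxes = Get-Mailbox -ResultSize Unlimited   # every mailbox type
ForEach ($member in $Mailboxes) {   # DistinguishedName is unique; Name can match more than one recipient
    Remove-MailboxPermission -Identity $member.DistinguishedName -AccessRights FullAccess -User "Brenda.Smith@m365info.com" -Confirm:$false
}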

Note: If you have problems with AutoMapping after you remove the Full Access permission, check the article Mailbox still visible in Outlook after removing permission.
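
The three steps described above (list the mailboxes, check whether the user holds Full Access, then remove it), written out as an added example that is not part of the original article. It calls Remove-MailboxPermission only where an explicit entry was found, which avoids the "ACE doesn't exist" warning for mailboxes with nothing to remove, and it saves a record of the revoked delegations first. The $LogPath file name and the $DryRun switch are assumptions of this example.

```powershell
# Added example (not from the original article).
$User    = "Brenda.Smith@m365info.com"   # user whose Full Access is revoked
$LogPath = ".\FullAccess-revoked.csv"    # assumption: where the audit record is written
$DryRun  = $true                         # assumption: $true only reports, $false removes

# Step 1: get all mailboxes of every type
$Mailboxes = Get-Mailbox -ResultSize Unlimited

# Step 2: keep the mailboxes where $User holds an explicit Full Access allow entry
$Found = foreach ($Mailbox in $Mailboxes) {
    Get-MailboxPermission -Identity $Mailbox.DistinguishedName -User $User |
        Where-Object { ($_.AccessRights -contains 'FullAccess') -and
                       (-not $_.IsInherited) -and (-not $_.Deny) } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox     = $Mailbox.PrimarySmtpAddress
                MailboxType = $Mailbox.RecipientTypeDetails
                MailboxDN   = $Mailbox.DistinguishedName
                User        = $User
                CheckedAt   = (Get-Date).ToString('s')
            }
        }
}

# Keep a record of what is about to be revoked (useful for the offboarding ticket)
$Found | Export-Csv -Path $LogPath -NoTypeInformation

# Step 3: remove the permission only on the mailboxes found in step 2
foreach ($Entry in $Found) {
    Remove-MailboxPermission -Identity $Entry.MailboxDN -User $User `
        -AccessRights FullAccess -Confirm:$false -WhatIf:$DryRun
}

# Verify: query the same mailboxes again and count the entries that are still there
$Left = foreach ($Entry in $Found) {
    Get-MailboxPermission -Identity $Entry.MailboxDN -User $User |
        Where-Object { ($_.AccessRights -contains 'FullAccess') -and (-not $_.IsInherited) }
}
"{0} found, {1} still present (DryRun = {2})" -f @($Found).Count, @($Left).Count, $DryRun
```

With $DryRun left at $true the last line reports the same number twice; after a real run the second number should be 0.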

That’s it!


Conclusion

You learned how to remove Full Access mailbox permission in Exchange admin center and with PowerShell. Both methods work excellently, but with PowerShell, you have many more options. The Remove-MailboxPermission cmdlet removes all permissions from a single mailbox or, in bulk, from all mailboxes.


o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.