Full Access Mailbox permission – Everything You Always Wanted to Know About But Were Afraid to Ask part 3/3


This is the last in a series of three articles that deal with implementing and using the Full Access Mailbox permission in an Office 365 environment.
The article includes two parts:

  • Part 1: Displaying Mailbox permissions
    In this section, we will review the basic PowerShell command for displaying mailbox permissions and demonstrate a few enhancements that help us to “clean” unnecessary information from the output.
  • Part 2: Removing Mailbox permissions
    The PowerShell command syntax for removing mailbox permissions is identical to the syntax that we use for adding a mailbox permission. Despite that, it was important to me to review some typical scenarios that relate to removing Full Access mailbox permissions.

Full Access Mailbox permission | Article Series

The Full Access Mailbox permission article series, including the following three articles:

PowerShell | Help & additional information

If you are a novice in the PowerShell environment, you can use the following link to get more information about the “first steps”, such as downloading the required PowerShell software components, how to use the PowerShell console, running a PowerShell script, etc.

PowerShell Naming Conventions & general information

If you want more information about the naming conventions that we use in this article, and some general tips about how to work with PowerShell, read the article: Help and additional information – o365info.com PowerShell articles

Create remote PowerShell session

Before we can use the required PowerShell commands, we need to download and install the Office 365 cmdlets and create a remote PowerShell session to Office 365 or Exchange Online. If you need more information about how to create a remote PowerShell session, read the following articles: Part 2: Connect to Office 365 by using Remote PowerShell and Part 3: Connect to Exchange Online by using Remote PowerShell

How to use a PowerShell script

Most of the PowerShell articles include a PowerShell script that simplifies the use of the PowerShell commands. If you want more information about how to use a PowerShell script, read the article: Connect to Office 365 and Exchange Online using a script

PowerShell command and script language in more detail

If you are new to the PowerShell world, you can read more about PowerShell in the Office 365 environment in the article: The Power of PowerShell


Part 1: Display Mailbox permissions

When we use the basic PowerShell command for displaying mailbox permissions in an Office 365 (Exchange Online) environment, we run into two issues:

  1. Non-relevant information
    The displayed result includes additional details about the permission that the particular user has on his own mailbox, and additional information about the built-in system groups that have permissions on each of the user mailboxes.
  2. The username format
    When we display information about a mailbox permission, the user name is displayed by using the AD username. In an Office 365 (Exchange Online) environment, this username is different from the standard user display name or the mailbox alias. The result is sometimes hard to read because the “strange AD user names” are harder to recognize than the conventions that we know, such as referencing a user by his display name or alias.

Using the default display for displaying mailbox permissions

The PowerShell cmdlet that we use for displaying mailbox permissions is:
Get-MailboxPermission

For example, to display the Full Access mailbox permissions that users (or a group) have on John’s mailbox, we can use the PowerShell command:

Get-MailboxPermission John

The output is displayed in the following screenshot.

Default display of mailbox permissions

Technically, we got the required results, but if we look more closely at the result that is shown on the PowerShell console, we can recognize some “issues”:

The user column

Under the header named User, we can see information about many “objects”, such as a built-in system group that has Full Access permission to John’s mailbox, and other users. The information about the “objects” that have mailbox permissions is not very clear, for three reasons:

Additionally, the default display includes columns such as IsInherited and Deny (number 2). Most of the time this information is also non-relevant.

Optimize the results of the Displayed Mailbox permissions

Step 1 – clear unnecessary columns

In the first step, we will remove the non-relevant columns by using the FL (file list) parameter. The FL option enables us to specify the exact columns to display (by specifying the column header names). In our example, we would like to display only the following columns: Identity, user, AccessRights

PowerShell command syntax:

In the screenshot we can see that the “user” column is now displayed more clearly, but we still have some issues. There is a lot of non-relevant information, such as the built-in system groups that have Full Access permissions on John’s mailbox. Additionally, the users who have Full Access permission, such as the admin account, are displayed by using the Active Directory username, which is a combination of the username and numbers.

Default display of mailbox permissions-01

Step 2 – clear unnecessary information about built-in groups and SELF

To display only the “explicitly assigned permissions” on a mailbox, we need to filter out the non-relevant data.
The first detail that we want to remove is the “SELF” permission that each user has on his own mailbox. The second type of permission that we want to remove from the displayed result is described as “IsInherited” permissions.

To clear out the unnecessary information, we will use a logical condition (by using the PowerShell command – Where) to exclude the mailbox permissions that are classified as: NT AUTHORITY\SELF and IsInherited

PowerShell command syntax:

In the following screenshot, we can see that we successfully managed to clear out most of the non-relevant information. We can now clearly see that two users have Full Access mailbox permission on John’s mailbox.

Default display of mailbox permissions-02

Step 3 – Using calculated properties

In the next step, we will complete the required task. Our mission now is to get a more readable user name in the User column.
We will replace the Active Directory username convention by using the property: “name”.
Additionally, we will change the column header from the existing name, User, to a friendlier column header.

For this purpose, we will create a new column header called “Users who have Full Access.” The content of the new column will include the name of each user who has Full Access mailbox permissions on John’s mailbox but, instead of the standard username convention, we “pull out” the “name” property (or identifier) for each of the users who have permissions.

PowerShell command syntax:

In the following screenshot, we can see the results.

Using calculated properties

The output that is displayed in the PowerShell console is more understandable. We can see that the output includes a “new column header” named Users who have Full Access, and we can see the names of the users who have mailbox permissions on John’s mailbox.

But there is still an additional improvement that we can make. In the screenshot, we can see that there is a “significant space” between the columns. If the PowerShell window is not wide enough, we could “lose” some information. So is there any option to reduce the space between the columns? The answer is “Yes” (go to the next step).

Step 4 – Using AutoSize option

In this step, we will use the AutoSize parameter to reduce the space between the result columns.

PowerShell command syntax:

In the following screenshot, we can see the results.

Using AutoSize option

Step 5 – Filter out only Full Access mailbox permissions

As mentioned before, the term “Mailbox permissions” includes a variety of different types of permissions. The most common permission is Full Access, but sometimes a different kind of mailbox permission is implemented.

When we use the PowerShell cmdlet Get-MailboxPermission, the results include all the available mailbox permissions that users have on the mailbox.

If we want to display only Full Access mailbox permissions, we can filter the results by using the Where parameter

($_.AccessRights -like "*FullAccess*")

PowerShell command syntax:
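
Steps 1 to 5 combined into one pipeline, as an added example that is not the article's original command. The function name Get-ExplicitFullAccess is hypothetical, and resolving the readable name through Get-Recipient is an assumption about how the “name” property is obtained; the function also accepts several mailbox names at once.

```powershell
# Added example (not the article's command). Requires a connected Exchange Online session.
function Get-ExplicitFullAccess {
    param(
        # One or more mailbox identities, for example 'John' or 'John','Alice'
        [Parameter(Mandatory)] [string[]] $Mailbox
    )
    foreach ($mbx in $Mailbox) {
        Get-MailboxPermission -Identity $mbx |
            Where-Object {
                # Step 2: drop the owner's own entry and inherited (built-in group) entries
                ($_.User -notlike 'NT AUTHORITY\SELF') -and
                (-not $_.IsInherited) -and
                # Step 5: keep only entries that include Full Access
                ($_.AccessRights -like '*FullAccess*')
            } |
            # Steps 1 and 3: keep three columns and replace the User column.
            # (FL is the alias of Format-List; Select-Object is used here instead
            # so the result stays an object that Format-Table can size.)
            Select-Object Identity,
                @{ Name       = 'Users who have Full Access'
                   Expression = {
                       # Assumption: Get-Recipient resolves the entry to a readable Name.
                       # Entries that no longer resolve (for example the SID of a
                       # deleted account) fall back to the raw value.
                       $r = Get-Recipient -Identity "$($_.User)" -ErrorAction SilentlyContinue
                       if ($r) { $r.Name } else { "$($_.User)" }
                   } },
                AccessRights
    }
}

# Step 4: -AutoSize trims the padding between the columns
Get-ExplicitFullAccess -Mailbox 'John' | Format-Table -AutoSize
```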

Additional scenarios for displaying mailbox permissions

In the former section, we reviewed a scenario in which we wanted to get information about the mailbox permissions that other users have on a specific user’s mailbox. In the following section, we will review additional scenarios that relate to the task of displaying mailbox permissions.

Display the list of mailboxes on which a user has Full Access permissions


In the following scenario, we would like to get information about the permissions that a particular user has on other mailboxes.

For example, we would like to get information about the mailboxes on which the user Administrator has Full Access mailbox permission.

Full Access mailbox permission

To accomplish this task, in the first part of the PowerShell command, we use the command Get-Mailbox to get a list of all the existing mailboxes. In the second part, we use the command Get-MailboxPermission and add the username. The PowerShell command goes through the whole array of mailboxes, checks on which mailboxes the admin user has mailbox permission and displays the results. The rest of the PowerShell command is used for improving the results that are displayed by the Get-MailboxPermission command.

PowerShell command syntax:

Display a list of recipients that have Full Access permission on other recipients

In the following scenario, we would like to get a list of all the users whose mailbox another user has permission on.

PowerShell command syntax:

Display permissions for more than one mailbox

The task: we would like to get information about the mailbox permissions on more than one mailbox. In our example, we would like to know who has mailbox permissions on John’s and Alice’s mailboxes. We can add each of the user names, separated by a comma.

PowerShell command syntax:

To improve the look of the displayed result, we will enhance the basic PowerShell command to remove non-relevant information.

PowerShell command syntax:


Part 2: Remove Mailbox permissions

In the last section we will review the way that we have for removing mailbox permissions. The PowerShell command that we use for removing or revoking mailbox permissions is:
Remove-MailboxPermission.

Remove Mailbox permissions scenarios.

Scenario 1 – Remove mailbox permission from a user mailbox

Let’s start with a basic example: we want to remove the Full Access mailbox permissions that Alice has on John’s mailbox.

PowerShell command syntax:

By default, the PowerShell cmdlet for removing mailbox permissions displays a warning message: “Are you sure you want to perform this action?”

If we are running a script that performs a bulk task, such as removing the mailbox permissions that many users have on a particular mailbox, the “confirmation process” could be quite exhausting.

To avoid the confirmation process, we can add the parameter: -Confirm:$False

PowerShell command syntax:

Scenario 2 – Remove mailbox permission from a collection of mailboxes

This scenario can be used when a specific user, such as a help desk team member or an administrator, has Full Access mailbox permission on many mailboxes.
If we want to remove the mailbox permissions that this user has, we first need to get a list of all the existing mailboxes. Then we need to check whether the particular user has Full Access mailbox permission on each mailbox, and the last step is to remove these permissions.

PowerShell command syntax:

The command that we use is based on the variable that we named $Mailboxes. The variable value includes a list of all the existing mailboxes of every type, such as user mailbox, room mailbox and so on.

If we need to remove the Full Access mailbox permission from a specific mailbox type, we can add a filter option to the variable.

Scenario 3: Remove Full Access permissions only from user mailboxes (Filter user mailboxes)

PowerShell command syntax:

Scenario 4: Remove Full Access permissions only from Room mailboxes (Filter Room mailboxes)

PowerShell command syntax:
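
Scenarios 1 to 4 as one function, written as an added example rather than the article's own script; run with -WhatIf, it also serves as the Part 1 lookup of every mailbox on which a given user has Full Access. The function name Remove-FullAccessFromMailboxes and the shape of the output record are hypothetical; $Mailboxes and -Confirm:$false are used as the article describes them.

```powershell
# Added example (not the article's script). Requires a connected Exchange Online session.
function Remove-FullAccessFromMailboxes {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $User,   # delegate to revoke, e.g. 'Alice'
        [string[]] $RecipientTypeDetails         # optional: 'UserMailbox', 'RoomMailbox', ...
    )

    # $Mailboxes as in the article: all mailboxes, optionally limited to one type
    $query = @{ ResultSize = 'Unlimited' }
    if ($RecipientTypeDetails) { $query.RecipientTypeDetails = $RecipientTypeDetails }
    $Mailboxes = Get-Mailbox @query

    foreach ($mbx in $Mailboxes) {
        $id = "$($mbx.PrimarySmtpAddress)"

        # Explicit (non-inherited) Full Access entries that $User holds on this mailbox
        $grants = Get-MailboxPermission -Identity $id -User $User |
            Where-Object { (-not $_.IsInherited) -and ($_.AccessRights -like '*FullAccess*') }

        foreach ($grant in $grants) {
            $removed = $false
            # Honors -WhatIf; the cmdlet's own prompt is suppressed with -Confirm:$false
            if ($PSCmdlet.ShouldProcess($id, "Remove FullAccess held by $User")) {
                Remove-MailboxPermission -Identity $id -User $User -AccessRights FullAccess `
                    -Confirm:$false -ErrorAction Stop
                $removed = $true
            }
            # One record per grant, so the run doubles as a report of what was found
            [pscustomobject]@{ Mailbox = $id; User = $User; Removed = $removed }
        }
    }
}

# Scenario 1 (single mailbox) is the bare cmdlet:
#   Remove-MailboxPermission -Identity John -User Alice -AccessRights FullAccess -Confirm:$false
# Dry run over user mailboxes only (Scenario 3); use RoomMailbox for Scenario 4
Remove-FullAccessFromMailboxes -User 'Administrator' -RecipientTypeDetails UserMailbox -WhatIf
```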

Tail end

So, now you are a PowerShell mailbox permission specialist!
I hope that you enjoyed reading the article, and that it was useful for you.
I would like to thank Shay Levy (Co-Founder, PowerShellMagazine.com), who helped me a lot with the PowerShell command syntax, and the additional contributor who prefers to stay anonymous.

May the power of the PowerShell be with you!

Eyal Doron

3 Responses to “Full Access Mailbox permission – Everything You Always Wanted to Know About But Were Afraid to Ask part 3/3”

  1. GREAT article!

    I have one question:
    Is it possible to grant full access to one user, but only for the mailbox? The user who has full access is not interested in contacts, notes and to-dos.

    Pretty big issue right now.

  2. How do I export a list of all the mailboxes which shows whether a) they have a license, b) are shared, c) auto-mapping is enabled or disabled?
