Manage Send As Permissions using PowerShell – Office 365

This article is dedicated to management tasks that relate to the Send As permission, performed using PowerShell.

The Send As permission enables recipient X to send an E-mail message using the identity of a recipient Y.
Technically speaking, this method can be described as “impersonation.”

In an Office 365 based environment, we can perform administrative tasks that relate to assigning or removing the Send As permission via the Exchange Online graphical admin portal or by using PowerShell commands.

Why do our users need to have Send As permission to another user?

In an Exchange based environment, there are many possible scenarios in which our users need to “hide” their identity and present themselves using the identity of another recipient.

A classic scenario is the personal assistant and the manager: the personal assistant sends E-mail to another recipient using the identity of his manager.

Another scenario is one in which help desk employees send a response E-mail to a support ticket using the identity of the “Help Desk” E-mail address instead of their “real identity.”

A couple of details worth mentioning about Send As permissions

  1. A recipient X cannot “give” the Send As permission to another recipient by himself. The “authority” that can assign the Send As permission is the Exchange administrator.
  2. A recipient who has an Alias in addition to his primary E-mail address cannot send E-mail using his Alias (Send As) because, as funny as it sounds, we cannot assign the Send As permission to the recipient Alias. In this case, the only solution is to create a distribution group that uses the E-mail address of the “Alias” and assign the recipient Send As permission on the distribution group.
  3. We can use the Exchange Online graphical admin portal to assign Send As permission on almost all the recipient types, except a contact recipient.
  4. At the current time, we cannot use the Exchange Online graphical admin portal to display and export information about existing Send As permissions.

Send As permission and the “trustee” concept

The Send As permission is based upon a concept in which recipient X “agrees” to enable recipient Y to send E-mail using his identity (his E-mail address).

User “Y”, who gets the Send As permission, is defined as a “trustee.”

For example-

  • Suzan is John’s personal assistant.
  • We want to enable Suzan to send E-mail using John’s E-mail address.
  • To accomplish this requirement, we will grant Suzan the Send As permission on John’s
  • Suzan will be described as the “trustee” of John.

Send As permissions logic -The Trustee concept

Manage Send As permissions using PowerShell in Office 365 based environment

In the next section, we will review a variety of scenarios that relate to the task of managing Send As permissions using PowerShell in an Office 365 based environment.

I have grouped the different Send As permissions scenarios using the following classification:

  1. Management tasks that relate to – Assign \ Grant Send As Permissions.
  2. Management tasks that relate to – Display \ View information about Send As permissions.
  3. Management tasks that relate to – Remove \ Revoke existing Send As Permissions.

In case you are a newbie in the PowerShell world, I have added some links to PowerShell introduction articles at the bottom of the article.

Section 1#3 | Assign Send As Permissions

Assigning or granting the Send As permission is implemented by using the PowerShell cmdlet – Add-RecipientPermission

Scenario 1.1 – Assign Send As Permissions to user X on user Y Mailbox.

Scenario description

  • Suzan is John’s personal assistant.
  • We would like to assign Send As permissions to Suzan (the Trustee) on John’s mailbox, so that she will be able to send an E-mail message using John’s E-mail address.

Implementation

We will use the PowerShell command “Add-RecipientPermission”

PowerShell command syntax

PowerShell command example

Scenario 1.2 – Assign Send As Permissions to user X on all user mailboxes (Bulk Mode)

Scenario description

  • We would like to grant the Send As Permissions to a user named John.
  • The Send As permission will be assigned to a list of recipients.
  • The Send As permission will be assigned separately, for each recipient on the list.
  • The “recipient list” will be defined as – all the existing Exchange Online recipients who are classified as users with a mailbox.

Implementation

Step 1: we will define a filter that will scan all the existing Exchange Online recipients and “pull out” only the Exchange recipients who are defined as users with mailboxes.

The filter syntax that we use is:

Where {$_.RecipientTypeDetails -eq "UserMailbox"}

Step 2: we will define a variable named $UserMailboxes that will serve as a “container” for the output from a PowerShell filter that will fetch the required recipient list.

Step 3: we will pipe the information stored in the $UserMailboxes variable to a second PowerShell command, which will assign the required Send As permissions to John (the Trustee) for each of the recipients that appear in the filtered list.

Using the confirm parameter

When we assign or remove Send As permissions, the PowerShell command asks for approval by default for every assignment or removal. If we want to let the command run without asking for approval, we can add the parameter -Confirm:$False

PowerShell command syntax

PowerShell command example

Scenario 1.3 – Assign Send As Permissions to user X on all the Exchange Online recipient types (Bulk Mode)

Scenario description

  • We would like to grant the Send As Permissions to a user named John.
  • The Send As permission will be assigned to a list of recipients.
  • The Send As permission will be assigned separately, for each recipient on the list.
  • Unlike the former example, this time we would like to grant John the Send As Permissions on all the existing Exchange Online recipient types, such as mailboxes, room mailboxes, public folders and so on.

General information – the term “recipient” relates to any mail-enabled entity. The most common example of a recipient is a user with a mailbox, but there are many other types of Exchange recipient, such as room mailbox, shared mailbox, mail contact, Public Folder and so on.

Implementation

Step 1 – we will use the PowerShell command Get-Recipient for “storing information” about all the Exchange Online recipients.

Step 2 – we will pipe the information to the second PowerShell command.
The second PowerShell command will use the recipient list from the previous PowerShell command and grant the Send As permission to John for each of the recipients in the list.

PowerShell command syntax

PowerShell command example

Scenario 1.4 – Assign Send As Permissions to user X on multiple users by using a user list saved to a CSV file.

Scenario description

  • We would like to grant the Send As Permissions to a user named John.
  • The Send As permission will be assigned to a list of recipients.
  • The Send As permission will be assigned separately, for each recipient on the list.
  • The “recipient list” will be defined as a recipient list that is stored in a CSV (comma separated value) file.

Implementation

To be able to work with the information that is stored in a CSV file, we will use the following procedure:

Step 1 – working with a CSV file

  • We will prepare, in advance, a CSV file that will contain our recipient list. (You can download a sample of the CSV file).
  • CSV file name – in our scenario, we will name the CSV file – csv.
  • CSV file location – the CSV file will be saved to a folder named Temp on the C: drive.
  • The information about the recipient list will be created “under” a column header named – alias

Technically speaking, a CSV file can contain multiple columns.

In the following screenshot, we can see an example of the CSV file content.

Import information from a CSV file using PowerShell

When using a CSV file, we will need to define a header name for each of the existing columns.
Notice that although our CSV file contains multiple columns, we need to address only the particular column that stores our recipient list. The column header name of our specific column is – alias.

Regarding the column header name, technically we can choose any name we want.
The best practice is to define a simple column header name, using a single word, no spaces, etc.

Step 2 – we will use the PowerShell command that will import the information from the CSV file, into a temporary store in the RAM.

Step 3 – we will define a variable named $UserList, that will contain the output from a PowerShell command that imports the information from the CSV file.

Step 4 – using the PowerShell Foreach Loop operator

We will use the PowerShell Foreach Loop operator, for scanning (looping through) the information that was fetched from the CSV file (the information that is stored in the $UserList variable).

We will instruct the PowerShell Add-RecipientPermission command to grant John the Send As permission separately, for each recipient name that appears “under” the alias column header.

When using the Foreach Loop operator, we need to define a variable that will serve as a “container” for each recipient who appears on the list.

This variable will store the “first name” in the list, and after we finish the task of assigning John the required Send As permission, the recipient name will be “deleted” from the “variable store.”
Then the “next name” in the recipient list will be populated in the “variable storage”.

In our specific scenario, the variable that we use for referencing a “single recipient” from the recipient list is – $user

We will “attach” to the $user variable the “alias” property from the CSV file.
For example – $user.alias

In this way, the first time, the $user variable will contain the first recipient name that appears “under” the alias column header.
The next time, the $user variable will contain the second recipient name that appears “under” the alias column header, and so on, until the end of the recipient list.

PowerShell command syntax

PowerShell command example
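
The four steps above, written out as one script. This is an added example, not the article's original command; it assumes a connected Exchange Online PowerShell session, and the CSV file name is a placeholder because the article's file name is not shown. Each row is checked before the grant so that a typo in the list is reported instead of being lost in the loop.

```powershell
# Added example (not from the original article).
# Assumes: a connected Exchange Online PowerShell session, and a CSV file
# with a column header named "alias". The file name below is a placeholder.
$CsvPath = 'C:\Temp\recipients.csv'   # placeholder file name
$Trustee = 'John'                     # the recipient who receives Send As

# Steps 2 and 3: import the CSV into the $UserList variable.
$UserList = @(Import-Csv -Path $CsvPath)

# Stop if the expected column header is missing.
if ($UserList.Count -gt 0 -and $UserList[0].PSObject.Properties.Name -notcontains 'alias') {
    throw "Column header 'alias' not found in $CsvPath"
}

# Step 4: loop through the list; $user holds one CSV row at a time.
$Results = foreach ($user in $UserList) {
    $Alias = "$($user.alias)".Trim()
    if (-not $Alias) { continue }     # skip empty rows

    # The alias must resolve to exactly one recipient.
    $Found = @(Get-Recipient -Identity $Alias -ErrorAction SilentlyContinue)
    if ($Found.Count -ne 1) {
        [pscustomobject]@{ Alias = $Alias; Status = 'Skipped: not found or ambiguous' }
        continue
    }

    # Do not grant twice if the trustee already has Send As on this recipient.
    $Existing = Get-RecipientPermission -Identity $Alias -Trustee $Trustee -AccessRights SendAs -ErrorAction SilentlyContinue
    if ($Existing) {
        [pscustomobject]@{ Alias = $Alias; Status = 'Already granted' }
        continue
    }

    try {
        Add-RecipientPermission -Identity $Alias -Trustee $Trustee -AccessRights SendAs -Confirm:$false -ErrorAction Stop | Out-Null
        [pscustomobject]@{ Alias = $Alias; Status = 'Granted' }
    }
    catch {
        [pscustomobject]@{ Alias = $Alias; Status = "Failed: $($_.Exception.Message)" }
    }
}

# One line per CSV row, so the change can be reviewed afterwards.
$Results | Format-Table -AutoSize
```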

Scenario 1.5 – Assign Send As Permissions to user X on multiple users by using Filter parameter | Filter by users that belong to a specific department.

Scenario description

  • We would like to grant the Send As Permissions to a user named John.
  • The Send As permission will be assigned to a list of recipients.
  • The Send As permission will be assigned separately, for each recipient on the list.
  • The “recipient list”, will be defined as – all the Exchange Online users who work in the marketing

Implementation

To be able to implement this requirement, we use a PowerShell command that consists of two parts:

Step 1 – filter a list of recipients

We will use the PowerShell cmdlet – Get-Recipient, for getting a list of all the existing Exchange Online recipients.

We will use the -Filter parameter to keep from the list only the recipients whose department is marketing (we will use a PowerShell command that will “filter out” only Exchange Online recipients whose department is equal to marketing).

An example of the filter syntax in our scenario is:

Get-Recipient -Filter {(Department -eq "department")}

Step 2 – we will pipe the output from the first command to an additional PowerShell command, which will grant the Send As permission to John for each of the recipients who appear on the list.

PowerShell command syntax

PowerShell command example

Assign Send As Permissions | Working with Groups

The subject of assigning permissions while working with an “Exchange mail group” is a little tricky.

Scenario 1 – is a scenario in which we want to grant the Send As permission to a specific mail group on a particular recipient.

Scenario 2 – is a scenario in which we want to give the Send As permission to a specific recipient for each of the members who “belong” to a particular mail-enabled group.

Let’s start with the fact, that there are two major types of mail groups:

  1. Security group
  2. Distribution group

The common denominator is that both of these mail groups serve the purpose of “grouping” mail recipients.

The difference between the two groups above is:

  • A security group, as the name implies, is considered a “security object.”
    The meaning is that we can grant a security group permission on “other objects.”
  • A distribution group is not considered a “security object.”
    The meaning is that we cannot grant a distribution group permission on “other objects.”

Scenario 1.6 – Assign Send As Permissions to each member of a distribution group to a specific user

Scenario description

  • We would like to grant the Send As permissions, to each of the recipients who belongs to a distribution group named – marketing.
  • We want to assign the Send As permissions on a recipient’s mailbox named – John

Implementation

As mentioned, we cannot directly grant Send As permissions to a distribution group on “other objects.”

The good news is that we can bypass the obstacle by using a little trick.

The trick that we use will “extract” each of the members of a particular distribution group, and will assign the Send As permission to each of the members separately.

Note – notice that this “trick” will not apply to a new member who is added to the marketing distribution group after we execute the PowerShell command.

Step 1 – we will use the PowerShell command Get-DistributionGroupMember, that will get the list of members in a specific distribution group (the marketing distribution group in our scenario).

Step 2 – we will use a variable named $Members that will “contain” the output from a PowerShell command that will “fetch” all the members in the marketing distribution group.

Step 3 – using the PowerShell Foreach Loop operator

We will use the PowerShell Foreach Loop operator, for scanning (looping through) the list of the distribution group members.

In our scenario, the Trustee identity will be replaced a couple of times, once for each of the members in the marketing distribution group.

A single member of the marketing distribution group (the Trustee) will be defined by the following combination of variable + property.

In our example, the variable is $Member and the property is – name.

The combination will look like – $Member.name

The PowerShell command – Add-RecipientPermission, will “loop” through the member list and will assign each of the members the Send As permission on John’s mailbox.

PowerShell command syntax

PowerShell command example
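
A version of the member-by-member grant described above, as an added example rather than the article's original command. It assumes a connected Exchange Online PowerShell session; it uses each member's primary E-mail address instead of $Member.name because names are not guaranteed to be unique, and it lists members that are not user mailboxes (for example nested groups, which Get-DistributionGroupMember does not expand) instead of granting to them.

```powershell
# Added example (not from the original article).
# Assumes a connected Exchange Online PowerShell session.
$Group   = 'marketing'   # distribution group whose members become trustees
$Mailbox = 'John'        # mailbox the members will be able to send as

# Steps 1 and 2: store the group members in $Members.
$Members = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited)

# Step 3: loop through the members; each $Member is the trustee in turn.
$Results = foreach ($Member in $Members) {
    $Address = [string]$Member.PrimarySmtpAddress
    $Type    = [string]$Member.RecipientTypeDetails

    # Only user mailboxes are granted here. Nested groups, contacts and
    # other member types are listed for manual review.
    if ($Type -ne 'UserMailbox') {
        [pscustomobject]@{ Member = $Member.Name; Type = $Type; Status = 'Skipped: review manually' }
        continue
    }

    # Skip members who already have Send As on the mailbox.
    $Existing = Get-RecipientPermission -Identity $Mailbox -Trustee $Address -AccessRights SendAs -ErrorAction SilentlyContinue
    if ($Existing) {
        [pscustomobject]@{ Member = $Address; Type = $Type; Status = 'Already granted' }
        continue
    }

    try {
        Add-RecipientPermission -Identity $Mailbox -Trustee $Address -AccessRights SendAs -Confirm:$false -ErrorAction Stop | Out-Null
        [pscustomobject]@{ Member = $Address; Type = $Type; Status = 'Granted' }
    }
    catch {
        [pscustomobject]@{ Member = $Address; Type = $Type; Status = "Failed: $($_.Exception.Message)" }
    }
}

$Results | Format-Table -AutoSize
```

Because members who already hold the permission are skipped, the script can be run again after the group changes to cover new members. Members who have left the group keep Send As on John's mailbox until it is removed.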

Scenario description

  • We would like to grant the Send As Permissions to a user named John.
  • The Send As permission will be assigned to a list of recipients.
  • The Send As permission will be assigned separately, for each recipient on the list.
  • The “recipient list”, will be defined as – all the members of a distribution group named – marketing.

Implementation

Note – notice that we will need to use the same “extract trick” because we don’t want to grant John permission on the distribution group, but instead grant the Send As permission on each of the group members separately.

Step 1 – we will use the PowerShell command Get-DistributionGroupMember, that will get the list of members in a specific distribution group (the marketing distribution group in our scenario).

Step 2 – we will use a variable named $Members that will “contain” the output from a PowerShell command that will “fetch” all the members in the marketing distribution group.

Step 3 – using the PowerShell Foreach Loop operator

We will use the PowerShell Foreach Loop operator, for scanning (looping through) the list of the distribution group members.

In this case, the Trustee is John.
We want to assign John the Send As permission for each of the distribution group members.

The way that we relate to each element of the array (each of the group members) is by using the variable in combination with the property – name, in the following way – $Member.name

PowerShell command syntax

PowerShell command example

Section 2#3 | Display information about Send As permissions

Displaying information about Send As permissions is implemented by using the PowerShell cmdlet Get-RecipientPermission

By default, the information from the Get-RecipientPermission command will be displayed on the PowerShell console window.

In some scenarios, we need to save this information to a file. Later on, we will review how to export the information from the PowerShell command – Get-RecipientPermission to a file.

Scenario 2.1 – Display information about recipients who have “Send As” permission on a specific user Mailbox.

Scenario description
In the following scenario, our goal is to:

  • Display information about the recipient who has the Send As permission on John’s mailbox.

Implementation

We will demonstrate how to use the “simple version” of the PowerShell command, and we will also provide a more “sophisticated PowerShell command” that will help us to remove unnecessary information from the PowerShell command output.

PowerShell command syntax

PowerShell command example

In the following screenshot, we can see a list of recipients that have Send As permission on John’s mailbox. In addition, we can see a “strange recipient” named – nt authority\self

This is the permission that John has for the purpose of sending email using his own E-mail address (yes, I know it sounds strange).

Get-RecipientPermission and - nt authority self

If we want to display a “cleaner” output, without the information about the permission that the user has on his own mailbox, we can use a PowerShell syntax that will remove this unneeded information.

PowerShell command example

Scenario 2.2 – Display information about All the recipients who have “Send As” permission on any user Mailbox.

Scenario description

In the following scenario, our goal is:

  • Display information about all of our organization recipients who have the Send As permission on other recipient mailboxes.

Implementation

Step 1- we will use the PowerShell command Get-Recipient, for “storing information” about all the Exchange Online recipients.

Step 2- we will pipe the information to the second PowerShell command, which will display on the screen, the Send As permissions that each recipient has on other recipients’ mailboxes.

PowerShell command example

Scenario 2.3 – Display information on the Send As permission that a specific recipient has on “other recipient”.

Scenario description

  • John has Send As permission on many organization recipients. We need to get clear information about who these recipients are.

Implementation

Step 1- we will use the PowerShell command Get-Recipient, for “storing information” about all the Exchange Online recipients.

Step 2- we will pipe the information to the second PowerShell command, which will display on the screen the recipients on whose mailboxes John has Send As permissions.

PowerShell command syntax

PowerShell command example

Export information to file using PowerShell export commands

Export information to file

In some scenarios, we need to save the output that we get from a particular PowerShell command to a file for later use, such as a report or even as a “source” for other \ additional PowerShell commands.

Technically speaking, PowerShell enables us to export PowerShell command output using four different file formats:

  1. TXT
  2. CSV
  3. HTML
  4. XML

In the following section, I would like to demonstrate the way that we use for exporting information to TXT file + CSV file format.

Scenario 2.4 – Export information about Send As permission to TXT file.

Scenario description

  • John has Send As permission on many organization recipients. We need to export the information about John’s Send As permission to a TXT file.

Implementation

The PowerShell cmdlet that we use for exporting information to a text file is – Out-File

We will need to provide the path in which the text file will be created.
In our scenario, we wish to create a text file that will be stored on the C: drive in a folder named – Temp.

In case your Office 365 tenant uses a character set that includes characters beyond the standard English characters, it is recommended to add an additional PowerShell parameter, -Encoding UTF8, which enables PowerShell to export non-English characters.

PowerShell command example

Scenario 2.5 – Export information about Send As permission to CSV file.

Scenario description

  • John has Send As permission on many organization recipients. We need to export the information about John’s Send As permission to a CSV file.

Implementation

The PowerShell cmdlet that we use for exporting information to a CSV file is Export-CSV

We will need to provide the path in which the CSV file will be created.
In our scenario, we wish to create a CSV file that will be stored on the C: drive in a folder named – Temp.

When exporting information to a CSV file, a parameter that is recommended to add is “-NoTypeInformation”

The purpose of this parameter is to omit the type information from the CSV file.
By default, the first line of the CSV file contains “#TYPE” followed by the fully-qualified name of the object type.

PowerShell command example
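
A tenant-wide report that combines the pieces from this section: list the Send As permissions for every recipient, drop the nt authority\self entries, and export to CSV with -NoTypeInformation and UTF8 encoding. It is an added example, not the article's original command; it assumes a connected Exchange Online PowerShell session, and the function name Get-SendAsReport and the report file name are placeholders.

```powershell
# Added example (not from the original article).
# Assumes a connected Exchange Online PowerShell session.
# Get-SendAsReport and the report path are hypothetical names.
function Get-SendAsReport {
    param(
        [string]$Trustee   # optional: only permissions held by this trustee
    )

    # Only Send As entries; add the trustee filter when one is given.
    $Query = @{ AccessRights = 'SendAs' }
    if ($Trustee) { $Query.Trustee = $Trustee }

    # 1. Get every recipient and read its Send As permissions.
    # 2. Remove the entry each recipient has on its own address.
    # 3. Flatten the values to plain strings so the CSV shows values,
    #    not .NET type names (AccessRights is a multi-valued property).
    Get-Recipient -ResultSize Unlimited |
        Get-RecipientPermission @Query |
        Where-Object { [string]$_.Trustee -ne 'NT AUTHORITY\SELF' } |
        Select-Object @{ Name = 'Recipient';  Expression = { [string]$_.Identity } },
                      @{ Name = 'Trustee';    Expression = { [string]$_.Trustee } },
                      @{ Name = 'AccessType'; Expression = { [string]$_.AccessControlType } },
                      @{ Name = 'Rights';     Expression = { $_.AccessRights -join ',' } },
                      IsInherited
}

# Scenario 2.2: everyone who has Send As on someone else.
$Report = @(Get-SendAsReport)
$Report | Export-Csv -Path 'C:\Temp\SendAsReport.csv' -NoTypeInformation -Encoding UTF8

# Trustees that can send as the largest number of recipients come first.
$Report |
    Group-Object -Property Trustee |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name -First 10

# Scenario 2.3: only the recipients that John can send as.
Get-SendAsReport -Trustee 'John' | Format-Table -AutoSize
```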

Section 3#3 | Remove Send As Permissions

Removing \ revoking the Send As permission is implemented by using the PowerShell cmdlet Remove-RecipientPermission

Scenario 3.1 – Remove Send As Permissions that user X has on user Y Mailbox.

Scenario description

  • Suzan has Send As permissions on John’s mailbox
  • We would like to remove Suzan’s Send As permissions from John’s mailbox

Implementation

We will use the Remove-RecipientPermission PowerShell command.

PowerShell command syntax

PowerShell command example

Scenario 3.2 – Remove from all the recipients, the Send As Permissions that user X has.

Scenario description

  • John has Send As permissions on many Exchange Online recipients.
  • We would like to remove John’s Send As permissions from all the existing Exchange Online recipients.

Implementation

Step 1- we will use the PowerShell command Get-Recipient, for “storing information” about all the Exchange Online recipients.

Step 2- we will pipe the information to the second PowerShell command.
The second PowerShell command will check if John has Send As permission on a particular recipient, and if he has, the PowerShell command will remove these permissions.

PowerShell command example
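
The check-then-remove logic described above, as an added example rather than the article's original command. It assumes a connected Exchange Online PowerShell session; the function name Remove-TrusteeSendAs and the backup file name are placeholders. The function records every permission it finds before removing anything, and only previews the removal unless -Apply is given.

```powershell
# Added example (not from the original article).
# Assumes a connected Exchange Online PowerShell session.
# Remove-TrusteeSendAs and the backup path are hypothetical names.
function Remove-TrusteeSendAs {
    param(
        [Parameter(Mandatory)] [string]$Trustee,
        [Parameter(Mandatory)] [string]$BackupPath,
        [switch]$Apply      # without -Apply the removal is only previewed
    )

    # Step 1: get all recipients.
    # Step 2: keep only those on which the trustee has Send As.
    $Held = foreach ($Recipient in Get-Recipient -ResultSize Unlimited) {
        $Address = [string]$Recipient.PrimarySmtpAddress
        $Perm = Get-RecipientPermission -Identity $Address -Trustee $Trustee -AccessRights SendAs -ErrorAction SilentlyContinue
        if ($Perm) {
            [pscustomobject]@{ Recipient = $Address; Trustee = $Trustee; AccessRights = 'SendAs' }
        }
    }
    $Held = @($Held)

    # Keep a record of what is removed, so it can be reviewed or granted again.
    $Held | Export-Csv -Path $BackupPath -NoTypeInformation -Encoding UTF8

    foreach ($Entry in $Held) {
        Remove-RecipientPermission -Identity $Entry.Recipient -Trustee $Trustee -AccessRights SendAs -Confirm:$false -WhatIf:(-not $Apply)
    }

    # Return the list of affected recipients to the caller.
    $Held
}

# Preview first; add -Apply once the backup file has been reviewed.
Remove-TrusteeSendAs -Trustee 'John' -BackupPath 'C:\Temp\John-SendAs-backup.csv'
```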

Scenario 3.3 – Remove from all of the recipients, the Send As Permissions that user X has, using a user list saved to a CSV file.

Scenario description

  • John has Send As permissions on many Exchange Online recipients.
  • We would like to remove John’s Send As permissions from all the existing Exchange Online recipients.
  • The “recipient list,” will be defined as – recipient list that is stored in a CSV file.

Implementation

Step 1 – working with a CSV file

  • We will prepare, in advance, a CSV file that will contain our recipient list. (You can download a sample of the CSV file).
  • CSV file name – in our scenario, we will name the CSV file – csv.
  • CSV file location – the CSV file will be saved to a folder named Temp on the C: drive.
  • The information about the recipient list will be created “under” a column header named – alias

Import information from a CSV file using PowerShell

Step 2 – we will use the PowerShell command that will import the information from the CSV file, into a temporary store in the RAM.

Step 3 – we will define a variable named $UserList, that will contain the output from a PowerShell command that imports the information from the CSV file.

Step 4 – using the PowerShell Foreach Loop operator

PowerShell command example

Scenario 3.4 – Remove from all the recipients, the Send As Permissions that user X has, using the Filter parameter | Filter by users that belong to a specific department.

Scenario description

  • John has Send As Permissions to all the recipients who work in the marketing
  • We would like to remove John’s Send As permissions from these recipients.

Implementation

To be able to implement this requirement, we use a PowerShell command that consists of two parts:

Step 1 – we will use a PowerShell command that will filter out only the Exchange Online recipients whose department is equal to marketing.

Step 2 – we will pipe the output to an additional PowerShell command, that will remove the Send As permission that John has for each of the recipients who appear on the list.

PowerShell command example

Scenario 3.5 – Remove the Send As Permissions that user X has, from each member in a distribution group.

Scenario description

  • Each of the distribution group members named – marketing has Send As Permissions on John’s
  • We want to remove the Send As Permissions of each distribution group members from John’s

Implementation

PowerShell command example

Scenario 3.6 – Assign Send As permissions to user X, for each member of a Distribution group.

Scenario description

  • John has Send As Permissions for a recipient that “belongs” to a distribution group named –
  • We want to remove John’s Send As Permissions for each distribution group member of the marketing distribution group.

Implementation

PowerShell command example

PowerShell | Help & additional information

In case you are a novice in the PowerShell environment, you can use the following links to get more information about the “first steps” such as: downloading the required PowerShell software components, how to use the PowerShell console, running a PowerShell script, etc.
PowerShell Naming Conventions & general information

If you want to get more information about the Naming Conventions that we use for this article and get some general tips about: how to work with the PowerShell, read the article: Help and additional information – o365info.com PowerShell articles

Create remote PowerShell session

Before we can use the required PowerShell commands, we need to download and install the Office 365 cmdlets + create remote PowerShell session to Office 365 or Exchange Online. If you need more information about how to create a remote PowerShell session read the following articles: Part 2: Connect to Office 365 by using Remote PowerShell and Part 3: Connect to Exchange Online by using Remote PowerShell

How to use a PowerShell script

Most of the PowerShell articles include a PowerShell script that simplifies the use of the PowerShell commands. If you want to get more information about: How to use a PowerShell script, read the article: Connect to Office 365 and Exchange Online using a script

PowerShell command and Script language in more details

If you are new to the PowerShell world, you can read more information about PowerShell in Office 365 environment in the article: The Power of PowerShell

Author: Eyal Doron
Publisher: o365info.com