How to export Full Access mailbox permission

You can export a list of users with Full Access permission to a licensed Microsoft 365 mailbox. This way you can see which users can open the Microsoft 365 mailbox and behave as the mailbox owner. In this article, you will learn how to export Full Access mailbox permission with Exchange Online PowerShell.

Connect to Exchange Online PowerShell

To run PowerShell commands, you must first connect to Exchange Online PowerShell. Open Windows PowerShell as administrator, run the cmdlet below, and sign in with your admin credentials.

Connect-ExchangeOnline

Export Full Access mailbox permissions for single user

We will show you how to export the mailbox permissions for a user mailbox with PowerShell.

We want to see which permissions other users have on a specific user mailbox. The PowerShell cmdlet for displaying mailbox permissions is Get-MailboxPermission.

In our example, we want to display which users (or groups) have Full Access mailbox permission to Brenda’s mailbox.

We will use the -AutoSize parameter to reduce the space between the result columns.

Run the below PowerShell command.

Get-MailboxPermission "Brenda.Smith@m365info.com" | ft -AutoSize

See the PowerShell output result.

Identity                             User                     AccessRights                 IsInherited Deny
--------                             ----                     ------------                 ----------- ----
0f38d53f-cbe0-4844-86e9-1032a45ba31b NT AUTHORITY\SELF        {FullAccess, ReadPermission} False       False
0f38d53f-cbe0-4844-86e9-1032a45ba31b Diana.Baker@m365info.com {FullAccess}                 False       False
0f38d53f-cbe0-4844-86e9-1032a45ba31b Finance UK mail list     {FullAccess}                 False       False
0f38d53f-cbe0-4844-86e9-1032a45ba31b Sales Norway             {FullAccess}                 False       False
0f38d53f-cbe0-4844-86e9-1032a45ba31b Laura.Terry@m365info.com {FullAccess}                 False       False

The output shows the Identity of the mailbox you provided (Brenda), and the User column lists the users and groups with Full Access permission.

Technically, we got the required results, but if we look deeper into the data, there are some issues.

The basic PowerShell command for displaying mailbox permissions in Exchange Online returns a lot of non-relevant information. First, we want to remove the SELF permission that each user has on their own mailbox. Then, we want to remove the inherited (IsInherited) permissions from the displayed result.

To clear out the unnecessary information, we will use a filter condition (Where) that excludes the entries for NT AUTHORITY\SELF and the entries where IsInherited is true.

Run the below PowerShell command example.

Get-MailboxPermission "Brenda.Smith@m365info.com" | Where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Ft Identity, User, AccessRights -AutoSize

The PowerShell output result is shown below.

Identity                             User                     AccessRights
--------                             ----                     ------------
0f38d53f-cbe0-4844-86e9-1032a45ba31b Diana.Baker@m365info.com {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Finance UK mail list     {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Sales Norway             {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Laura.Terry@m365info.com {FullAccess}

We can see that we successfully managed to exclude or clear out most of the non-relevant information. It shows the mailboxes with Full Access mailbox permission to Brenda’s mailbox.

Export Full Access mailbox permission for multiple users

You can also get mailbox permissions for more than one user. In our example, we want to know who has mailbox permission for Brenda Smith and Ken Walker.

In the PowerShell command, we can add each user name separated by a comma.

See the below PowerShell command syntax.

"Brenda.Smith@m365info.com","Ken.Walker@m365info.com" | ForEach {Get-MailboxPermission -Identity $_}

To remove irrelevant information in the output, we will change the above PowerShell command.

Run the PowerShell command example.

"Brenda.Smith@m365info.com","Ken.Walker@m365info.com" | ForEach { Get-MailboxPermission -Identity $_ | Where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } } | Select Identity, User, AccessRights

The PowerShell output results are shown below.

Identity                             User                     AccessRights
--------                             ----                     ------------
0f38d53f-cbe0-4844-86e9-1032a45ba31b Diana.Baker@m365info.com {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Finance UK mail list     {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Sales Norway             {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Laura.Terry@m365info.com {FullAccess}
12eefbb2-e5f4-4eec-bd18-df7ca2f1ee6b Brian.Mill@m365info.com  {FullAccess}
12eefbb2-e5f4-4eec-bd18-df7ca2f1ee6b Anna.Bell@m365info.com   {FullAccess}

It will list all the mailboxes with Full Access permissions under the column User for the mailboxes (Brenda Smith & Ken Walker) you provided.

Export Full Access permission user has access to

We want to export the list of mailboxes to which a specific user has Full Access permission.

To get that information, we need to use the Get-Mailbox cmdlet to get a list of all the existing mailboxes. Then, we will also use the Get-MailboxPermission cmdlet and add the username.

The PowerShell command goes through all the mailboxes, checks on which of them the user has mailbox permission, and displays the results. The rest of the command improves the output returned by the Get-MailboxPermission cmdlet.

In our example, we would like to get information about the Full Access permission the user Brenda Smith has to other mailboxes.

  1. Specify the mailbox in line number 1
  2. Run the below PowerShell command script
Get-Mailbox -Resultsize Unlimited | Get-MailboxPermission -User "Brenda.Smith@m365info.com" | ForEach-Object {
    $mailbox = Get-Mailbox $_.Identity
    $User = Get-Mailbox $_.User
    [PSCustomObject]@{
        UserId            = $User.Identity
        User              = $_.User
        Identity          = $_.Identity
        UserPrincipalName = $mailbox.UserPrincipalName
        AccessRights      = $_.AccessRights
    }
} | Format-Table UserId, User, Identity, UserPrincipalName, AccessRights

The PowerShell output shows a list of mailboxes to which Brenda Smith has Full Access permission.

UserId                               User                      Identity                             UserPrincipalName      AccessRights
------                               ----                      --------                             -----------------      ------------
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com 82cd0d62-e974-4892-aca6-e0387abc62be Anna.Bell@m365info.com {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com Catch All                            Catch.All@m365info.com {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com Info Box                             InfoBox@m365info.com   {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com 12eefbb2-e5f4-4eec-bd18-df7ca2f1ee6b Ken.Walker@m365info.c… {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com Projector 21                         Projector21@m365info.… {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com RoomTest8                            RoomTest8@m365info.com {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com c32b2b27-d809-439a-a3e3-eb7a749eeb72 Stephen.Hunter@m365in… {FullAccess}

The mailbox you specified (Brenda.Smith@m365info.com), which holds the Full Access permission, is listed under the columns UserId and User. The mailboxes it has access to are listed under the columns Identity and UserPrincipalName.

Export list of mailboxes with Full Access permission to CSV file

We want to export a list of all the users with Full Access mailbox permission to a CSV file and to Out-GridView. The list shows every mailbox that has Full Access permission to another licensed mailbox.

Follow the below steps to export a list of mailbox permissions to CSV:

  1. Create the temp folder and save it in the (C:) drive if you don’t have it already
  2. Type the CSVPath in line number 2
  3. Run the below PowerShell script
# Set the path for the CSV file to store the permissions
$CSVPath = "C:\temp\FullAccessPerms.csv"

try {
    # Get all the mailboxes with unlimited result size and retrieve their mailbox permissions
    $permissions = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {
        # Filter out permissions that are inherited, belong to "NT AUTHORITY\SELF", or belong to "Discovery Management"
        ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*')
    } | ForEach-Object {
        # For each permission, get the mailbox details
        $mailbox = Get-Mailbox $_.Identity
        [PSCustomObject]@{
            UserPrincipalName    = $mailbox.UserPrincipalName
            Identity             = $mailbox.Identity
            User                 = $_.User
            AccessRights         = $_.AccessRights
            RecipientTypeDetails = $mailbox.RecipientTypeDetails
        }
    } | Select-Object Identity, UserPrincipalName, User, AccessRights, RecipientTypeDetails

    # Display the permissions in Out-GridView
    $permissions | Out-GridView -Title "Full Access mailbox permissions"

    # Export the permissions to a CSV file
    $permissions | Export-Csv -Path $CSVPath -NoTypeInformation -Encoding UTF8

    # Display a success message if the export was successful
    Write-Host "Exported permissions successfully to $CSVPath" -ForegroundColor Cyan
}
catch {
    # Display an error message if there was an exception during the export
    Write-Host "Error exporting permissions: $_" -ForegroundColor Red
}
  4. The Out-GridView appears after you run the script
  5. Find the CSV file in the C:\temp folder
  6. Open the CSV file with an application like Microsoft Excel to see the results

That’s it!
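
The filters above never test the AccessRights or Deny columns, so rows that carry only other rights, or an explicit deny, would also land in the export. As an added example (not the article's own code), the hypothetical function Select-FullAccessGrant applies the article's exclusions plus those two checks and tags each trustee with a heuristic TrusteeKind; the sample rows are constructed so it runs without a tenant connection.

```powershell
# Added example, not from the original article. The function name and the
# TrusteeKind labels are hypothetical; the input mimics Get-MailboxPermission.
function Select-FullAccessGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Permission
    )
    process {
        # Flatten the rights collection to text: safe to match on and to write to CSV
        $rights = @($Permission.AccessRights) -join ', '
        $user   = [string]$Permission.User

        # Keep only explicit allow entries that really contain FullAccess
        if ($Permission.IsInherited -or $Permission.Deny) { return }
        if ($rights -notmatch '\bFullAccess\b')           { return }
        if ($user -eq 'NT AUTHORITY\SELF')                { return }
        if ($user -like '*Discovery Management*')         { return }

        # Heuristic (assumption): a raw SID means the trustee no longer resolves
        # to an account; an address-like value is a user; anything else is a group
        $kind = if ($user -match '^S-1-5-21-') { 'UnresolvedSid' }
                elseif ($user -like '*@*')     { 'User' }
                else                           { 'GroupOrOther' }

        [PSCustomObject]@{
            Identity     = $Permission.Identity
            User         = $user
            AccessRights = $rights
            TrusteeKind  = $kind
        }
    }
}

# Constructed sample rows (first three copy the article's output; the rest are made up)
$mbx = '0f38d53f-cbe0-4844-86e9-1032a45ba31b'
$sample = @(
    [PSCustomObject]@{ Identity=$mbx; User='NT AUTHORITY\SELF'; AccessRights=@('FullAccess','ReadPermission'); IsInherited=$false; Deny=$false }
    [PSCustomObject]@{ Identity=$mbx; User='Diana.Baker@m365info.com'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
    [PSCustomObject]@{ Identity=$mbx; User='Finance UK mail list'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
    [PSCustomObject]@{ Identity=$mbx; User='reader@example.com'; AccessRights=@('ReadPermission'); IsInherited=$false; Deny=$false }
    [PSCustomObject]@{ Identity=$mbx; User='denied@example.com'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$true }
    [PSCustomObject]@{ Identity=$mbx; User='inherited@example.com'; AccessRights=@('FullAccess'); IsInherited=$true; Deny=$false }
    [PSCustomObject]@{ Identity=$mbx; User='S-1-5-21-1111111111-2222222222-3333333333-1001'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
)

$sample | Select-FullAccessGrant | Format-Table -AutoSize
```

On a live tenant, replace $sample with Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission and pipe the result to Export-Csv as in the script above.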

Conclusion

You learned how to export Full Access mailbox permission with Exchange Online PowerShell. With the Get-MailboxPermission PowerShell cmdlet, you can get a list of users with Full Access permission for a single or all Microsoft 365 mailboxes.

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
