How to export Full Access mailbox permission
You can export a list of users with Full Access permission to a licensed Microsoft 365 mailbox. This way you can see which users can open the Microsoft 365 mailbox and behave as the mailbox owner. In this article, you will learn how to export Full Access mailbox permission with Exchange Online PowerShell.
Connect to Exchange Online PowerShell
To run the PowerShell commands, you must first connect to Exchange Online PowerShell. Open Windows PowerShell as administrator, run the below cmdlet, and sign in with your admin credentials.
Connect-ExchangeOnline
Export Full Access mailbox permissions for single user
We will show you how to export the mailbox permissions for a user mailbox with PowerShell.
We want to get information about the mailbox permissions that other users have on a specific user mailbox. The PowerShell cmdlet that we use for displaying mailbox permissions is Get-MailboxPermission.
In our example, we want to display which users (or groups) have Full Access mailbox permission to Brenda’s mailbox.
We will use the -AutoSize parameter to reduce the space between the result columns.
Run the below PowerShell command.
Get-MailboxPermission "Brenda.Smith@m365info.com" | ft -AutoSize
See the PowerShell output result.
Identity                             User                     AccessRights                 IsInherited Deny
--------                             ----                     ------------                 ----------- ----
0f38d53f-cbe0-4844-86e9-1032a45ba31b NT AUTHORITY\SELF        {FullAccess, ReadPermission} False       False
0f38d53f-cbe0-4844-86e9-1032a45ba31b Diana.Baker@m365info.com {FullAccess}                 False       False
0f38d53f-cbe0-4844-86e9-1032a45ba31b Finance UK mail list     {FullAccess}                 False       False
0f38d53f-cbe0-4844-86e9-1032a45ba31b Sales Norway             {FullAccess}                 False       False
0f38d53f-cbe0-4844-86e9-1032a45ba31b Laura.Terry@m365info.com {FullAccess}                 False       False
The output shows the Identity of the mailbox (Brenda) you provided, and it lists the mailboxes with Full Access permission under the column User.
Technically, we got the required results, but if we look deeper into the data, there are some issues.
When we use the basic PowerShell command for displaying mailbox permission in Exchange Online, there is a lot of non-relevant information. First, we want to remove the SELF permission that each user has on their own mailbox. Then, we want to remove the inherited permissions (IsInherited) from the displayed result.
To clear out the unnecessary information, we will use a logic condition (Where) to exclude the Full Access mailbox permission classified as NT AUTHORITY\SELF and IsInherited.
Run the below PowerShell command example.
Get-MailboxPermission "Brenda.Smith@m365info.com" | Where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Ft Identity, User, AccessRights -AutoSize
The PowerShell output result is shown below.
Identity                             User                     AccessRights
--------                             ----                     ------------
0f38d53f-cbe0-4844-86e9-1032a45ba31b Diana.Baker@m365info.com {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Finance UK mail list     {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Sales Norway             {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Laura.Terry@m365info.com {FullAccess}
We can see that we successfully managed to exclude or clear out most of the non-relevant information. It shows the mailboxes with Full Access mailbox permission to Brenda’s mailbox.
Export Full Access mailbox permission for multiple users
You can also get mailbox permissions for more than one user. In our example, we want to know who has mailbox permission for Brenda Smith and Ken Walker.
In the PowerShell command, we can add each user name separated by a comma.
See the below PowerShell command syntax.
"Brenda.Smith@m365info.com","Ken.Walker@m365info.com" | ForEach {Get-MailboxPermission -Identity $_}
To remove irrelevant information in the output, we will change the above PowerShell command.
Run the PowerShell command example.
"Brenda.Smith@m365info.com","Ken.Walker@m365info.com" | ForEach { Get-MailboxPermission -Identity $_ | Where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } } | Select Identity, User, AccessRights
The PowerShell output results are shown below.
Identity                             User                     AccessRights
--------                             ----                     ------------
0f38d53f-cbe0-4844-86e9-1032a45ba31b Diana.Baker@m365info.com {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Finance UK mail list     {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Sales Norway             {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Laura.Terry@m365info.com {FullAccess}
12eefbb2-e5f4-4eec-bd18-df7ca2f1ee6b Brian.Mill@m365info.com  {FullAccess}
12eefbb2-e5f4-4eec-bd18-df7ca2f1ee6b Anna.Bell@m365info.com   {FullAccess}
It will list all the mailboxes with Full Access permissions under the column User for the mailboxes (Brenda Smith & Ken Walker) you provided.
Export Full Access permission user has access to
We want to export the mailboxes (users or groups) to which a specific user has Full Access permission.
To get that information, we need to use the Get-Mailbox cmdlet to get a list of all the existing mailboxes. Then, we will also use the Get-MailboxPermission cmdlet and add the username.
The PowerShell command will go through all the mailboxes, check on which mailboxes the user has mailbox permission, and display the results. The rest of the PowerShell command is used to improve the results displayed by the Get-MailboxPermission cmdlet.
In our example, we would like to get information about the Full Access permission the user Brenda Smith has to other mailboxes.
- Specify the mailbox in line number 1
- Run the below PowerShell command script
Get-Mailbox -Resultsize Unlimited | Get-MailboxPermission -User "Brenda.Smith@m365info.com" | ForEach-Object {
    $mailbox = Get-Mailbox $_.Identity
    $User = Get-Mailbox $_.User
    [PSCustomObject]@{
        UserId = $User.Identity
        User = $_.User
        Identity = $_.Identity
        UserPrincipalName = $mailbox.UserPrincipalName
        AccessRights = $_.AccessRights
    }
} | Format-Table UserId, User, Identity, UserPrincipalName, AccessRights
The PowerShell output shows a list of mailboxes to which Brenda Smith has Full Access permission.
UserId                               User                      Identity                             UserPrincipalName      AccessRights
------                               ----                      --------                             -----------------      ------------
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com 82cd0d62-e974-4892-aca6-e0387abc62be Anna.Bell@m365info.com {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com Catch All                            Catch.All@m365info.com {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com Info Box                             InfoBox@m365info.com   {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com 12eefbb2-e5f4-4eec-bd18-df7ca2f1ee6b Ken.Walker@m365info.c… {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com Projector 21                         Projector21@m365info.… {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com RoomTest8                            RoomTest8@m365info.com {FullAccess}
0f38d53f-cbe0-4844-86e9-1032a45ba31b Brenda.Smith@m365info.com c32b2b27-d809-439a-a3e3-eb7a749eeb72 Stephen.Hunter@m365in… {FullAccess}
The mailbox you specified (Brenda.Smith@m365info.com) is listed under the columns UserId and User. The Exchange Online mailboxes it has Full Access permission to are listed under the columns Identity and UserPrincipalName.
Export list of mailboxes with Full Access permission to CSV file
We want to export a list of all the users with Full Access mailbox permission to a CSV file and Out-GridView. It shows every single mailbox with Full Access mailbox permission to another licensed mailbox.
Follow the below steps to export a list of mailbox permissions to CSV:
- Create the temp folder on the (C:) drive if you don’t have it already
- Type the CSVPath in line number 2
- Run the below PowerShell script
# Set the path for the CSV file to store the permissions
$CSVPath = "C:\temp\FullAccessPerms.csv"
try {
    # Get all the mailboxes with unlimited result size and retrieve their mailbox permissions
    $permissions = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {
        # Filter out permissions that are inherited, belong to "NT AUTHORITY\SELF", or belong to "Discovery Management"
        ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*')
    } | ForEach-Object {
        # For each permission, get the mailbox details
        $mailbox = Get-Mailbox $_.Identity
        [PSCustomObject]@{
            UserPrincipalName = $mailbox.UserPrincipalName
            Identity = $mailbox.Identity
            User = $_.User
            AccessRights = $_.AccessRights
            RecipientTypeDetails = $mailbox.RecipientTypeDetails
        }
    } | Select-Object Identity, UserPrincipalName, User, AccessRights, RecipientTypeDetails
    # Display the permissions in Out-GridView
    $permissions | Out-GridView -Title "Full Access mailbox permissions"
    # Export the permissions to a CSV file
    $permissions | Export-Csv -Path $CSVPath -NoTypeInformation -Encoding UTF8
    # Display a success message if the export was successful
    Write-Host "Exported permissions successfully to $CSVPath" -ForegroundColor Cyan
}
catch {
    # Display an error message if there was an exception during the export
    Write-Host "Error exporting permissions: $_" -ForegroundColor Red
}
- The Out-GridView appears after you run the script
- Find the CSV file in the C:\temp folder
- Open the CSV file with an application like Microsoft Excel to see the results
That’s it!
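The filters used in this article exclude SELF and inherited entries but do not test the AccessRights or Deny columns. The added example below (not part of the original article) keeps only explicit allow entries that include FullAccess and lists the grants that are missing from an earlier export. The function names Select-FullAccessGrant and Compare-FullAccessBaseline are hypothetical, and the sample rows are constructed so the block runs without a tenant connection.

```powershell
# Added example; function names are hypothetical, sample rows are constructed.
function Select-FullAccessGrant {
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$Permission)
    process {
        $rights = @($Permission.AccessRights | ForEach-Object { "$_" })
        # Keep only explicit allow entries that really include FullAccess
        if ($Permission.IsInherited -or $Permission.Deny) { return }
        if ("$($Permission.User)" -eq 'NT AUTHORITY\SELF') { return }
        if ($rights -notcontains 'FullAccess') { return }
        [PSCustomObject]@{
            Mailbox      = "$($Permission.Identity)"
            Trustee      = "$($Permission.User)"
            # Joined to one string so a CSV export holds the rights as readable text
            AccessRights = $rights -join ', '
        }
    }
}

function Compare-FullAccessBaseline {
    param([object[]]$Baseline = @(), [object[]]$Current = @())
    $known = @{}   # hashtable keys compare case-insensitively by default
    foreach ($g in $Baseline) { $known["$($g.Mailbox)|$($g.Trustee)"] = $true }
    # Grants that are not in the baseline are new delegations to review
    $Current | Where-Object { -not $known.ContainsKey("$($_.Mailbox)|$($_.Trustee)") }
}

# Constructed rows shaped like Get-MailboxPermission output (not tenant data)
$sample = @(
    [PSCustomObject]@{ Identity = 'Brenda Smith'; User = 'NT AUTHORITY\SELF'
        AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [PSCustomObject]@{ Identity = 'Brenda Smith'; User = 'Diana.Baker@m365info.com'
        AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [PSCustomObject]@{ Identity = 'Brenda Smith'; User = 'Laura.Terry@m365info.com'
        AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [PSCustomObject]@{ Identity = 'Brenda Smith'; User = 'Sales Norway'
        AccessRights = @('ReadPermission'); IsInherited = $false; Deny = $false }
    [PSCustomObject]@{ Identity = 'Brenda Smith'; User = 'Finance UK mail list'
        AccessRights = @('FullAccess'); IsInherited = $false; Deny = $true }
)

# Tenant use: Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Select-FullAccessGrant
$current  = @($sample | Select-FullAccessGrant)
# Constructed baseline: the grants recorded by a previous, reviewed export
$baseline = @([PSCustomObject]@{ Mailbox = 'Brenda Smith'; Trustee = 'Diana.Baker@m365info.com' })

Compare-FullAccessBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize
```

With the constructed rows, only the Laura.Terry@m365info.com grant is reported: the SELF, ReadPermission-only and Deny rows are filtered out, and the Diana.Baker@m365info.com grant is already in the baseline.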
Conclusion
You learned how to export Full Access mailbox permission with Exchange Online PowerShell. With the Get-MailboxPermission PowerShell cmdlet, you can get a list of users with Full Access permission for a single or all Microsoft 365 mailboxes.