
Full Access Mailbox permission – Everything You Always Wanted to Know About But Were Afraid to Ask part 3/3

This is the last article in a series of three that deal with the implementation and use of the Full Access Mailbox permission in an Office 365 environment.

The article includes two parts:

  1. Displaying Mailbox permissions
    In this section, we review the basic PowerShell command for displaying mailbox permissions and demonstrate a few enhancements that help us “clean” unnecessary information out of the output.
  2. Removing Mailbox permissions
    The logic of the PowerShell command syntax for removing mailbox permissions is identical to the syntax we use for adding them. Despite that, it was important to me to review some typical scenarios that relate to removing Full Access mailbox permissions.

Full Access Mailbox permission | Article Series

The Full Access Mailbox permission article series includes the following three articles:

  1. Full Access Mailbox permission – Part 1/3
  2. Full Access Mailbox permission – Part 2/3
  3. Full Access Mailbox permission – Part 3/3 (this article)

Part 1. Display Mailbox permissions

When we use the basic PowerShell command for displaying mailbox permissions in an Office 365 (Exchange Online) environment, we run into two issues:

  1. Non-relevant information
    The result includes additional details about the permission that the particular user has on his own mailbox, and about the built-in system groups that have permission on every user mailbox.
  2. The username format
    When we display information about a mailbox permission, the user who holds it is identified by the Active Directory username. In an Office 365 (Exchange Online) environment, this AD username is different from the user display name or the mailbox alias. The result is sometimes hard to read or understand, because the “strange AD user names” do not match the conventions we are used to, such as referencing a user by display name or alias.

Using the default display for displaying mailbox permissions

The PowerShell cmdlet that we use for displaying mailbox permissions is Get-MailboxPermission.

For example: To display the Full Access mailbox permission that users (or a group) have in John’s mailbox, we can use the PowerShell command:

Get-MailboxPermission "John"

The output is displayed in the screenshot below.

Default display of mailbox permissions

Technically, we got the required results, but if we look deeper into the result shown on the PowerShell console, we could recognize some “issues”:

The user column

Under the header named User, we can see information about many “objects”, such as a built-in system group with Full Access permission to John’s mailbox and other users. The information about the “objects” that have mailbox permissions is not very clear, for four reasons:

  1. The User column is not wide enough, so a significant portion of each user name is “wiped out”.
  2. The information about the objects that have mailbox permission includes much non-relevant information: built-in system groups, the permission that the user has on his own mailbox, etc.
  3. The name of the user who has mailbox permission is displayed using the Active Directory username. In an Office 365 environment, the Active Directory username is different from the user alias or display name.
  4. The prefix of the username is the server name (non-useful information).

Additionally, the default display includes columns such as IsInherited and Deny (marked as number 2 in the screenshot). Most of the time, this information is also non-relevant.

Optimize the results of the Displayed Mailbox permissions

Step 1 – Clear unnecessary column

In the first step, we remove the non-relevant columns by piping the result to FT (Format-Table). The FT option lets us specify the exact columns to display (by column header name). In our example, we would like to display only the columns Identity, User, and AccessRights.

PowerShell command syntax:

Get-MailboxPermission "John" | FT Identity,User,AccessRights

In the screenshot, we can see that the User column is displayed more clearly, but we still have some issues. There is a lot of non-relevant information, such as the built-in system groups that have Full Access permission on John’s mailbox. Additionally, the users who have Full Access permission, such as the admin account, are displayed using the Active Directory username, which is a combination of the username and numbers.

Default display of mailbox permissions-01

Step 2 – Clear unnecessary information about built-in groups and SELF

To be able to display only the “explicitly assigned permissions” to a mailbox, we will need to filter out or remove non-relevant data.

The first detail that we want to remove is the “SELF” permission that each user has on his own mailbox. The second type of permission that we want to remove from the displayed result is “IsInherited” permissions.

To clear out the unnecessary information, we use a logical condition (the PowerShell Where cmdlet) to exclude the mailbox permission entries classified as NT AUTHORITY\SELF and the entries marked IsInherited.

PowerShell command syntax:

Get-MailboxPermission "John" | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | FL Identity,User,AccessRights

In the following screenshot, we can see that we successfully managed to exclude most of the non-relevant information. We can now see that two users have Full Access mailbox permission to John’s mailbox.

Default display of mailbox permissions-02

Step 3 – Using calculated properties

In the next step, we complete the required task. Our mission now is to show a more readable user name in the User column.

We replace the Active Directory username with the user’s Name property. Additionally, we change the column header from the existing name User to a friendlier one.

For this purpose, we create a new column header called “Users that have Full Access”. The content of the new column is the names of the users who have Full Access mailbox permissions to John’s mailbox. But instead of the standard username convention, we “pull out” the Name property (or identifier) of each user who has permissions, by looking it up with Get-User.

PowerShell command syntax:

Get-MailboxPermission "John" | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | FT Identity, @{name="Users that have Full Access ";expression={(Get-User $_.User).Name}},AccessRights

In the following screenshot, we can see the results.

Using calculated properties

The output displayed in the PowerShell console is more understandable. We can see that the output includes a “new column header” named Users that have Full Access, and we can see the user name that has mailbox permission to John’s mailbox.

But there is still additional improvement that we can use. In the screenshot, we can see that there is a “significant space” between the columns. If the PowerShell screen is not wide enough, we could “lose” some information.

So is there any option to reduce the space between the columns? And the answer is Yes. Let’s look into that in the next step.

Step 4 – Using AutoSize option

In this step, we will use the AutoSize parameter to diminish the space between the result columns.

PowerShell command syntax:

Get-MailboxPermission "John" | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | FT Identity, @{name="Users that have Full Access ";expression={(Get-User $_.User).Name}},AccessRights -AutoSize

In the following screenshot, we can see the results.

Using AutoSize option

Step 5 – Filter out only Full Access mailbox permissions

As mentioned before, the term “Mailbox permissions” includes a variety of different types of permissions. The most common permission is Full Access, but sometimes different kinds of mailbox permissions are implemented.

When we use the PowerShell cmdlet Get-MailboxPermission, the results include all the mailbox permissions that users have on the mailbox.

In case we want to display only Full Access mailbox permissions, we can filter the results by adding the following condition to the Where clause:

($_.AccessRights -like "*FullAccess*")

PowerShell command syntax:

Get-MailboxPermission "John" | Where { ($_.AccessRights -like "*FullAccess*") -and ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity, @{name="User";expression={(Get-User $_.User).Name}},AccessRights
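Steps 1 to 5 above are the parts of one procedure, so the following added example (not code from the original article or from the o365info team) wraps them in a single reusable function. It assumes an existing Exchange Online session (Connect-ExchangeOnline) and uses the article’s sample mailbox name; the function name, the FullAccessOnly switch and the name cache are my own additions. Compared with the one-liners, it caches the Get-User lookups (each one is a round trip to Exchange Online) and falls back to the raw AD name when a trustee cannot be resolved, which happens for orphaned entries left behind by deleted accounts.

```powershell
# Added example: Steps 1-5 as one function. Assumes an Exchange Online session.
function Get-ExplicitMailboxPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity,

        # When set, keep only entries whose AccessRights include FullAccess (Step 5)
        [switch]$FullAccessOnly
    )

    begin {
        # Cache Get-User lookups: the same trustee usually appears on several mailboxes
        $nameCache = @{}
        function Resolve-TrusteeName([string]$User) {
            if (-not $nameCache.ContainsKey($User)) {
                $resolved = Get-User -Identity $User -ErrorAction SilentlyContinue
                # Fall back to the raw AD name when the trustee cannot be resolved
                # (for example, an orphaned SID left behind by a deleted account)
                $nameCache[$User] = if ($resolved) { $resolved.Name } else { $User }
            }
            return $nameCache[$User]
        }
    }

    process {
        foreach ($mailbox in $Identity) {
            Get-MailboxPermission -Identity $mailbox |
                Where-Object {
                    # Step 2: drop inherited entries and the owner's own SELF entry
                    ($_.IsInherited -eq $false) -and
                    ($_.User -notlike 'NT AUTHORITY\SELF') -and
                    # Step 5 (optional): keep only Full Access entries
                    (-not $FullAccessOnly -or ($_.AccessRights -like '*FullAccess*'))
                } |
                ForEach-Object {
                    # Step 1 and Step 3: only the useful columns, with a resolved user name
                    [pscustomobject]@{
                        Identity     = $_.Identity
                        User         = Resolve-TrusteeName $_.User
                        AccessRights = ($_.AccessRights -join ',')
                    }
                }
        }
    }
}

# Usage: Step 4 (AutoSize) is left to the caller, so the same objects can also be exported
Get-ExplicitMailboxPermission -Identity 'John' -FullAccessOnly | Format-Table -AutoSize
Get-ExplicitMailboxPermission -Identity 'John' | Export-Csv .\John-Permissions.csv -NoTypeInformation
```

Because the function emits objects rather than formatted text, the Format-Table -AutoSize step is applied at the end of the pipeline; piping the same output to Export-Csv instead gives a record you can keep for a periodic permission review.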

Display list of mailboxes that a user has Full Access permissions

In the previous section, we reviewed a scenario in which we would like to get information about the mailbox permissions that other users have on a specific user’s mailbox.

In the following scenario, we would like to get information about the permissions that a particular user has on other mailboxes.

For example, we would like to know on which mailboxes the user Administrator has Full Access mailbox permission.

Full Access mailbox permission

To accomplish this task, in the first part of the PowerShell command we use the Get-Mailbox cmdlet to get a list of all the existing mailboxes. In the second part, we use the Get-MailboxPermission cmdlet and add the username. The PowerShell command iterates over the list of mailboxes, checks on which mailboxes the admin user has mailbox permission, and displays the results. The rest of the PowerShell command is used to improve the results displayed by the Get-MailboxPermission cmdlet.

PowerShell command syntax:

Get-Mailbox | Get-MailboxPermission -User "Admin" | Select Identity,@{name="User";expression={(Get-User $_.User).Name}},AccessRights

Display a list of recipients that have Full Access permission on other recipients

In the following scenario, we would like to get a list of all the mailboxes on which another user has been granted mailbox permission.

PowerShell command syntax:

$a = Get-Mailbox 
$a | Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } | Select Identity,@{name="User";expression={(Get-User $_.User).Name}},AccessRights

Display permissions for more than one mailbox

We want to get information about who has mailbox permissions on more than one mailbox. In our example, we would like to know who has mailbox permission on John’s and Alice’s mailboxes. We can list the mailbox names separated by commas.

PowerShell command syntax:

"John","Alice" | ForEach {Get-MailboxPermission -Identity $_}

To improve the look of the displayed result, we will enhance the basic PowerShell command for removing non-relevant information.

PowerShell command syntax:

"John", "Alice" | ForEach { Get-MailboxPermission -Identity $_ | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } } | Select Identity,@{name="User";expression={(Get-User $_.User).Name}},AccessRights
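The three scenarios above (one user across all mailboxes, all trustees across all mailboxes, and a chosen set of mailboxes) differ only in which side of the grant is fixed. The following added example (my code, not the article’s or the o365info team’s) generalises them into one audit function that also summarises how many mailboxes each trustee can open, which is the figure a reviewer wants when looking for over-privileged help desk or admin accounts. It assumes an Exchange Online session; the function name, the ReviewThreshold default and the CSV path are assumptions. Note that Get-Mailbox returns at most 1000 results unless -ResultSize Unlimited is given, so a tenant-wide audit without it silently misses mailboxes.

```powershell
# Added example: tenant-wide audit of explicit Full Access grants.
# Assumes an Exchange Online session. Threshold and output path are assumptions.
function Get-FullAccessAuditReport {
    [CmdletBinding()]
    param(
        # Restrict to these mailboxes; default is every mailbox in the tenant
        [string[]]$Mailbox,
        # Restrict to this trustee (e.g. 'Admin'); default is every trustee
        [string]$User,
        # Trustees with Full Access on at least this many mailboxes are flagged for review
        [int]$ReviewThreshold = 10
    )

    # -ResultSize Unlimited: Get-Mailbox returns only the first 1000 results by default
    $targets = if ($Mailbox) { $Mailbox | ForEach-Object { Get-Mailbox -Identity $_ } }
               else          { Get-Mailbox -ResultSize Unlimited }

    # Pass -User through to Get-MailboxPermission only when the caller asked for one trustee
    $permParams = @{}
    if ($User) { $permParams['User'] = $User }

    $nameCache = @{}
    $grants = foreach ($mbx in $targets) {
        Get-MailboxPermission -Identity $mbx.Identity @permParams |
            Where-Object {
                # Same exclusions as the article: inherited, SELF, Discovery Management
                ($_.IsInherited -eq $false) -and
                ($_.User -notlike 'NT AUTHORITY\SELF') -and
                ($_.User -notlike '*Discovery Management*') -and
                ($_.AccessRights -like '*FullAccess*')
            } |
            ForEach-Object {
                $raw = $_.User
                if (-not $nameCache.ContainsKey($raw)) {
                    $u = Get-User -Identity $raw -ErrorAction SilentlyContinue
                    $nameCache[$raw] = if ($u) { $u.Name } else { $raw }
                }
                [pscustomobject]@{
                    Mailbox     = $mbx.PrimarySmtpAddress
                    MailboxType = $mbx.RecipientTypeDetails
                    User        = $nameCache[$raw]
                    Deny        = $_.Deny   # a Deny entry is not access; keep it visible
                }
            }
    }

    # Per-trustee summary: how many mailboxes each trustee can fully access
    $summary = $grants | Where-Object { -not $_.Deny } | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User         = $_.Name
            MailboxCount = $_.Count
            NeedsReview  = ($_.Count -ge $ReviewThreshold)
            Mailboxes    = ($_.Group.Mailbox -join '; ')
        }
    } | Sort-Object MailboxCount -Descending

    [pscustomobject]@{ Grants = $grants; Summary = $summary }
}

# Usage: who has Full Access on John's and Alice's mailboxes (the scenario just above)
$report = Get-FullAccessAuditReport -Mailbox 'John', 'Alice'
$report.Grants | Format-Table -AutoSize

# Usage: every mailbox the Admin account can open, written to CSV for review
(Get-FullAccessAuditReport -User 'Admin').Grants |
    Export-Csv .\FullAccess-Admin.csv -NoTypeInformation

# Usage: whole tenant, trustees sorted by how many mailboxes they can open
(Get-FullAccessAuditReport).Summary | Format-Table User, MailboxCount, NeedsReview -AutoSize
```

The summary deliberately excludes Deny entries before counting, so an account that has an explicit Deny of Full Access is not reported as holding it. Keeping the per-grant list and the per-trustee summary in one object means the same run serves both the “who can read this mailbox” question and the “what can this account read” question.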

Part 2. Remove Mailbox permissions

In the last section, we review the way we have for removing mailbox permissions. The PowerShell cmdlet we use for removing or revoking mailbox permissions is Remove-MailboxPermission.

Scenario 1 – Remove mailbox permission from a user mailbox

Let’s start with a basic example: we want to remove the Full Access mailbox permission that Alice has on John’s mailbox.

PowerShell command syntax:

Remove-MailboxPermission "John" -User "Alice" -AccessRights FullAccess

By default, the cmdlet for removing a mailbox permission displays a confirmation prompt: “Are you sure you want to perform this action?”

In case we run a script that performs a bulk task, such as removing the mailbox permission that many users have on a particular mailbox, the confirmation process can become tedious.

To skip the confirmation prompt, we can add the parameter -Confirm:$False.

PowerShell command syntax:

Remove-MailboxPermission "John" -User "Alice" -AccessRights FullAccess -Confirm:$False

Scenario 2 – Remove mailbox permission from a collection of mailboxes

This scenario could be used when a specific user, such as a help desk team member or administrator, has Full Access mailbox permission to many mailboxes.

In case we want to remove the mailbox permission that the user has, we will need first to get a list of all the existing mailboxes. Then we will need to check if the particular user has Full Access mailbox permission on the mailbox, and the last step will be – to remove these permissions.

PowerShell command syntax:

$Mailboxes = Get-Mailbox 
ForEach ($member in $Mailboxes) {
    Remove-MailboxPermission $member.name -AccessRights FullAccess -user "Admin"
}

The command is based on the variable that we named $Mailboxes. The variable holds a list of all the existing mailboxes of every type, such as user mailboxes, room mailboxes, etc.

In case we need to remove the Full Access mailbox permission only from a specific mailbox type, we can add a filter to the variable.

Scenario 3 – Remove Full Access permissions only from user mailboxes (Filter user mailboxes)

PowerShell command syntax:

$Mailboxes = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' }
ForEach ($member in $Mailboxes) {
    Remove-MailboxPermission $member.Name -AccessRights FullAccess -User "Admin"
}

Scenario 4 – Remove Full Access permissions only from Room mailboxes (Filter Room mailboxes)

PowerShell command syntax:

$Mailboxes = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'RoomMailbox' }
ForEach ($member in $Mailboxes) {
    Remove-MailboxPermission $member.Name -AccessRights FullAccess -User "Admin"
}
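Scenarios 2 to 4 are steps of one procedure: list the mailboxes (optionally of one type), check where the trustee really holds Full Access, then remove it. The following added example (my code, not the article’s or the o365info team’s) does exactly that in one function, with two things the loops above lack: it only calls Remove-MailboxPermission where an explicit Full Access entry exists, so a bulk run produces a precise log instead of a warning per mailbox, and it supports -WhatIf so the list of changes can be reviewed before anything is revoked. It assumes an Exchange Online session; the function name and the log path are assumptions.

```powershell
# Added example: checked, logged removal of one trustee's Full Access grants.
# Assumes an Exchange Online session. The log path is an assumption.
function Remove-FullAccessGrant {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Trustee whose Full Access is being revoked, e.g. 'Admin'
        [Parameter(Mandatory)]
        [string]$User,

        # Omit to cover every mailbox type (Scenario 2); set it for Scenarios 3 and 4
        [ValidateSet('UserMailbox', 'SharedMailbox', 'RoomMailbox', 'EquipmentMailbox')]
        [string]$MailboxType,

        [string]$LogPath = '.\FullAccess-Removal.log'
    )

    $mailboxParams = @{ ResultSize = 'Unlimited' }
    if ($MailboxType) {
        # Server-side filter, so only mailboxes of the wanted type are retrieved
        $mailboxParams['Filter'] = "RecipientTypeDetails -eq '$MailboxType'"
    }

    # Find the mailboxes where this trustee actually holds an explicit Full Access entry.
    # Checking first avoids a warning per mailbox and gives an exact list for the log.
    $grants = Get-Mailbox @mailboxParams |
        Get-MailboxPermission -User $User |
        Where-Object { -not $_.IsInherited -and ($_.AccessRights -like '*FullAccess*') }

    foreach ($grant in $grants) {
        $target = "$($grant.Identity) (Full Access for $User)"
        # With -WhatIf, ShouldProcess prints what would happen and returns $false,
        # so Remove-MailboxPermission is never reached. -Confirm:$false on the inner
        # call suppresses its own per-mailbox prompt; pass -Confirm to this function
        # instead to be asked once (with a "Yes to All" option).
        if ($PSCmdlet.ShouldProcess($target, 'Remove mailbox permission')) {
            Remove-MailboxPermission -Identity $grant.Identity -User $User `
                -AccessRights FullAccess -Confirm:$false
            "$(Get-Date -Format o) removed FullAccess for $User on $($grant.Identity)" |
                Add-Content -Path $LogPath
        }
    }

    # Return what was matched so the caller can keep it with the change record
    $grants | Select-Object Identity, User, AccessRights
}

# Dry run first: lists what would be removed from room mailboxes, changes nothing
Remove-FullAccessGrant -User 'Admin' -MailboxType 'RoomMailbox' -WhatIf

# Real run over room mailboxes only (Scenario 4); omit -MailboxType for Scenario 2
Remove-FullAccessGrant -User 'Admin' -MailboxType 'RoomMailbox'
```

Running the -WhatIf form first and keeping its output next to the log gives a before-and-after record of the change, which is what an access review or an incident post-mortem will ask for when a broadly privileged account is cleaned up.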

The o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has 3 Comments

  1. How do I export a list of all the mailboxes which shows whether a) they have license, b) are shared, c) auto-mapping is enabled or disabled?

  2. GREAT article!

    I have one question:
    Is it possible to grant full access to one user, but only for the mailbox? The user who’s having full access is not interested in contacts, notes and To do’s???

    Pretty big issue right now.
