When auditing mailbox permissions in an Exchange Server organization or Microsoft 365 tenant (Exchange Online), the administrator needs to find all the mailboxes that a particular user has access to. In this article, we will look at some PowerShell scripts that list the mailboxes (and individual Outlook folders) a specific user has access permissions to.
List All Exchange or Microsoft 365 Mailboxes a User Can Access
Use the Get-MailboxPermission cmdlet to get a list of permissions assigned to a mailbox.
Open a PowerShell console and connect remotely to your on-premises Exchange Server or Microsoft 365 (Exchange Online).
The command below displays a list of users having permission to access the specified mailbox:
Get-MailboxPermission -Identity t.muller@site.onmicrosoft.com | ft -AutoSize
In this example, you can see that Grady and Henrietta have been assigned Full Access permissions to the specified mailbox. The permissions are assigned manually (not inherited), since IsInherited = False.
You can display a full report on the permissions assigned to mailboxes and show it in a convenient Out-GridView table:
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Out-GridView
Using the following PowerShell command, you can find and list mailboxes in your Exchange organization or tenant that a specific user has Full Access permissions to:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User Henrietta | ft User,Identity,AccessRights
In this example, we have found that a user has been assigned Full Access to three mailboxes (the Identity column).
In Microsoft 365, you can use the new Exchange Online PowerShell v2 (EXO V2) module cmdlets to get this list:
Get-EXOMailbox -ResultSize Unlimited | ForEach-Object { Get-EXOMailboxPermission -Identity $_.Identity } | Where-Object {$_.User -eq "Henrietta@site.onmicrosoft.com"}
You can filter by mailbox type to make the search faster. To do this, add the -RecipientTypeDetails parameter to the Get-EXOMailbox or Get-Mailbox command and specify the mailbox type you want to search for:
- DiscoveryMailbox
- EquipmentMailbox
- GroupMailbox
- LegacyMailbox
- LinkedMailbox
- LinkedRoomMailbox
- RoomMailbox
- SchedulingMailbox
- SharedMailbox
- TeamMailbox
- UserMailbox
For example:
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Get-MailboxPermission -User "Henrietta" | ft User,Identity,AccessRights
To find mailboxes a user has SendAs permissions on:
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-RecipientPermission -Trustee Henrietta
You can also find mailboxes with Send on behalf permissions enabled:
Get-Mailbox | ? {$_.GrantSendOnBehalfTo -match "Henrietta"}
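The Full Access, Send As and Send on Behalf checks shown above can be merged into a single report for one trustee. This is an added example, not part of the original article: the function name Get-UserMailboxAccess, the output column names and the CSV file name are assumptions, and it expects a connected session in which Get-Mailbox, Get-MailboxPermission and Get-RecipientPermission are available.

```powershell
# Added example: one delegation report for a single trustee.
# Get-UserMailboxAccess is a hypothetical helper name, not an Exchange cmdlet.
function Get-UserMailboxAccess {
    param(
        [Parameter(Mandatory)] [string] $Trustee,
        [string[]] $RecipientTypeDetails = @('UserMailbox', 'SharedMailbox')
    )

    # Emit every finding in the same shape so the results can be sorted and exported
    function New-Finding ($Mailbox, $Rights, $Source) {
        [pscustomobject]@{
            Mailbox = $Mailbox; Trustee = $Trustee
            Rights  = ($Rights -join ','); Source = $Source
        }
    }

    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $RecipientTypeDetails
    foreach ($mbx in $mailboxes) {
        $id = [string]$mbx.PrimarySmtpAddress

        # Mailbox-level rights (FullAccess etc.): explicit allow entries only
        Get-MailboxPermission -Identity $id -User $Trustee -ErrorAction SilentlyContinue |
            Where-Object { -not $_.IsInherited -and -not $_.Deny } |
            ForEach-Object { New-Finding $id $_.AccessRights 'MailboxPermission' }

        # Send As
        Get-RecipientPermission -Identity $id -Trustee $Trustee -ErrorAction SilentlyContinue |
            ForEach-Object { New-Finding $id $_.AccessRights 'RecipientPermission' }

        # Send on Behalf: matched by name, as in the one-liner above
        if ($mbx.GrantSendOnBehalfTo -match [regex]::Escape($Trustee)) {
            New-Finding $id 'SendOnBehalf' 'GrantSendOnBehalfTo'
        }
    }
}

Get-UserMailboxAccess -Trustee 'Henrietta' |
    Sort-Object Mailbox, Source |
    Export-Csv -Path .\Henrietta-mailbox-access.csv -NoTypeInformation
```

Keeping the CSV from each audit run lets you compare two runs and spot delegations that were added between them.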
You can use Exchange audit logging and Azure sign-in logs to get information about user activities in other users’ mailboxes.
How to List Mailbox Folders a User Can Access in Exchange/Microsoft 365
In addition to assigning permissions to the entire Exchange (Microsoft 365) mailbox, you can grant access to a specific mailbox folder. For example, only to the Inbox or Calendar folder. When auditing user permissions, sometimes you have to find not only mailboxes with FullAccess permissions but also specific folders in users’ mailboxes that other users have access to.
You can get a list of folders in the specified mailbox by using the Get-MailboxFolderStatistics cmdlet. Then you can use the Get-MailboxFolderPermission to list folder permissions.
The following PowerShell script checks all mailboxes in your organization and lists the folders (including subfolders) a user has access to.
In Exchange organizations with a large number of mailboxes, the script may run slowly. It is recommended to pre-filter the list of mailboxes or process it in parts. The size of each mailbox and the number of folders in it also affect script performance, because folder information is collected with Get-MailboxFolderStatistics.
# Display-name pattern of the user whose folder permissions we are looking for
$user_find_permissions = "*Henrietta Fischer*"
$allpermissions = @()
$MBXs = Get-Mailbox -ResultSize Unlimited
foreach ($MBX in $MBXs) {
    # FolderPath holds the full path (e.g. /Inbox/Subfolder); Name is only the leaf name
    $MBXfolders = Get-MailboxFolderStatistics $MBX.PrimarySmtpAddress | select FolderPath
    foreach ($MBXfolder in $MBXfolders) {
        try {
            # Build the folder identity in the form mailbox:\Inbox\Subfolder
            $folder = "$($MBX.PrimarySmtpAddress):" + $MBXfolder.FolderPath.Replace("/", "\")
            $folderpermissions = Get-MailboxFolderPermission -Identity $folder -ErrorAction Stop | where { $_.User -like $user_find_permissions }
            # Add only real matches so the result contains no empty entries
            if ($folderpermissions) { $allpermissions += $folderpermissions }
        }
        catch {
            # Skip folders that cannot be queried
            continue
        }
    }
}
$allpermissions | select Identity, FolderName, User, AccessRights
This PowerShell script will list all folders in other users’ mailboxes a particular user has access to. The mailbox name (Identity), FolderName, and assigned folder permissions (Editor, Reviewer, etc.) are displayed.
You can use the Search-Mailbox or New-ComplianceSearch cmdlets to search and delete specific email messages in user mailboxes.
Also, you can use the new Get-EXOMailbox, Get-EXOMailboxFolderPermission, and Get-EXOMailboxFolderStatistics cmdlets in the EXO V2 module for Microsoft 365.