Easier way to get a report of all SendAs permissions in Office 365

Another random discovery I made recently, probably been working like that for a while: the Get-RecipientPermission cmdlet, when run with no parameters, now returns a list of all objects in your organization that have been granted SendAs permissions. While it was relatively easy to get a report on this previously, now it’s as simple as running the Get-RecipientPermission and capturing the output. For example:

Of course, you might want to tweak the output a bit, because as seen from the above screenshot it returns a bit too much data. That’s due to the fact that each mailbox has permissions to send as self (the “NT AUTHORITY\SELF” entry), and also due to the fact that for whatever reason, Microsoft decided to surface some “hidden” mailboxes in the output. A cleaner version can be obtained via:

Get-RecipientPermission | ? {$_.Trustee -ne "NT AUTHORITY\SELF" -and $_.Trustee -ne "NULL SID"}

Here’s how it looks like in my case:

Note that it includes every recipient type, even Group mailboxes. If you want to include the Recipient type in the output, use something like this (thanks Microsoft for not fixing the Get-Recipient to work properly with GroupMailboxes, even after a dozen or so reports!):

Get-RecipientPermission | ? {$_.Trustee -ne "NT AUTHORITY\SELF" -and $_.Trustee -ne "NULL SID"} | select Identity,@{n="RecipientType";e={((Get-Recipient $_.Identity -ErrorAction silentlycontinue).RecipientTypeDetails + (Get-Recipient $_.Identity -RecipientTypeDetails GroupMailbox -ErrorAction silentlycontinue).RecipientTypeDetails)}},Trustee, Access* | ft -a

Which yields the following result:

Of course, you can also export this to CSV and work with the output 🙂

This entry was posted in Exchange Online, Office 365, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *