Removing automapping and resetting default mailbox permissions in Exchange Online

Corrupted mailbox permissions and automapping settings are not an uncommon scenario, and many Exchange admins have run into them. In the on-prem world, apart from re-examining the settings or re-applying the permissions, one can perform additional troubleshooting by working with the relevant AD attributes directly. For automapping, those are the msExchDelegateListLink and msExchDelegateListBL attributes, as explained for example in this article.

In the Exchange Online world, however, we don't have access to the underlying AD infrastructure and we cannot even see the values of these attributes, let alone change them. So if something was wrong with them, our only option was to escalate a case to Microsoft so that a support engineer could make any necessary changes. Last year, however, life was made a bit easier, with Microsoft introducing support for the ClearAutoMapping parameter for Remove-MailboxPermission. The parameter basically purges any entries present in the msExchDelegateListLink attribute, which in turn should also remove the corresponding entry under the user's msExchDelegateListBL backlink attribute. Using the cmdlet is easy: you simply need to provide the identity of the mailbox for which to clear the automapping entries:

PS C:\> Remove-MailboxPermission shared -ClearAutoMapping
Confirm
Are you sure you want to perform this action?
Clear automatic mapping delegation entries for mailbox "shared". Users granted FullAccess permission to this mailbox will no longer have the mailbox mapped automatically.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"):

Note that the cmdlet will not change any of the permissions on said mailbox; all it does is clear msExchDelegateListLink. So, for example, if we have a mailbox with several users with Full Access, running the cmdlet leaves the permission entries unchanged:

PS C:\> Get-MailboxPermission shared | ft -AutoSize

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
shared user1@domain.com {FullAccess} False False
shared user2@domain.com {FullAccess} False False

PS C:\> Remove-MailboxPermission shared -ClearAutoMapping -Confirm:$false
PS C:\> Get-MailboxPermission shared | ft -AutoSize

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
shared user1@domain.com {FullAccess} False False
shared user2@domain.com {FullAccess} False False

If you actually want to quickly remove any permissions as well, you can take advantage of another newly introduced parameter, ResetDefault. Using it will remove any mailbox-level permissions applied on the mailbox and the corresponding automapping settings. Send As, Send on Behalf of, and folder-level permissions are not affected by the cmdlet. Here's an example of how to use it:

PS C:\> Get-MailboxPermission WC

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
WC NT AUTHORITY\SELF {FullAccess, ReadPermission} False False
WC NT AUTHORITY\SELF {FullAccess, ExternalAccount, ReadPermission} False False
WC user1@domain.com {FullAccess} False False
WC user2@domain.com {ReadPermission} False False
WC EURPRD03\Administ... {FullAccess} True True
WC EURPRD03\Domain A... {FullAccess} True True
…

PS C:\> Remove-MailboxPermission WC -ResetDefault
Confirm
Are you sure you want to perform this action?
Reset default mailbox permissions for mailbox "WC". All delegated permission will be removed.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"):

PS C:\> Get-MailboxPermission WC

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
WC NT AUTHORITY\SELF {FullAccess, ReadPermission} False False
WC EURPRD03\Administ... {FullAccess} True True
WC EURPRD03\Domain A... {FullAccess} True True
…

In effect, only the default permissions remain active. So keep those two useful parameters in mind next time you run into some issue with mailbox level permissions or automapping.
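
Because ResetDefault removes every delegated mailbox-level permission in one step, it helps to record who held access before running it. The following is an added example, not code from the original post: the function name Reset-MailboxPermissionWithBackup and the CSV path are hypothetical, and it assumes an already connected Exchange Online PowerShell session.

```powershell
# Added example. Assumes a connected Exchange Online session (Connect-ExchangeOnline).
# Reset-MailboxPermissionWithBackup is a hypothetical helper name.
function Reset-MailboxPermissionWithBackup {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$BackupPath
    )

    # Explicit entries only: skip inherited ACEs and the owner's own SELF entries
    $isExplicit = { -not $_.IsInherited -and "$($_.User)" -ne 'NT AUTHORITY\SELF' }

    # AccessRights is a collection; flatten it so the CSV stays readable
    $snapshot = @(Get-MailboxPermission -Identity $Identity -ErrorAction Stop |
        Where-Object $isExplicit |
        Select-Object Identity, User, Deny,
            @{ Name = 'AccessRights'; Expression = { $_.AccessRights -join ';' } })

    if ($snapshot.Count -eq 0) {
        Write-Verbose "No explicit delegations on '$Identity'; nothing to reset."
        return
    }

    # Always write the record, even when the function is called with -WhatIf
    $snapshot | Export-Csv -Path $BackupPath -NoTypeInformation -Encoding UTF8 -WhatIf:$false

    if ($PSCmdlet.ShouldProcess($Identity, 'Reset mailbox permissions to default')) {
        Remove-MailboxPermission -Identity $Identity -ResetDefault -Confirm:$false -ErrorAction Stop

        # Verify: any explicit entry that survived the reset deserves a second look
        $left = @(Get-MailboxPermission -Identity $Identity | Where-Object $isExplicit)
        if ($left.Count -gt 0) {
            Write-Warning "$($left.Count) explicit entries remain on '$Identity'; review them."
        }
    }

    # Return the pre-reset delegations for review or selective re-granting
    $snapshot
}

# Dry run first, then the real reset (mailbox name WC as in the article):
# Reset-MailboxPermissionWithBackup -Identity WC -BackupPath .\WC-permissions.csv -WhatIf
# Reset-MailboxPermissionWithBackup -Identity WC -BackupPath .\WC-permissions.csv
```

The CSV gives you a record of which accounts held FullAccess or other rights, so legitimate delegations can be re-granted deliberately with Add-MailboxPermission instead of from memory.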
