Quickly list all mailboxes to which a particular user has access

Which mailboxes does a given user have access to? This question gets asked a lot, and many people don't realize how easy the answer really is. Here it is:

  • List all mailboxes to which a particular user has Full Access permissions:
PS C:\> Get-Mailbox | Get-MailboxPermission -User vasil

Identity             User                 AccessRights
--------             ----                 ------------
HuKu                 Vasil Michev         {FullAccess}
retail               Vasil Michev         {FullAccess}
sharednew            Vasil Michev         {FullAccess}
testplan2            Vasil Michev         {FullAccess}
WC                   Vasil Michev         {FullAccess}
  • List all shared/user/room/whatever mailboxes to which a particular user has Full Access permissions:
PS C:\> Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -ResultSize Unlimited | Get-MailboxPermission -User vasil

Identity             User                 AccessRights
--------             ----                 ------------
HuKu                 Vasil Michev         {FullAccess}
retail               Vasil Michev         {FullAccess}
sharednew            Vasil Michev         {FullAccess}
testplan2            Vasil Michev         {FullAccess}
  • List all mailboxes to which members of a particular security group have access:
PS C:\> Get-Mailbox | Get-MailboxPermission -User secgrp

Identity             User                 AccessRights
--------             ----                 ------------
Bathroom             secgrp               {FullAccess}
  • List all mailboxes to which a user has Send As permissions:
PS C:\> Get-Mailbox | Get-RecipientPermission -Trustee vasil

Identity                            Trustee                             AccessControlType                   AccessRights
--------                            -------                             -----------------                   ------------
sharednew                           Vasil Michev                        Allow                               {SendAs}
  • List all user mailboxes to which members of a particular security group have Send As access:
PS C:\> Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-RecipientPermission -Trustee secgrp

Identity                            Trustee                             AccessControlType                   AccessRights
--------                            -------                             -----------------                   ------------
HuKu                                secgrp                              Allow                               {SendAs}
  • List all mailboxes to which a particular security principal has Send on behalf of permissions:
PS C:\> Get-Mailbox | ? {$_.GrantSendOnBehalfTo -match "vasil"}

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
Bathroom                  bathroom             amspr03mb084     49.5 GB (53,150,220,288 bytes)
WC                        WC                   dbxpr03mb096     9.5 GB (10,200,547,328 bytes)
  • List all (shared) mailboxes without any Full Access permissions other than self:
PS C:\> Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ? { (Get-MailboxPermission $_.UserPrincipalName | ? {$_.User -ne "NT AUTHORITY\SELF"}).Count -eq 0 }

Name               Alias           Database           ProhibitSendQuota    ExternalDirectoryObjectId
----               -----           --------           -----------------    -------------------------
retail             retail          EURPR03DG210-db104 9.5 GB (10,200,54... xxxx-xxxx-xxxx-xxxx-xxxx
TestAppPermissions TestAppPermi... EURPR03DG038-db069 9.5 GB (10,200,54... xxxx-xxxx-xxxx-xxxx-xxxx
  • List all mailboxes without any Send As permissions other than self:
PS C:\> Get-Mailbox -ResultSize Unlimited | ? { (Get-RecipientPermission $_.UserPrincipalName | ? {$_.Trustee -ne "NT AUTHORITY\SELF"}).Count -eq 0 }

Name               Alias           Database           ProhibitSendQuota    ExternalDirectoryObjectId
----               -----           --------           -----------------    -------------------------
retail             retail          EURPR03DG210-db104 9.5 GB (10,200,54... xxxx-xxxx-xxxx-xxxx-xxxx
shared2018         shared2018      EURPR03DG045-db051 9.5 GB (10,200,54... xxxx-xxxx-xxxx-xxxx-xxxx
  • List all mailboxes without any Send on behalf of permissions:
PS C:\> Get-Mailbox -ResultSize Unlimited -Filter {GrantSendOnBehalfTo -eq $null}

Name               Alias           Database           ProhibitSendQuota    ExternalDirectoryObjectId
----               -----           --------           -----------------    -------------------------
vasil              vasil           EURPR03DG251-db050 49.5 GB (53,150,2... xxxx-xxxx-xxxx-xxxx-xxxx
gosho              gosho           EURPR03DG490-db076 9.5 GB (10,200,54... xxxx-xxxx-xxxx-xxxx-xxxx

There will be slight differences if you are running this against on-prem Exchange, but remember that you can also look at the AD attributes there (msExchDelegateListLink and msExchDelegateListBL).
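
The Full Access, Send As and Send on behalf checks above combined into one access-review report, as an added example that is not part of the original post. It assumes an already-connected Exchange Online PowerShell session; the function name Get-DelegatedMailboxAccess, the output column names and the CSV file name are hypothetical.

```powershell
# Added example: one delegation report per principal (not from the original post).
# Assumes an already-connected Exchange Online PowerShell session.
function Get-DelegatedMailboxAccess {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Principal,   # user or group, e.g. vasil / secgrp
        [string[]] $RecipientTypeDetails = @('UserMailbox', 'SharedMailbox', 'RoomMailbox')
    )

    # Build one uniform row so all three delegation types land in the same CSV.
    $row = {
        param($mbx, $type, $rights, $inherited)
        [pscustomobject]@{
            Mailbox     = $mbx.PrimarySmtpAddress
            MailboxType = $mbx.RecipientTypeDetails
            Principal   = $Principal
            Delegation  = $type
            Rights      = $rights -join ','
            Inherited   = $inherited
        }
    }

    # -ResultSize Unlimited matters: the default cap is 1000 mailboxes,
    # so a review run without it can silently miss delegations.
    $mailboxes = Get-Mailbox -RecipientTypeDetails $RecipientTypeDetails -ResultSize Unlimited

    foreach ($mbx in $mailboxes) {
        # Full Access and other mailbox-level rights; explicit Deny entries grant nothing.
        Get-MailboxPermission -Identity $mbx.UserPrincipalName -User $Principal |
            Where-Object { -not $_.Deny } |
            ForEach-Object { & $row $mbx 'MailboxPermission' $_.AccessRights $_.IsInherited }

        # Send As lives on the recipient object, not in the mailbox ACL.
        Get-RecipientPermission -Identity $mbx.UserPrincipalName -Trustee $Principal |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { & $row $mbx 'RecipientPermission' $_.AccessRights $_.IsInherited }

        # Send on behalf is a mailbox property. As in the post, -match is a substring
        # match, so escape the input and review near-matches (vasil also matches vasil2).
        $hits = @($mbx.GrantSendOnBehalfTo | Where-Object { $_ -match [regex]::Escape($Principal) })
        if ($hits.Count -gt 0) { & $row $mbx 'GrantSendOnBehalfTo' 'SendOnBehalf' $false }
    }
}

# Usage: snapshot what the account can reach, e.g. during offboarding or an access review.
Get-DelegatedMailboxAccess -Principal 'vasil' |
    Export-Csv -Path .\vasil-delegations.csv -NoTypeInformation
```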

133 thoughts on “Quickly list all mailboxes to which a particular user has access”

  1. Brent Newland says:

    I have made use of the following:

    On-Prem Exchange:
    Get-EOPMailbox -ResultSize Unlimited -ErrorAction:SilentlyContinue | Get-EOPMailboxPermission -User $Uname | Get-EOPMailbox | Select Identity,DisplayName,UserPrincipalName,PrimarySMTPAddress,RecipientType,RecipientTypeDetails

    Exchange Online:
    $Uemail = (Get-EXOMailbox $Uname).UserPrincipalName
    Get-EXOMailbox -ResultSize Unlimited | ForEach-Object { Get-EXOMailboxPermission -Identity $_.Identity } | Where-Object {$_.User -eq $Uemail} | Get-EXOMailbox | Select Identity,DisplayName,UserPrincipalName,PrimarySMTPAddress,RecipientType,RecipientTypeDetails

    Note: Exchange Online “Get-EXOMailboxPermission” has two serious flaws – The “-User” parameter is CASE SENSITIVE, which is stupid, and it returns an error on every mailbox the user doesn’t have permissions on (Get-MailboxPermission returns nothing under the same conditions).

  2. Alex Gomez says:

    Hi my friend, I’m looking for a script using the Exchange Online PowerShell module to get all the conference rooms (resources) and their permissions, booking delegates, resource delegates, hidden from global list and booking policy.
    Please be my guide. Thanks.

  3. arj says:

    Hey Vasil, do you have a solution for getting mailboxes using the Graph API?

  4. David Jones says:

    Hi Vasil,

    When a new employee takes over the role of one that has left, what is the easiest way to ensure the new employee inherits everything that has already been set up for the departed employee? For example, any shared mailboxes or resources they connect to or have rights to as well as any users they have delegate rights to, regardless of what kind (i.e. The report would contain all of this information, including the delegate mailbox and what rights they have).

    Cheers,

    David.

  5. Andrew says:

    Hello Vasil! Great post as always!

    Do you know how one would query all Rooms and Equipment (or resources) a user is a member of? For example if you execute;

    Get-Mailbox -Filter '(RecipientTypeDetails -eq "RoomMailbox")' | Select Name,Alias

    It shows all Room mailboxes, however when you search;

    Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | Get-MailboxPermission -User vasil

    I do not get any results. Any ideas? Thank you!

    1. Vasil Michev says:

      That format should work. If you don’t have any user named “vasil” or said user has no permissions on any of the Room mailboxes, output will be empty – that’s the expected behavior.

      1. Newman says:

        I’m just impressed you’re still responding to comments on this seven-year-old article. 🙂 (Which, even today, is proving to be very helpful – thank you.)

  6. Umar says:

    Hey Vasil.

    I want to list all Teams with no members please.

    Thank you

  7. Al4 says:

    Hi Vasil !
    I want to list all shared mailboxes that only have a delegate with PowerShell and export them as a CSV document per Name, identity, alias, ProhibitSendQuota, UserPrincipalName, user, AccessRights.

    Thank you.

  8. Kader says:

    Nice... great job Vasil, very helpful
    Thanks for sharing!!

    I want to export the result of this command to a CSV file. Do you have any idea:
    Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox | Get-MailboxPermission

  9. Gaurav says:

    Hello, thanks for the article,

    Do you have any idea how we can check, for a shared mailbox, when a particular user was added to it and by whom?

    1. Vasil Michev says:

      Check the admin audit log/Unified audit log if using Exchange Online.
