Accessing Supervisory mailboxes in Outlook

The new, improved Supervision feature in Office 365 was made available a week ago. If differs from the old version is several key areas, but the idea is the same – it gives you the ability to monitor some percentage (or all) of employee communication. Details on how to setup the feature can be found for example here: https://support.office.com/en-us/article/Configure-supervision-policies-for-your-organization-d14ae7c3-fcb0-4a03-967b-cbed861bb086

As you might know already from the documentation, the new version relies on SupervisoryReview mailboxes to store the messages for review. The actual recipient type is SupervisoryReviewPolicyMailbox, however knowing this will not help you a lot, as the mailboxes are well hidden in both the UI and PowerShell. The only method you can use to get the name of the mailbox is via the Get-SupervisoryReviewPolicyV2, for example:

Get-CSupervisoryReviewPolicyV2 | select Name,ReviewMailbox

Name ReviewMailbox
---- -------------
Supervision SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com

Now, when it comes to actually accessing the mailbox, things should be taken care of thanks to the Supervisory Review add-in that is automatically installed for users designated as Reviewers.

The add-in will make sure that the Supervisory Review mailbox is added as additional mailbox in OWA and exposes the relevant actions as well. When it comes to accessing the Supervisory mailbox in Outlook though, things are a bit trickier. Microsoft has published an article detailing how you can add the mailbox in Outlook, however if you follow the steps there you will find out that the process does not actually work.

The thing is, the steps in the article details the process of adding a mailbox as additional account in Outlook. In order to do this, you must have Full Access permissions on said mailbox, which is not the case here. Permissions on the Supervisory mailbox are granted on the Folder level, namely each Reviewer will get the “reviewer” level of permissions on the Root folder and the “Supervision” folder tree. In other words, this is what you will see via PowerShell:

Get-MailboxPermission "SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com" -User vasil

Get-MailboxFolderPermission "SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com" -User vasil

FolderName User AccessRights
---------- ---- ------------
Top of Informatio... Vasil Michev {Reviewer}

Get-MailboxFolderPermission "SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com:\Supervision" -User vasil

FolderName User AccessRights
---------- ---- ------------
Supervision Vasil Michev {Reviewer}

Yes, while the Get-Mailbox or Get-Recipient cmdlets does not recognize Supervisory Mailboxes, some other cmdlets will work just fine. This includes the Add-MailboxPermission cmdlet, which you can use to grant Full Access permissions to the mailbox (with Automapping enabled) and the Set-Mailbox cmdlet which you can use to un-hide it from the GAL:

Add-MailboxPermission "SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com" -User vasil -AccessRights FullAccess

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
SupervisoryReview... EURPR03A001\vasil... {FullAccess} False False

Set-Mailbox "SupervisoryReview{feea04e6-3ae2-4edc-8526-7d758192d7d7}@michev.onmicrosoft.com" -HiddenFromAddressListsEnabled $false

After doing this, it’s just a matter of waiting for autodiscover refresh and you will get the mailbox added to your Outlook profile:

Now, Microsoft has acknowledged the issue and is working on providing a solution, in the meantime you can use the steps here as a workaround.

This entry was posted in Exchange Online, Office 365, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *