Get-MailboxPermission cmdlet now returns UPN as the user info

A small, but very important change has been pushed to the EO servers. Namely, the output of the Get-MailboxPermission cmdlet now includes the UPN of the user, instead of the display name. Here’s an example:

PS C:\> Get-MailboxPermission wc

Identity             User                 AccessRights
--------             ----                 ------------
WC                   NT AUTHORITY\SELF    {FullAccess, ReadPermission}
WC                   NT AUTHORITY\SELF    {FullAccess, ExternalAccount, ReadPermission}
WC                   vasil@michev.info    {FullAccess}
WC                   huku@michev.info     {ReadPermission}

While the change itself is minor, it does help a lot. Especially in large organizations with thousands of users, or in countries where it’s common for people to have the same name. The display name is simply not suitable for identifying the user, and UPN makes much more sense.

Up until now, we had to do additional verifications in order to make sure we have the correct principal, as displayName is simply not unique. For example, one of the scripts I use was getting all recipients that match said display name, and for each of those matches performs additional checks against the mailbox, making use of the -User parameter (for example: Get-MailboxPermission wc -User vasil). And in some cases, even that was not enough (say if you have 5 ‘John Smiths’ with permissions on the said object). So yes, this simple change definitely makes a difference. Unfortunately, the GUI tools still return the display name, but hopefully that will change in the near future.

I’m certain the change will make it’s way to on-prem as well!

This entry was posted in Exchange Online, Office 365, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *