Easier way to get a report of all SendAs permissions in Office 365

Another random discovery I made recently, probably been working like that for a while: the Get-RecipientPermission cmdlet, when run with no parameters, now returns a list of all objects in your organization that have been granted SendAs permissions. While it was relatively easy to get a report on this previously, now it’s as simple as running the Get-RecipientPermission and capturing the output. For example:

122116 1227 Easierwayto1 e1482323453590

Of course, you might want to tweak the output a bit, because as seen from the above screenshot it returns a bit too much data. That’s due to the fact that each mailbox has permissions to send as self (the “NT AUTHORITY\SELF” entry), and also due to the fact that for whatever reason, Microsoft decided to surface some “hidden” mailboxes in the output. A cleaner version can be obtained via:

Get-RecipientPermission | ? {$_.Trustee -ne "NT AUTHORITY\SELF" -and $_.Trustee -ne "NULL SID"}

Here’s how it looks like in my case:

122116 1227 Easierwayto2

Note that it includes every recipient type, even Group mailboxes. If you want to include the Recipient type in the output, use something like this (thanks Microsoft for not fixing the Get-Recipient to work properly with GroupMailboxes, even after a dozen or so reports!):

Get-RecipientPermission | ? {$_.Trustee -ne "NT AUTHORITY\SELF" -and $_.Trustee -ne "NULL SID"} | select Identity,@{n="RecipientType";e={((Get-Recipient $_.Identity -ErrorAction silentlycontinue).RecipientTypeDetails + (Get-Recipient $_.Identity -RecipientTypeDetails GroupMailbox -ErrorAction silentlycontinue).RecipientTypeDetails)}},Trustee, Access* | ft -a

Which yields the following result:

122116 1227 Easierwayto3 e1482323495222

Of course, you can also export this to CSV and work with the output 🙂

2 thoughts on “Easier way to get a report of all SendAs permissions in Office 365

  1. Bob says:

    Very useful! I have a question. Some of the permissions are setup via groups. So, if a group has permissions to the mailbox, is there a way to expand the group and list the group members as well? Thanks.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.