Another random discovery I made recently, probably been working like that for a while: the Get-RecipientPermission cmdlet, when run with no parameters, now returns a list of all objects in your organization that have been granted SendAs permissions. While it was relatively easy to get a report on this previously, now it’s as simple as running the Get-RecipientPermission and capturing the output. For example:
Of course, you might want to tweak the output a bit, because as seen from the above screenshot it returns a bit too much data. That’s due to the fact that each mailbox has permissions to send as self (the “NT AUTHORITY\SELF” entry), and also due to the fact that for whatever reason, Microsoft decided to surface some “hidden” mailboxes in the output. A cleaner version can be obtained via:
Get-RecipientPermission | ? {$_.Trustee -ne "NT AUTHORITY\SELF" -and $_.Trustee -ne "NULL SID"}
Here’s how it looks like in my case:
Note that it includes every recipient type, even Group mailboxes. If you want to include the Recipient type in the output, use something like this (thanks Microsoft for not fixing the Get-Recipient to work properly with GroupMailboxes, even after a dozen or so reports!):
Get-RecipientPermission | ? {$_.Trustee -ne "NT AUTHORITY\SELF" -and $_.Trustee -ne "NULL SID"} | select Identity,@{n="RecipientType";e={((Get-Recipient $_.Identity -ErrorAction silentlycontinue).RecipientTypeDetails + (Get-Recipient $_.Identity -RecipientTypeDetails GroupMailbox -ErrorAction silentlycontinue).RecipientTypeDetails)}},Trustee, Access* | ft -a
Which yields the following result:
Of course, you can also export this to CSV and work with the output 🙂
Very useful! I have a question. Some of the permissions are setup via groups. So, if a group has permissions to the mailbox, is there a way to expand the group and list the group members as well? Thanks.
There’s always a way, but the samples here are simple one-liners, and you will need a full-blown script for that. Here’s one that can expand group membership recursively: https://practical365.com/blog/how-to-inventory-membership-of-exchange-groups-recursively/