Which mailboxes does a given user have access to? This question gets asked a lot, and people are unaware how easy the answer really is. Here it is:
- List all mailboxes to which a particular user has Full Access permissions:
PS C:\> Get-Mailbox | Get-MailboxPermission -User vasil
Identity   User          AccessRights
--------   ----          ------------
HuKu       Vasil Michev  {FullAccess}
retail     Vasil Michev  {FullAccess}
sharednew  Vasil Michev  {FullAccess}
testplan2  Vasil Michev  {FullAccess}
WC         Vasil Michev  {FullAccess}
- List all shared/user/room/whatever mailboxes to which a particular user has Full Access permissions:
PS C:\> Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -ResultSize Unlimited | Get-MailboxPermission -User vasil
Identity   User          AccessRights
--------   ----          ------------
HuKu       Vasil Michev  {FullAccess}
retail     Vasil Michev  {FullAccess}
sharednew  Vasil Michev  {FullAccess}
testplan2  Vasil Michev  {FullAccess}
- List all mailboxes to which members of a particular security group have access:
PS C:\> Get-Mailbox | Get-MailboxPermission -User secgrp
Identity  User    AccessRights
--------  ----    ------------
Bathroom  secgrp  {FullAccess}
- List all mailboxes to which a user has Send As permissions:
PS C:\> Get-Mailbox | Get-RecipientPermission -Trustee vasil
Identity   Trustee       AccessControlType  AccessRights
--------   -------       -----------------  ------------
sharednew  Vasil Michev  Allow              {SendAs}
- List all user mailboxes to which members of a particular security group have Send As access:
PS C:\> Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-RecipientPermission -Trustee secgrp
Identity  Trustee  AccessControlType  AccessRights
--------  -------  -----------------  ------------
HuKu      secgrp   Allow              {SendAs}
- List all mailboxes to which a particular security principal has Send on behalf of permissions:
PS C:\> Get-Mailbox | ? {$_.GrantSendOnBehalfTo -match "vasil"}
Name      Alias     ServerName    ProhibitSendQuota
----      -----     ----------    -----------------
Bathroom  bathroom  amspr03mb084  49.5 GB (53,150,220,288 bytes)
WC        WC        dbxpr03mb096  9.5 GB (10,200,547,328 bytes)
- List all (shared) mailboxes without any Full Access permissions other than self:
PS C:\> Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ? { (Get-MailboxPermission $_.UserPrincipalName | ? {$_.User -ne "NT AUTHORITY\SELF"}).Count -eq 0 }
Name                Alias            Database            ProhibitSendQuota     ExternalDirectoryObjectId
----                -----            --------            -----------------     -------------------------
retail              retail           EURPR03DG210-db104  9.5 GB (10,200,54...  xxxx-xxxx-xxxx-xxxx-xxxx
TestAppPermissions  TestAppPermi...  EURPR03DG038-db069  9.5 GB (10,200,54...  xxxx-xxxx-xxxx-xxxx-xxxx
- List all mailboxes without any Send As permissions other than self:
PS C:\> Get-Mailbox -ResultSize Unlimited | ? { (Get-RecipientPermission $_.UserPrincipalName | ? {$_.Trustee -ne "NT AUTHORITY\SELF"}).Count -eq 0 }
Name        Alias       Database            ProhibitSendQuota     ExternalDirectoryObjectId
----        -----       --------            -----------------     -------------------------
retail      retail      EURPR03DG210-db104  9.5 GB (10,200,54...  xxxx-xxxx-xxxx-xxxx-xxxx
shared2018  shared2018  EURPR03DG045-db051  9.5 GB (10,200,54...  xxxx-xxxx-xxxx-xxxx-xxxx
- List all mailboxes without any Send on behalf of permissions:
PS C:\> Get-Mailbox -ResultSize Unlimited -Filter {GrantSendOnBehalfTo -eq $null}
Name   Alias  Database            ProhibitSendQuota     ExternalDirectoryObjectId
----   -----  --------            -----------------     -------------------------
vasil  vasil  EURPR03DG251-db050  49.5 GB (53,150,2...  xxxx-xxxx-xxxx-xxxx-xxxx
gosho  gosho  EURPR03DG490-db076  9.5 GB (10,200,54...  xxxx-xxxx-xxxx-xxxx-xxxx
There will be slight differences if you are running this against on-prem Exchange, but remember that you can also look at the AD attributes there (msExchDelegateListLink and msExchDelegateListBL).
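The one-liners above, combined into a single access-review report for one principal (an added example, not the author's code; `Get-DelegatedAccessReport` is a hypothetical function name and an already connected Exchange Online PowerShell session is assumed). It goes one step beyond the one-liners by dropping inherited and Deny entries, so only explicitly granted access is reported:

```powershell
# Added example; assumes an already connected Exchange Online PowerShell session.
# Get-DelegatedAccessReport is a hypothetical helper name, not a built-in cmdlet.
function Get-DelegatedAccessReport {
    [CmdletBinding()]
    param(
        # User or security group under review, e.g. "vasil" or "secgrp"
        [Parameter(Mandatory)][string]$Principal
    )

    # Enumerate mailboxes once and reuse the result for all three checks
    $mailboxes = Get-Mailbox -ResultSize Unlimited

    # Full Access: keep explicit Allow entries only (skip inherited and Deny ACEs)
    $mailboxes | Get-MailboxPermission -User $Principal |
        Where-Object { $_.IsInherited -ne $true -and $_.Deny -ne $true } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $_.Identity; Principal = $_.User
                               Permission = ($_.AccessRights -join ',') }
        }

    # Send As: a recipient-level permission, filtered the same way
    $mailboxes | Get-RecipientPermission -Trustee $Principal |
        Where-Object { $_.IsInherited -ne $true -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $_.Identity; Principal = $_.Trustee
                               Permission = ($_.AccessRights -join ',') }
        }

    # Send on Behalf: stored on the mailbox object; matched by name as in the
    # one-liner above, with the input escaped so it is treated as a literal
    $pattern = [regex]::Escape($Principal)
    $mailboxes | Where-Object { $_.GrantSendOnBehalfTo -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $_.Identity; Principal = $Principal
                               Permission = 'SendOnBehalf' }
        }
}

# One CSV per reviewed principal; the output file name is an arbitrary choice
Get-DelegatedAccessReport -Principal 'vasil' |
    Export-Csv -Path .\vasil-delegated-access.csv -NoTypeInformation
```

Because the Send on Behalf check is a substring match, as in the original one-liner, review its rows for similarly named principals before acting on them.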
I have made use of the following:
On-Prem Exchange:
Get-EOPMailbox -ResultSize Unlimited -ErrorAction:SilentlyContinue | Get-EOPMailboxPermission -User $Uname | Get-EOPMailbox | Select Identity,DisplayName,UserPrincipalName,PrimarySMTPAddress,RecipientType,RecipientTypeDetails
Exchange Online:
$Uemail = (Get-EXOMailbox $Uname).UserPrincipalName
Get-EXOMailbox -ResultSize Unlimited | ForEach-Object { Get-EXOMailboxPermission -Identity $_.Identity } | Where-Object {$_.User -eq $Uemail} | Get-EXOMailbox | Select Identity,DisplayName,UserPrincipalName,PrimarySMTPAddress,RecipientType,RecipientTypeDetails
Note: Exchange Online “Get-EXOMailboxPermission” has two serious flaws – The “-User” parameter is CASE SENSITIVE, which is stupid, and it returns an error on every mailbox the user doesn’t have permissions on (Get-MailboxPermission returns nothing under the same conditions).
Hi my friend, I’m looking for a script using Exchange Online powershell module to get all the conference rooms (resources) and their permissions, booking delegates, resource delegates, hidden from global list and booking policy.
Please be my guide. Thanks.
Hey Vasil, do you have a solution for getting mailboxes using the Graph API?
Nope, use PowerShell or the REST endpoints: https://www.michev.info/Blog/Post/2869/abusing-the-rest-api-endpoints-behind-the-new-exo-cmdlets
Hi Vasil,
When a new employee takes over the role of one that has left, what is the easiest way to ensure the new employee inherits everything that has already been set up for the departed employee? For example, any shared mailboxes or resources they connect to or have rights to as well as any users they have delegate rights to, regardless of what kind (i.e. The report would contain all of this information, including the delegate mailbox and what rights they have).
Cheers,
David.
Hello Vasil! Great post as always!
Do you know how one would query all Rooms and Equipment (or resources) a user is a member of? For example if you execute;
Get-Mailbox -Filter '(RecipientTypeDetails -eq "RoomMailbox")' | Select Name,Alias
It shows all Room mailboxes, however when you search;
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | Get-MailboxPermission -User vasil
I do not get any results. Any ideas? Thank you!
That format should work. If you don’t have any user named “vasil” or said user has no permissions on any of the Room mailboxes, output will be empty – that’s the expected behavior.
I’m just impressed you’re still responding to comments on this seven year old article. 🙂 (Which, even today, is proving to be very helpful – thank you.)
Hey Vasil.
I want to list all Teams with no members, please.
Thank you
Hi Vasil !
I want to list all shared mailboxes that only have delegates with PowerShell and export them as a CSV document per Name, Identity, Alias, ProhibitSendQuota, UserPrincipalName, User, AccessRights.
Thank you.
Nice ..great job Vasil, very helpful
Thanks for sharing!!
I want to export the result of this command to a CSV file, do you have any idea:
Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox | Get-MailboxPermission
Pipe the output to Export-CSV or better yet, use a proper script: https://github.com/michevnew/PowerShell/blob/master/Mailbox_Permissions_inventory.ps1
Hello, thanks for the article.
Do you have any idea how we can check, for a shared mailbox, when a particular user was added to it and by whom?
Check the admin audit log/Unified audit log if using Exchange Online.