PowerShell scripts to report on Mailbox permissions in Exchange Online and Exchange On-Premises


Exchange Admins need to check constantly on who has permission to what. We need to constantly confirm if person A has access to mailbox B, as well as generate reports on all the mailboxes that have permissions granted to other users pre-migration, mid-migration and post migration.

Some cmdlets work on both Exchange Online and Exchange On-Premises, and sometimes they are completely different. This makes it more challenging if running in Hybrid and you have still have some on-premises mailboxes.

To make it easier for myself (and you), I have created the Mailbox Permission Pack. This pack of eight scripts can generate reports for both Exchange Online and Exchange On-Premises.

The scripts perform two main functions in each Exchange environment -
- Report which mailboxes a particular user or email enabled security group have access to
- Report on all mailboxes that are configured with permissions and who has that access.


See below for a more detailed explanation of what the scripts accomplish.

=================================================================

The Mailbox Permission Pack will provide reports on the following for both 
Exchange On-Premises and Exchange Online.


Report on all mailboxes that are configured with the following permissions -
- All Mailboxes with Full Access configured
- All Mailboxes with Send As configured
- All Mailboxes with Send on Behalf configured

Report on which mailboxes a specific user or email enabled security group has access to -
- Mailboxes with Full Access
- Mailboxes with Send As
- Mailboxes with Send on Behalf

=================================================================

Pre-requisites -
To run these PowerShell scripts, you must first connect to either Exchange Online or Exchange On-Premises. Follow my tutorials and use my Office 365 PowerShell connection scripts to connect to Exchange Online.
Note that the Exchange Local server needs to import the Active Directory module in PowerShell, so the machine that the scripts run on must have the AD tools installed.

Note - You must have the directory - c:\reports - created prior to running the scripts or edit the $logpath variable in the two scripts that document permissions for ALL mailboxes.


Connect to Exchange Online - see tutorials below
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to connect to Office 365 and Azure via PowerShell - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link


Connect to Exchange On-Premises
Run the scripts from Exchange Management Shell from the Exchange server or a pre-configured Exchange admin machine

=================================================================

Note - For demonstration purposes, I have created clearly named accounts and granted permissions appropriately in my test environment-
User Name - sendonbehalf01
Permission - SendOnBehalf to several accounts

User Name - fullaccess01
Permission - Full Access to several accounts

User Name - sendas01
Permission - Send As to several accounts

=================================================================

Exchange Online


Exchange Online - Using the scripts
- Note that you only run the scripts starting with - EXO - Exchange Online

Process - Single script to determine ALL mailboxes that have configured permissions.

Open PowerShell and connect to Office 365 (use tutorials at the top of this article)
Change to the directory that the scripts are located.
Type in the script name - ExchangeOnlineMailboxPermissions.ps1
Press enter -
- Note that the script may take some time if you have a lot of mailboxes -





Once completed, the report will be in the c:\reports directory by default -







If you would like to change the directory the reports are created in, change the variable highlighted below.






















The csv reports will be similar to the ones pictured below -

Exchange Online - Send As report -
This report shows all Exchange Online mailboxes (Identity column) and the user or group with Send As permission (Trustee Column). The AccessRights column displays the permission.







Exchange Online  - Send on Behalf report -
This report shows all Exchange Online mailboxes (Name / Alias / UserPrincipalName/PrimarySTMP column) and the user or group with Send on Behalf permission (GrantSendOnBehalf Column)







Exchange Online  - Full Access report -
This report shows all Exchange Online mailboxes (Identity column) and the user or group with Full Access permission (User Column)










=================================================================


Exchange Online - Using the scripts
- Note that you only run the scripts starting with - EXO - Exchange Online

Process - Scripts to determine access a SPECIFIC user or group has. 
Script - EXO-AllMailboxesToWhichUserOrGroupHasSendOnBehalfPermissions.ps1

Open PowerShell and connect to Office 365 (use tutorials at the top of this article)
Change to the directory that the scripts are located.
Type in the script name and enter
- Note that the script may take some time if you have a lot of mailboxes -



The script will run and prompt for the ALIAS of the mailbox or email enabled security group
Enter the ALIAS as prompted - press enter.
Once the script has run, it will display the mailboxes that the specified user (sendonbehalf01) has Send On Behalf access to. -








Use the same process for all three scripts - 
- EXO-AllMailboxesToWhichUserOrGroupHasSendOnBehalfPermissions.ps1
- EXO-AllMailboxesToWhichUserOrGroupHasFullAccessPermissions.ps1
- EXO-AllMailboxesTo WhichUserOrGroupHasSendAsPermissions.ps1

Please ensure you always enter the ALIAS of the mailbox or mail enabled security group.


Outputs of all scripts below -

Mailboxes that the specified user (sendonbehalf01) has Send On Behalf access to


Mailboxes that the specified user (fullaccess01) has Full Access to







Mailboxes that the specified user (sendas01) has Send As access to



=================================================================

Exchange On-Premises


Exchange On-Premises - Using the scripts
- Note that you only run the scripts starting with - EXL - Exchange Local

Process - Single script to determine ALL mailboxes that have configured permissions.

Open Exchange PowerShell (Exchange Management Shell)
Change to the directory that the scripts are located.
Type in the script name - ExchangeLocalMailboxPermissions.ps1
Press enter -
- Note that the script may take some time if you have a lot of mailboxes -







Once completed, the report will be in the c:\reports directory by default -







If you would like to change the directory the reports are created in, change the variable highlighted below.



















The csv reports will be similar to the ones pictured below -

Local Exchange - Send As report -
This report shows all local mailboxes (Identity column) and the user or group with Send As permission (User Column)



















Local Exchange  - Send on Behalf report -
This report shows all local mailboxes (Name column) and the user or group with Send on Behalf permission (GrantSendOnBehalf Column)
























Local Exchange  - Full Access report -
This report shows all local mailboxes (Identity column) and the user or group with Full Access permission (User Column)




















=================================================================

Exchange On-Premises - Using the scripts
- Note that you only run the scripts starting with - EXL - Exchange Local

Process - Scripts to determine access a SPECIFIC user or group has. 
Script - EXL-AllMailboxesToWhichUserOrGroupHasSendOnBehalfPermissions.ps1

Open Exchange PowerShell (Exchange Management Shell)
Change to the directory that the scripts are located.
Type in the script name and enter
- Note that the script may take some time if you have a lot of mailboxes -


The script will run and prompt for the ALIAS of the mailbox or email enabled security group
Enter the ALIAS as prompted - press enter.








Once the script has run, it will display the mailboxes that the specified user (sendonbehalf01) has Send On Behalf access to. -















Use the same process for all three scripts - 
- EXL-AllMailboxesToWhichUserOrGroupHasSendOnBehalfPermissions.ps1
- EXL-AllMailboxesToWhichUserOrGroupHasFullAccessPermissions.ps1
- EXL-AllMailboxesToWhichUserOrGroupHasSendAsPermissions.ps1

Please ensure you always enter the ALIAS of the mailbox or mail enabled security group.


Outputs of all scripts below -

Mailboxes that the specified user (sendonbehalf01) has Send On Behalf access to



Mailboxes that the specified user (fullaccess01) has Full Access to










Mailboxes that the specified user (sendas01) has Send As access to













=================================================================




No comments:

Post a Comment