The estimated reading time 3 minutes

Maybe you saw my old blogpost about finding Full Access Permissions on Exchange OnPrem and found it useful? But now we have 2021 more and more companies move to cloud services. I thought it would be useful to write the same article but for exchange online. So here it is.

Before you can access Exchange Online PowerShell, get ready and install Exchange Online PowerShell Module V2 (my lines of code work with V2 module). If you don’t know what to do see my older blogpost about PowerShell and Exchange Online V2

Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

Please connect with your exchange admin for Exchange Online.

Get all FullAccess Permissions

$fullaccess = Get-Mailbox -ResultSize unlimited | Get-MailboxPermission | Where-Object {(-not ($_.identity -like "*DiscoverySearchMailbox*")) -and (-not ($_.User -like "NT AUTHORITY\SELF")) -and ($_.IsInherited -eq $false)}
$fullaccess | ft Identity,User,AccessRights -AutoSize

After executing this command you have a varialbe called $fullaccess which owns the information. The content can be displayed by typing in “$fullaccess”. This action can take some time, please stay patient.
Next step is to create an output file.

$fullaccess | Sort-Object Identity |Select-Object Identity,User,AccessRights| Export-Csv -Path C:\temp\exonfullaccess.csv -Encoding UTF8 -Delimiter ";"  

With this command you export not all the properties, but the important to csv file (path C:\temp\exonfullaccess.csv), so you can use excel or something else to compare as you want.

CSV looks like this:

If you import in excel you can filter and do all you want.

Get all Send As Permissions

As we did before with FullAccess we can do an export with the “Send As” Permissions of the entire Exchange Online.

$sendas = Get-Mailbox -ResultSize unlimited | Get-RecipientPermission | Where-Object {(-not ($_.identity -like "*DiscoverySearchMailbox*")) -and (-not ($_.Trustee -like "NT AUTHORITY\SELF")) -and ($_.IsInherited -eq $false)}
$sendas | ft Identity,Trustee,AccessRights -AutoSize

All Send As Permissions are stored in the variable $sendas, so have look a it.

Need it as csv file so you can search and do other stuff. Here is the command:

$sendas | Sort-Object Identity |Select-Object Identity,Trustee,AccessRights| Export-Csv -Path C:\temp\exonsendas.csv -Encoding UTF8 -Delimiter ";"

Get all “Send on behalf”

Another common permission on mailboxes is “send on behalf”, which is maybe also interesting to know. Here some code to get it from exchange online.

$sendonbehalf = Get-Mailbox -ResultSize unlimited | Where-Object {$_.GrantSendOnBehalfTo -ne $null} 
$sendonbehalf | ft Userprincipalname,PrimarySMTPAddress,GrantSendOnBehalfTo

Another export job and we also have the infomation inside a csv file to work external.

$sendonbehalf  | Sort-Object Identity |Select-Object Userprincipalname,PrimarySMTPAddress,GrantSendOnBehalfTo| Export-Csv -Path C:\temp\exonsendonbehalf.csv -Encoding UTF8 -Delimiter ";"

Not that complicated and you have a short overview about assigned rights inside your exchange online environment. If you liked this blogpost, please click on helpful. Let me know if there are any questions. Have fun.

Print Friendly, PDF & Email
  • Was this Helpful ?
  • yes   no