Maybe you saw my old blogpost about finding Full Access permissions on Exchange OnPrem and found it useful? It is now 2021, and more and more companies are moving to cloud services, so I thought it would be useful to write the same article for Exchange Online. Here it is.
Before you can access Exchange Online PowerShell, install the Exchange Online PowerShell Module V2 (my lines of code work with the V2 module). If you don't know how to do that, see my older blogpost about PowerShell and Exchange Online V2.
Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
Please connect with your Exchange admin account for Exchange Online.
Get all FullAccess Permissions
$fullaccess = Get-Mailbox -ResultSize unlimited |
    Get-MailboxPermission |
    Where-Object {(-not ($_.identity -like "*DiscoverySearchMailbox*")) -and (-not ($_.User -like "NT AUTHORITY\SELF")) -and ($_.IsInherited -eq $false)}
$fullaccess | ft Identity,User,AccessRights -AutoSize
After executing this command you have a variable called $fullaccess which holds the information. You can display its content by typing “$fullaccess”. This action can take some time, so please be patient.
The next step is to create an output file.
$fullaccess | Sort-Object Identity | Select-Object Identity,User,AccessRights | Export-Csv -Path C:\temp\exonfullaccess.csv -Encoding UTF8 -Delimiter ";"
This command does not export every property, only the important ones, to a CSV file (path C:\temp\exonfullaccess.csv), so you can use Excel or something else to compare as you want.
CSV looks like this:
Get all Send As Permissions
As we did before with FullAccess, we can export the “Send As” permissions for the whole of Exchange Online.
$sendas = Get-Mailbox -ResultSize unlimited |
    Get-RecipientPermission |
    Where-Object {(-not ($_.identity -like "*DiscoverySearchMailbox*")) -and (-not ($_.Trustee -like "NT AUTHORITY\SELF")) -and ($_.IsInherited -eq $false)}
$sendas | ft Identity,Trustee,AccessRights -AutoSize
All Send As permissions are stored in the variable $sendas, so have a look at it.
If you need it as a CSV file so you can search it and do other things, here is the command:
$sendas | Sort-Object Identity | Select-Object Identity,Trustee,AccessRights | Export-Csv -Path C:\temp\exonsendas.csv -Encoding UTF8 -Delimiter ";"
Get all “Send on behalf”
Another common permission on mailboxes is “send on behalf”, which may also be interesting to know about. Here is some code to get it from Exchange Online.
$sendonbehalf = Get-Mailbox -ResultSize unlimited | Where-Object {$_.GrantSendOnBehalfTo -ne $null}
$sendonbehalf | ft Userprincipalname,PrimarySMTPAddress,GrantSendOnBehalfTo
One more export job and we also have this information in a CSV file to work with externally.
$sendonbehalf | Sort-Object Identity | Select-Object Userprincipalname,PrimarySMTPAddress,GrantSendOnBehalfTo | Export-Csv -Path C:\temp\exonsendonbehalf.csv -Encoding UTF8 -Delimiter ";"
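The exports above are meant to be compared, so here is one way to diff an older export against a newer one and list delegations that were added or removed. This is an added example, not part of the original post: the function name Compare-PermissionExport, its parameters and all mailbox and user names are assumptions made for illustration, and the sample rows are constructed so it runs without a tenant.

```powershell
# Added example: diff two permission exports (Identity;User;AccessRights, ';' delimiter).
# Works for the FullAccess export as-is; pass -DelegateColumn Trustee for the Send As export.

function Compare-PermissionExport {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,   # rows from the older export
        [Parameter(Mandatory)] [object[]] $Current,    # rows from the newer export
        [string] $DelegateColumn = 'User'              # 'User' (FullAccess) or 'Trustee' (Send As)
    )
    # A grant is identified by mailbox + delegate + rights; any difference is a change.
    $props = 'Identity', $DelegateColumn, 'AccessRights'
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property $props |
        ForEach-Object {
            [pscustomobject]@{
                Change       = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Identity     = $_.Identity
                Delegate     = $_.$DelegateColumn
                AccessRights = $_.AccessRights
            }
        } | Sort-Object Change, Identity, Delegate
}

# Constructed sample data standing in for an older export ...
$baseline = @'
"Identity";"User";"AccessRights"
"alice";"bob@contoso.example";"FullAccess"
"finance";"carol@contoso.example";"FullAccess"
'@ | ConvertFrom-Csv -Delimiter ';'

# ... and for a newer export: carol lost access to finance, dave gained access to ceo.
$current = @'
"Identity";"User";"AccessRights"
"alice";"bob@contoso.example";"FullAccess"
"ceo";"dave@contoso.example";"FullAccess"
'@ | ConvertFrom-Csv -Delimiter ';'

# With real files, load each side with: Import-Csv -Path <file> -Delimiter ';'
Compare-PermissionExport -Baseline $baseline -Current $current | Format-Table -AutoSize
```

Every row marked Added is a delegation that did not exist at the time of the older export and is worth matching against a change request.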
That is not too complicated, and it gives you a short overview of the rights assigned inside your Exchange Online environment. If you liked this blogpost, please click on helpful. Let me know if there are any questions. Have fun.