🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.

How to Get Exchange Online Mailbox Permissions Report

Mailbox permission in Exchange Online can enhance email communication within an organization. However, excessive mailbox permissions to a suspicious user could lead to data breaches or compromised security. In this guide, we will walk you through the simple steps to export mailbox permission report in Microsoft 365.

Native Solution

Microsoft 365 Permission Required

High

Global Admin and Exchange Admin.

Option 1 Using Exchange Online Admin Center

  • Sign-in to the Exchange Online admin center.
  • Navigate to 'Mailboxes' under 'Recipients' to see all mailboxes in Exchange Online.
  • Select the desired mailbox and click on 'Mailbox delegation'.
  • Select any delegate permission to see the members assigned to it.
Using Exchange Online Admin Center

Option 2 Using Windows PowerShell:

  • Run the below cmdlet to connect Exchange Online.
  • Windows PowerShell Windows PowerShell 
     Connect-ExchangeOnline
  • To get users with 'Full Access' permissions for all Exchange Online mailboxes.
  • Windows PowerShell Windows PowerShell 
     Get-Mailbox | Get-MailboxPermission|?{$_.User -ne 'nt authority\self'} |Select-Object Identity,User,AccessRights
  • To find users with 'Send As' permission for all Exchange Online mailboxes.
  • Windows PowerShell Windows PowerShell 
     Get-Mailbox | Get-RecipientPermission | where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid')} | select Identity,Trustee,AccessRights
  • To check 'Send on Behalf' permissions for all Exchange Online mailboxes.
  • Windows PowerShell Windows PowerShell 
     Get-Mailbox |?{$_.GrantSendOnBehalfTo -ne $null }| Select  PrimarySmtpAddress,GrantSendOnBehalfTo,RecipientTypeDetails
Using Windows PowerShell:

Option 3 Using PowerShell Script

  • PowerShell cmdlets do not provide all types of mailbox access rights in a single cmdlet as well as a user-friendly Exchange Online mailbox permissions report.
  • Thus, we’ve prepared the script to export mailbox permissions to csv in PowerShell. This report format gives you a clear understanding about all types of mailbox permissions.
  • Download and run the following script in the Administrator PowerShell.
GetMailboxPermission.ps1
Using PowerShell Script
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Delegated

Any user with report access assigned by Super Admin.

StepsUsing AdminDroid

ad
  • Login to the AdminDroid Office 365 reporter.
  • Navigate to the 'Mailbox Permission Detail' report under Reports»Exchange»Mailbox Permissions.
Using AdminDroid

Get comprehensive Exchange Online mailbox permission report, including all users with access and their mailbox access level, permission status etc.

chart-view
  • Explore our built-in charts for a visually appealing overview of Exchange Online mailbox access rights. This simplified format makes it easy to identify the number of users and their specific access types effortlessly.
geo-map
birds-eye-chart
donut
exported-excel
pie-chart
alert
Explore a full range of reporting options

Export Exchange Online mailbox permissions in a single click!

Users with inappropriate Exchange Online mailbox permissions can put your sensitive data at risk! Monitor and streamline your Microsoft 365 mailbox permissions with AdminDroid.

Witness the report in action using the

Live Demo

Important Tips

Discover and implement the latest quarantine management features in Microsoft defender and shield against increasing number of email threats.

Monitor delegate audit enabled mailboxes in Exchange Online to detect any sensitive actions performed by non-owners in your Microsoft 365 environment.

Remember to report suspicious messages in delegated mailboxes and stay secure against phishing and junk emails in Exchange Online.

Exchange OnlineManage Exchange Online Mailbox Permissions in Microsoft 365

Showing 1 of 4
How to manage permissions for recipients in Exchange Online? How to see what mailboxes a user has access to in Microsoft 365? What is the difference between mailbox permission and mailbox folder permission? How to export mailbox permissions to CSV?

How to manage permissions for recipients in Exchange Online?

Effectively managing permissions for recipients in Exchange Online is crucial for maintaining a secure and organized email communication system. It involves assigning appropriate mailbox access rights to legitimate recipients, ensuring streamlined collaboration and minimizing the risk of unauthorized access or data breaches.

You can follow the below PowerShell cmdlets to give mailbox permissions to another Microsoft 365 user.

To give 'Full Access' permission for a user to a mailbox, you can run the below command:

Add-MailboxPermission <User Mailbox> -User <Identity> -AccessRights FullAccess -InheritanceType All

You can run the below command to give 'Send As' permission for a specific user to a mailbox:

Add-RecipientPermission <User Mailbox> -AccessRights SendAs -Trustee <Identity> -Confirm:$false

To delegate 'Send on Behalf' permission for a user to a mailbox, you can run the below command:

Set-Mailbox <User Mailbox> -GrantSendOnBehalfTo <Identity>

Track and detect who modified mailbox permissions in Microsoft 365!

Unapproved permission changes in Exchange Online mailboxes could lead to potential security issues such as data leaks in sensitive business email conversations, customer details, and more. Regular monitoring of mailbox permission changes in Microsoft 365 is essential for managing mailbox access rights. Also, it helps to identify and track excessive and unnecessary permissions effectively.

How to see what mailboxes a user has access to in Microsoft 365?

Mailbox permission monitoring involves understanding the mailboxes a user can access in Microsoft 365. It helps you to efficiently resolve Exchange Online mailbox access issues and ensures that sensitive information remains accessible only to authorized individuals.

In Exchange Online admin center, you can get delegated permissions for a list of all Exchange Online mailboxes. However, getting specific user access rights is a time-consuming task.

You can get all Exchange Online mailboxes to which a user has 'Full Access' permissions using the below PowerShell cmdlet:

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-MailboxPermission –User <UPN>

Utilize the below PowerShell cmdlet to obtain list of mailboxes to which a user has 'Send As' permissions:

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-RecipientPermission –Trustee <UPN>

Since SendOnBehalf permission is not classified under the 'Mailbox permission' parameter, PowerShell cannot list all mailboxes for a given user with this permission. Also, these PowerShell commands require additional steps to export mailbox permissions to CSV, which can be time-consuming.

Therefore, we’ve crafted the unified script to effortlessly export list of mailboxes to which a specific user has 'Full Access', 'Send As', 'Send on Behalf' permissions.

Download MailboxesUserCanAccess.ps1 and run the script in Administrator PowerShell with ".\MailboxesUserCanAccess.ps1 -UPN <user@contoso.com> -SendOnBehalf" parameter to export list of mailboxes to CSV to which a specific user has 'SendOnBehalf' permission.

  • With AdminDroid’s Access to Other Mailboxes report you can effortlessly filter the ‘specific user’ using the “Easy Filter” feature. This gives a comprehensive list of all mailboxes the desired user can access and their type of mailbox access rights.
  • With a single click on the mailbox icon(✉), you can email the user access to other mailboxes report directly to your inbox.
user-access-to-others-mailboxes

TIP: AdminDroid’s AI powered graphs enable you to get a list of mailboxes a user can access and the distribution of access rights within those mailboxes.

What is the difference between mailbox permission and mailbox folder permission?

Mailbox permissions and mailbox folder permissions are distinct concepts in Microsoft 365.

  • Exchange Online mailbox permissions refers to the delegated access given to a user mailbox based on access rights like "Full Access," "Send As," and "Send on Behalf".
  • On the other hand, Exchange Online mailbox folder permissions are specific permissions granted to access individual folders within a mailbox, such as the inbox or calendar.

Understanding this difference is crucial for managing Exchange Online mailbox access effectively. Also, monitoring Exchange Online mailbox folder permissions ensures the security and privacy of mailbox contents.

You can "add" mailbox folder permissions using the below PowerShell cmdlet:

Add-MailboxFolderPermission -Identity <UserUPN>:\<FolderName> -User <DelegatedUserUPN> -AccessRights <RolesOrPermissions>

You can "get" mailbox folder permissions of required users using the below PowerShell cmdlet:

Get-MailboxFolderPermission -Identity <UserUPN>:\<FolderName>

Also, it is necessary to monitor users who grant access to specific mailbox folders, preventing any unwanted changes to mailbox folder permissions. It helps to enhance mailbox security at folder level and enhances overall Exchange Online management.

With AdminDroid advanced alerting, you can configure threshold limits for folder permission changes and receive real-time notifications whenever there is an unusual activity in Exchange Online mailbox folders.

  • AdminDroid’s Folder Permissions report provides information on users who provide access to specific mailbox folders.
  • Utilize 'Authorized by' and 'Authorized folder' columns to verify only authorized users are granting access to only required folders.
folder-permissions-report

PRO TIP: With the 'Authorized by' graph you can get detailed information on specific users granting folder permissions to other Microsoft 365 users. This provides a comprehensive overview of authorization activities, enabling efficient monitoring of folder permissions across your organization.

How to export mailbox permissions to CSV?

Exporting mailbox permissions to CSV in Microsoft 365 is very helpful for admins, especially when managing multiple mailbox permissions across various users and groups. It enables admins to efficiently analyze and manage permissions, ensuring that the right users have appropriate access to mailbox and its data.

However, Microsoft 365 admins cannot export mailbox permissions for multiple users as the export option is not available in the native solution. This limitation makes it challenging to monitor and manage multiple users' Exchange Online mailbox permissions.

Using AdminDroid, admins can easily export mailbox permissions to CSV and other various formats such as HTML, PDF, XLS, and XLSX.

  • Download a report at preferred format by clicking on the 'Download' icon and save it to the local system.
  • Gain comprehensive insights on Exchange Online mailbox permissions, such as mailbox display name, user with access, access rights, and other related properties.
mailbox-permission-detail

AdminDroid Exchange Online ReporterStrengthen mailbox security with detailed mailbox permission reports!

AdminDroid's Exchange Online reporter offers accurate mailbox permission details and other useful mailbox related reports. It allows you to effortlessly visualize user access rights, track permission changes, and ensure secure mailbox management. Also, you can easily identify any potential security risks, enhancing overall mailbox access management.

AdminDroid simplifies managing Exchange Online mailbox permissions with the following highlights:

The 'Mailbox Permissions Detail' report under Reports»Exchange»Mailbox Permissions gives you a granular view of mailbox permissions, including mailbox name, user with access, and type of access rights in Exchange Online mailboxes.

A Quick Summary

Control Guest Access Rights in Mailboxes

Monitor guests access to other mailboxes to ensure secure collaboration and data protection in your Exchange Online environment.

Efficient External Email Forwarding Management

Manage external email forwarding in Microsoft 365 with in-depth details and prevent any unauthorized data leaks and security breaches.

Enhanced Mailbox Access Monitoring

Monitor non-owner mailbox access report in Exchange Online to identify and address any sensitive actions by delegated users promptly.

User-Friendly Exchange Online Mailbox Insights

Effortlessly visualize and manage Exchange Online mailbox access rights across your organization with AdminDroid's mailbox permissions dashboard.

Comprehensive Mailbox Device Management Reporting

Manage Microsoft 365 mobile devices accessing Exchange online mailboxes using AdminDroid’s mailbox device management reporting that includes OS version, device policy, etc.

Streamlined Overview of Shared Mailbox Permissions

Mailbox permission management also includes monitoring shared mailbox permissions and promptly detect any unapproved permissions in the Exchange Online shared mailboxes.

In conclusion, AdminDroid empowers admins with unmatched capabilities in Exchange Online mailbox permissions reporting and various mailbox-related insights. Its user-friendly reports provide a comprehensive overview that enables admins to efficiently manage and optimize mailbox-related operations within the Microsoft 365 environment.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps while exporting Mailbox Permission Report in Microsoft 365

The following are possible errors and troubleshooting hints while checking mailbox permissions in Microsoft 365.

Error: Write-ErrorMessage : A server side error has occurred because of which the operation could not be completed. Please try again after some time. If the problem still persists, please reach out to MS support.

This error occurs when the mailbox type is not specified in the cmdlet. Scanning all mailboxes in the organization can take time and give this error.

Troubleshooting hint :Specify the required type of mailbox and run the PowerShell cmdlet like below. 

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-MailboxPermission –User <UPN>

Error: Write-ErrorMessage : Ex41BAF5|Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException|The specified mailbox Identity:"UPN" doesn't exist.

This error occurs when you try to give folder permission for a password expired user mailbox.

Troubleshooting hint :Make sure the user has an active password and an Exchange Online license before granting folder permissions to another user.

Error: Write-ErrorMessage : Cannot process argument transformation on parameter 'Identity'. Cannot convert value "User@Contoso.com:" to type "Microsoft.Exchange.Configuration.Tasks.MailboxFolderIdParameter". Error: "The mailbox folder identity "User@Contoso.com:" isn't in the correct format. The correct format should look like this: ":". "

This error occurs when you enter incorrect or non-existing folder name in the "Get-MailboxFolderPermission" cmdlet.

Troubleshooting hint :Ensure that the specified folder exists in the given mailbox and specify the folder name precisely as shown in the PowerShell cmdlet below. 

Get-MailboxFolderPermission -Identity <UPN>:\Inbox

Error: Get-MailboxPermission : The term 'Get-MailboxPermission' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs when you try to run the 'Get-MailboxPermission' without proper admin priveleges.

Troubleshooting hint :Ensure to connect the Exchange Online module with Global or Exchange Online administrator privileges. 

Connect-ExchangeOnline

Error: Delegate user doesn't appear in the search results.

This error occurs when the delegate user is not assigned with active Exchange Online license.

Troubleshooting hint :To grant access to another mailbox make the user is assigned with valid and active Exchange Online license.