
How to Export Microsoft 365 Shared Mailbox Permission Report

Do you ever feel overwhelmed by managing shared mailbox permissions? Managing delegate permissions for multiple Exchange Online shared mailboxes has always been a nightmare for Microsoft 365 admins. No worries! Explore simple methods to get a shared mailbox permission report and streamline your Exchange Online management.

Native Solution

Microsoft 365 Permission Required

High

Global Admin or Exchange Online Admin.

Option 1 Using Microsoft 365 admin center

  • Navigate to the Microsoft 365 admin center.
  • Click on ‘Teams and groups’ in the left navigation pane.
  • Select 'Shared mailboxes' to view the list of shared mailboxes in Microsoft 365.
  • Select the desired shared mailbox in the list of Exchange Online shared mailboxes. There you can find "Manage mailbox permissions".
  • Select any delegate permission to see the members assigned to it.

Option 2 Using Windows PowerShell:

  • Make sure you have installed and imported the Exchange Online module using these cmdlets.
    Install-Module -Name ExchangeOnlineManagement
    Import-Module ExchangeOnlineManagement
  • Run the below cmdlets to connect to Exchange Online and get the list of all shared mailboxes with their delegated permissions.
    Connect-ExchangeOnline
  • To retrieve all delegates with ‘Full Access’ permission for all shared mailboxes.
    # -ResultSize Unlimited avoids the default cap of 1000 mailboxes; the mailbox's own SELF entry is excluded.
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object { $_.User -ne 'NT AUTHORITY\SELF' } | Select-Object Identity,User,AccessRights
  • To retrieve all delegates with ‘Send As’ permission for all shared mailboxes.
    # Excludes the mailbox's own SELF entry and unresolved 'NULL SID' trustees.
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | Get-RecipientPermission | Where-Object { ($_.Trustee -ne 'NT AUTHORITY\SELF') -and ($_.Trustee -ne 'NULL SID') } | Select-Object Identity,Trustee,AccessRights
  • To retrieve all delegates with ‘Send on behalf of’ permission for all shared mailboxes.
    # Keeps only shared mailboxes that have at least one 'Send on behalf of' delegate.
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | Where-Object { $_.GrantSendOnBehalfTo } | Select-Object PrimarySmtpAddress,GrantSendOnBehalfTo,RecipientTypeDetails

Option 3 Using PowerShell Script

  • Since there is a limitation in getting complete shared mailbox permissions and their access rights with a single cmdlet, we have prepared a PowerShell script to export shared mailbox permissions to csv.
  • Download and run the following script in the Administrator PowerShell.
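
The three lookups from Option 2 combined into a single CSV export, as an added example; this is not AdminDroid's script. It assumes an existing `Connect-ExchangeOnline` session; the output path, the `New-DelegateRow` helper and the `Unresolved` column (which flags delegates that appear only as a raw SID) are assumptions introduced here.

```powershell
# Added example, not AdminDroid's script. Run after Connect-ExchangeOnline.
# $OutFile is a constructed path; change it to suit.
$OutFile = Join-Path $PWD 'SharedMailboxPermissions.csv'

# Hypothetical helper: one output row per (mailbox, delegate, permission).
function New-DelegateRow ($Mailbox, $Delegate, $Permission) {
    [pscustomobject]@{
        Mailbox    = $Mailbox
        Delegate   = "$Delegate"
        Permission = $Permission
        # Assumed heuristic: a delegate shown as a raw SID no longer resolves
        # to an account (for example, the user was deleted).
        Unresolved = ("$Delegate" -match '^S-1-5-')
    }
}

$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$rows = foreach ($mbx in $shared) {
    $id = "$($mbx.PrimarySmtpAddress)"

    # Full Access: explicit allow entries only, without the built-in SELF entry.
    Get-MailboxPermission -Identity $id |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -ne 'NT AUTHORITY\SELF' -and
            $_.AccessRights -contains 'FullAccess'
        } |
        ForEach-Object { New-DelegateRow $id $_.User 'FullAccess' }

    # Send As
    Get-RecipientPermission -Identity $id |
        Where-Object {
            $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.Trustee -ne 'NULL SID' -and
            $_.AccessRights -contains 'SendAs'
        } |
        ForEach-Object { New-DelegateRow $id $_.Trustee 'SendAs' }

    # Send on Behalf is a property of the mailbox itself.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        New-DelegateRow $id $delegate 'SendOnBehalf'
    }
}

$rows | Sort-Object Mailbox, Permission, Delegate |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"{0} permission rows written to {1}" -f @($rows).Count, $OutFile
```

Rows with `Unresolved` set to `True` are candidates for cleanup, since the permission entry outlived the account it was granted to.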
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Any user with report access assigned by Super Admin.

Steps Using AdminDroid

  • Open the AdminDroid Office 365 Reporter.
  • Navigate to 'Mailbox permission detail' report under Reports»Exchange»Shared mailbox info.

Get shared mailbox permission report with detailed information such as users with access and their type of access rights, access permission, etc.


Additionally, the report provides a combo view, graphical view, and tabular view which gives complete visibility into your shared mailbox delegate permissions in a snapshot.

Complete view of your Microsoft 365 shared mailbox permissions!

Granting shared mailbox access to multiple users can put sensitive information at risk! AdminDroid: Your safeguard for secure access control.

Witness the report in action using the

Important Tips

Review audit disabled shared mailboxes and enable mailbox auditing to track delegate activity for improved mailbox security.

Enforce MFA for delegates to add an extra layer of security, reducing the risk of unauthorized access to shared mailboxes.

Regularly check shared mailbox email forwarding to prevent anonymous external forwarding and take steps to delegate permissions as needed.

Exchange Online: Strengthen Mailbox Security by Monitoring and Managing Shared Mailbox Permissions in Microsoft 365


What are the risks in improper shared mailbox permissions?

Improper shared mailbox delegate permissions can lead to several challenges and potential issues within a Microsoft 365 organization. Some of these challenges include:

  • Data Security Risks: Mismanaged permissions can result in unauthorized access to sensitive emails and data, increasing the risk of data breaches or leaks.
  • Threat of Email Deletion: Delegates with 'Full Access' permissions might accidentally or intentionally delete crucial emails, leading to data loss or severe security issues.
  • Loss of Accountability: Without a clear understanding of a user's delegate permissions, it can be challenging to track email access, modifications, or deletions, making it difficult to establish accountability.
  • Mailbox Usage Limitations: Conflicts might arise when multiple delegates try to access shared mailbox and manage emails simultaneously, potentially causing errors or data inconsistencies.

To stay secure from these kinds of challenges, make sure to regularly monitor the shared mailbox permissions after they are assigned to the Microsoft 365 users.

How can shared mailbox limitations affect delegate permissions?

Shared mailboxes in Exchange Online are a valuable resource for efficient email collaboration among team members, but they have some limitations that can affect delegate permissions. Here are a few things to keep in mind:

  • Limited Storage: Shared mailboxes have a storage limit of 50 GB when not assigned an Exchange Online license. This limitation can become problematic when managing multiple users or storing large files. If the storage limit is exceeded, users with delegate permissions may face difficulties in accessing or managing the shared mailbox.
  • Archive Mailbox Limit: Shared mailboxes in Microsoft 365 do not include an archive option by default. A shared mailbox archive may require additional licensing.
  • Access Restriction: Shared mailboxes are limited for internal use within an organization. You cannot delegate access to a shared mailbox for external users or non-employees in Microsoft 365 by default.
  • No Direct Access to Shared mailbox: Users cannot login directly to a shared mailbox. They access shared mailbox through their own accounts with the permissions assigned to them. If the delegated users do not have Outlook licenses, they will not be able to access shared mailboxes.

Here are some tips for managing shared mailbox delegate permissions and working around these limitations:

  • Assign an Exchange Online Plan 2 license to the shared mailbox to increase the size limit to 100 GB and to license the archive mailbox.
  • Create and add external users to the distribution list in Microsoft 365 to grant access to shared mailboxes.
  • Verify the user’s licensing when granting delegate permissions to the shared mailbox in Microsoft 365.

By following these tips, you can efficiently manage the delegates and minimize the impact of the limitations of shared mailboxes.

What are the permission levels for a shared mailbox?

Shared mailboxes in Microsoft 365 typically have the following permission levels, which determine the level of access that users or delegates may have:

  • Full Access: Users with 'Full Access' permissions can view, add, modify, and delete items in the shared mailbox. They can also create and manage calendar events & contacts. However, they are not allowed to send emails from the mailbox.
  • Send As: Delegates with 'Send As' permissions cannot access a shared mailbox, but they can send emails from it, which appear as if they originate from the shared mailbox rather than the delegate.
  • Send on Behalf: Users with 'Send on Behalf' permissions can send emails using the shared mailbox's email address, which clearly indicates that the email was sent on behalf of the shared mailbox. Recipients can see the delegate's email address as the sender. On the other hand, delegates are unable to access any items in the shared mailbox.

These shared mailbox permission levels provide a range of access options and allow organizations to tailor the list of users who have access to shared mailboxes based on their organization’s requirements.

AdminDroid makes it easy to track all actions performed in the shared mailbox using the permissions assigned to the Exchange Online users.

  • AdminDroid reports, such as Send-As Activities and Send-on-Behalf Activities, capture all email actions performed by delegates, including 'Sent by' and 'Sent-on-behalf of' email addresses.
  • These reports provide user details, revealing who sent the email and on whose behalf it was sent in a more efficient way.
  • By using the Download button, you can easily export the report to your local system in any desired format.

How to get a list of shared mailboxes and users with permissions?

Getting shared mailbox permissions in Office 365 is crucial for efficient teamwork and secure email access. This ensures authorized users can seamlessly access these mailboxes, improving collaboration and productivity. You can get all shared mailboxes in Exchange Online and users with permissions from Microsoft 365 in the below ways:

  • Microsoft 365 Admin Center - Navigate to 'Shared mailbox' under ‘Teams and groups’. By selecting a desired shared mailbox, you can find manage mailbox permissions. Select any delegate permission to see the members with specific permissions.
  • Exchange Admin Center – To check shared mailbox delegation in the Exchange admin center, navigate to the Recipients»Mailboxes. You can individually select the shared mailboxes and check all delegated permissions in the 'Delegation' section.
  • Microsoft PowerShell - Run the script provided and get shared mailbox permissions in PowerShell with detailed access rights.

However, Microsoft 365 admin center involves manually searching for shared mailboxes and their delegation, which can be time-consuming. PowerShell, on the other hand, lacks a straightforward method for exporting shared mailbox permissions report efficiently.

Get a complete overview of shared mailbox permissions in a few seconds.

  • Utilize AdminDroid’s dedicated Shared mailbox permission detail report located under Reports»Exchange»Shared mailbox info, to list all shared mailboxes and users with their delegated access rights.
  • Simply click on the mail icon at the top of the report page and send the report directly to your inbox in the desired format.
  • Here's a handy tip: You can click on the column heading to re-arrange the report data based on that specific column. In this case, you can click on the 'Access rights' column to sort the users from high-level access to low-level access. This makes it easy to quickly grasp the level of access rights for each user.

How to manage shared mailbox permissions in Office 365?

Managing shared mailbox delegation in Microsoft 365 includes assigning various access permission levels to specific users for certain shared mailboxes.

Efficiently managing mailbox delegation in Office 365 is essential for organized teamwork and secure email communication. It ensures proper access for the right people, reduces risks of data breaches, unauthorized access, and maintains a secure and organized email communication system.

How to add shared mailbox permissions in PowerShell?

Utilize these cmdlets to grant access to shared mailbox permissions for desired users, ensuring effective shared mailbox management.

  • To add ‘Full Access’ permission:
    Add-MailboxPermission <Shared Mailbox> -User <Identity> -AccessRights FullAccess -InheritanceType All
  • To delegate ‘Send As’ permission:
    Add-RecipientPermission <Shared Mailbox> -AccessRights SendAs -Trustee <Identity> -Confirm:$false
  • To add ‘Send-On-Behalf of’ permission:
    Set-Mailbox <Shared Mailbox> -GrantSendOnBehalfTo <Identity>

How to grant access to a shared mailbox in Exchange admin center?

  • Login to the Exchange Online admin center.
  • Navigate to ‘Mailboxes’ section under Recipients in the left navigation pane.
  • Select the desired mailbox and click ‘Mailbox delegation’.
  • Choose the level of access you want to grant to the delegates, such as "Full Access", "Send As", or "Send on Behalf" and click ‘Edit’.
  • To add delegates to a shared mailbox, click "Add members", then search for and select the users you want to delegate access to.
  • After configuring the permissions, click 'Save' and confirm your changes.
  • Finally, inform the delegates about their new permissions and responsibilities.

You can follow the same steps to revoke the shared mailbox permissions from users. After selecting the users, you will find the option 'Remove permissions’. Click on it to remove delegate permissions from the selected users.

How to audit shared mailbox permission changes?

Keeping an eye on shared mailbox permissions is crucial. Unauthorized shared mailbox access may put Microsoft 365 data security at risk. However, regular monitoring of shared mailbox permissions allows you to quickly spot unusual permission changes and make your Exchange Online mailboxes more secure.

Auditing is enabled by default for all mailboxes, but to search mailbox settings and permission changes in the native solution, you must enable auditing for the shared mailbox using PowerShell.

Connect-ExchangeOnline

Set-Mailbox -Identity <SharedMailbox> -AuditEnabled $True

Although we enabled searching audit logs, tracking these changes can be a time-consuming task for Microsoft 365 administrators. This delay in spotting unauthorized access or suspicious activities with shared mailboxes can raise security vulnerabilities.
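
The native check described above, as an added example that is not AdminDroid's code: it lists shared mailboxes with auditing switched off, then pulls recent delegate-permission changes from the audit log. It assumes an existing `Connect-ExchangeOnline` session and that unified audit logging is turned on for the tenant; the 7-day window and the output column names are choices made here.

```powershell
# Added example. Run after Connect-ExchangeOnline.
# Assumption: a 7-day lookback window; adjust $Since as needed.
$Since = (Get-Date).AddDays(-7)

# 1. Shared mailboxes where mailbox auditing is switched off.
$noAudit = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled }
$noAudit | Select-Object DisplayName, PrimarySmtpAddress, AuditEnabled

# Uncomment to enable auditing on each of them:
# $noAudit | ForEach-Object { Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true }

# 2. Admin cmdlet records that add or remove delegate permissions.
$ops = 'Add-MailboxPermission', 'Remove-MailboxPermission',
       'Add-RecipientPermission', 'Remove-RecipientPermission', 'Set-Mailbox'

$changes = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
        -RecordType ExchangeAdmin -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json

        # Flatten the logged cmdlet parameters into a name -> value table.
        $p = @{}
        foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }

        # Set-Mailbox is logged for every setting change; keep only
        # edits to the 'Send on behalf of' delegate list.
        if ($d.Operation -eq 'Set-Mailbox' -and
            -not $p.ContainsKey('GrantSendOnBehalfTo')) { return }

        [pscustomobject]@{
            Time         = $d.CreationTime
            ChangedBy    = $d.UserId
            Operation    = $d.Operation
            Mailbox      = $d.ObjectId
            Delegate     = (@($p['User'], $p['Trustee'], $p['GrantSendOnBehalfTo']) |
                               Where-Object { $_ }) -join ';'
            AccessRights = $p['AccessRights']
        }
    }

$changes | Sort-Object Time | Format-Table -AutoSize
```

The search covers every mailbox type, so compare the `Mailbox` column against your shared mailbox list, and review any row whose `ChangedBy` is not an expected administrator.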

Using mailbox permission changes report in AdminDroid, you can effortlessly monitor and detect abnormal changes in shared mailbox permissions with this comprehensive report.

  • The "Authorized Mailbox" column in this report shows the shared mailboxes for which the permission changes were made. The "Authorized User" column shows the user who made specific permission changes. This ensures that only authorized changes happened in Exchange Online mailboxes.
  • AdminDroid Advanced Alerting feature ensures you receive real-time notifications whenever there are unusual changes in shared mailbox permissions. This helps you detect inappropriate actions quickly and allows you to take necessary actions promptly.
  • TIP: Customize your alert thresholds to improve the accuracy of detecting and preventing unauthorized activities related to shared mailbox permissions.

AdminDroid Exchange Online Reporter: Unlock the power of visibility in shared mailbox delegate permissions

AdminDroid Exchange Online management tool presents a user-friendly interface that efficiently furnishes reports on shared mailbox delegate permissions. This saves significant time and effort for administrators, streamlining the process of shared mailbox management.

AdminDroid's inherent capabilities for managing shared mailbox delegate permissions are outlined below:

The "Shared Mailbox Permission Detail" report provides insights into users with access, encompassing details like access rights, mailbox display name, and more. This report proves invaluable for administrators seeking to efficiently manage shared mailbox delegate permissions and enhance user management practices.

A Quick Summary

Advanced Alerting on Shared Mailbox Permission Changes

Receive real-time alerts from AdminDroid when there are unexpected changes to mailbox permissions in shared mailbox. Customize threshold limits to enhance the accuracy of identifying and preventing unauthorized actions involving shared mailboxes.

Delegate Permissions Audit

Go beyond the basic mailbox permissions details and delve into detailed insights about shared mailbox permission changes. Detect unusual delegate access permission changes through in-depth reports, to proactively prevent unauthorized access.

Automated Delegation Summary Reports

Schedule the shared mailbox permission summary report at a weekly/monthly frequency to your inbox and verify the reports without even logging into AdminDroid.

Streamline Shared Mailbox Delegation Oversight

Simplify the Shared mailbox delegation management with a concise shared mailbox permissions report. Easily determine Microsoft 365 users who have specific access to shared mailboxes in Exchange Online.

In-Depth Shared Mailbox Access Activities

Gain insights from AdminDroid’s customized shared mailbox access activities report to proactively monitor shared mailbox access. Ensure the delegated users are properly managing the sensitive information of shared mailboxes.

Control Access to Shared Mailbox Reports

Utilize AdminDroid's custom role delegation feature to create and manage roles for accessing shared mailbox permissions reports. Ensure only authorized admins can access these permission reports of your Microsoft 365.

In summary, AdminDroid offers robust capabilities that enable you to effectively oversee and monitor shared mailbox delegate permissions. Additionally, you can leverage a range of shared mailbox reports which enables you to manage shared mailboxes within your Microsoft 365 environment.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps for Shared Mailbox in Exchange Online

The following are possible errors and troubleshooting hints while getting shared mailbox delegate permissions report.

Error: This message could not be sent. You do not have the permission to send the message on behalf of the specified user.

This error will occur if a user is assigned only with "read and manage" permission. They won't be able to send emails from the shared mailbox.

Troubleshooting hint: To send emails from the shared mailbox, grant 'Send as' or 'Send on behalf of' permission to the desired delegate users.

Error: The term 'Add-MailboxPermission' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs when a user without the necessary administrative roles attempts to delegate permissions to another user for the shared mailbox.

Troubleshooting hint: Ensure the user is assigned suitable administrative roles, like Global Administrator or Exchange Online Administrator, to assign the permissions to shared mailboxes in Exchange Online.

# Run the below cmdlet to connect to the MSOnline service.
Connect-MsolService
# Run the below cmdlet to add the required role.
Add-MsolRoleMember -RoleMemberEmailAddress "<UserPrincipalName>" -RoleName "<Admin role name>"

Error: The term 'Get-Mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error will occur when you run the ‘Get-Mailbox' cmdlet without connecting to Exchange Online.

Troubleshooting hint: To get delegate permissions and shared mailboxes in Exchange Online, make sure to install and connect to the Exchange Online module by using the following cmdlet.

Connect-ExchangeOnline

Error: Select no more than 5 users.

This error occurs if you attempt to delegate permissions to more than 5 users at once in Microsoft 365 admin center.

Troubleshooting hint: If you need to add more than 5 users at once, please use the Exchange Online admin center to delegate permission levels.

Error: Delegate user doesn't appear in the search results.

This error occurs when the delegate user is an external user and not added to the organization.

Troubleshooting hint: To grant access to a shared mailbox for an external user or a user from outside the organization, use the following PowerShell cmdlet.

# Run the below cmdlet to connect to your Exchange Online account.
Connect-ExchangeOnline
# Run the below cmdlet to add the required permission to desired external users.
Add-RecipientPermission <MailboxName> -AccessRights SendAs -Trustee <UserPrincipalName> -Confirm:$false