How to Monitor Guest Access to User Mailboxes in Microsoft 365

Are you concerned about guest users accessing user mailboxes in Microsoft 365? Imagine a guest user retaining full access to a manager's mailbox even after the project ends. This could allow them to view organizational messages, download sensitive files, or manage the mailbox as their own. Without proper oversight, these scenarios could lead to data exposure. In this guide, we'll show you how to audit guest access to user mailboxes in Microsoft 365 to prevent such risks.

Using Windows PowerShell

Microsoft 365 permission required:
  • View-only Audit Logs role (least privilege)
  • Global Admin (most privilege)
  • Connect to the Exchange Online PowerShell module using the cmdlet below.
    Connect-ExchangeOnline
  • Guest users can be assigned three types of permissions over a user's mailbox in Microsoft 365: Full Access, Send As, and Send on Behalf Of.
  • To identify guest users with 'Full Access' permission to user mailboxes, execute the cmdlet below.
    $Output = @()
    # -ResultSize Unlimited: the default returns only the first 1000 mailboxes
    Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | ForEach-Object {
        # Keep explicit Full Access entries only and skip the owner's own SELF entry
        $FullAccessPermissions = Get-MailboxPermission -Identity $_.UserPrincipalName |
            Where-Object { $_.User -ne "NT AUTHORITY\SELF" -and $_.AccessRights -contains "FullAccess" }
        ForEach ($Permission in $FullAccessPermissions) {
            # Guest accounts carry the #EXT# marker in their user principal name
            if ($Permission.User -like "*#EXT#*") {
                $Output += New-Object PSObject -Property @{
                    UserName     = $_.DisplayName
                    Mailbox      = $_.UserPrincipalName
                    GuestUser    = $Permission.User
                    AccessRights = $Permission | Select-Object -ExpandProperty AccessRights
                }
            }
        }
    }
    $Output
  • Run the below cmdlet to get a list of guest users with 'Send As' access right to user mailboxes.
    $Output = @()
    Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | ForEach-Object {
        # Send As is stored on the recipient ACL, so it is read with Get-RecipientPermission
        $SendAsPermissions = Get-RecipientPermission -Identity $_.UserPrincipalName |
            Where-Object { $_.Trustee -ne "NT AUTHORITY\SELF" }
        ForEach ($Permission in $SendAsPermissions) {
            if ($Permission.Trustee -like "*#EXT#*") {
                $Output += New-Object PSObject -Property @{
                    UserName     = $_.DisplayName
                    Mailbox      = $_.UserPrincipalName
                    GuestUser    = $Permission.Trustee
                    AccessRights = $Permission | Select-Object -ExpandProperty AccessRights
                }
            }
        }
    }
    $Output
  • Execute the below cmdlet to list all guest users with 'Send on Behalf Of' permission to user mailboxes.
    $Output = @()
    Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
        Where-Object { $_.GrantSendOnBehalfTo.Count -gt 0 } | ForEach-Object {
        # GrantSendOnBehalfTo holds directory references, so resolve each one to a user
        ForEach ($ObjectID in $_.GrantSendOnBehalfTo) {
            $User = Get-User -Identity $ObjectID -ErrorAction SilentlyContinue
            if ($User -and $User.UserPrincipalName -like "*#EXT#*") {
                $Output += New-Object PSObject -Property @{
                    UserName     = $_.DisplayName
                    Mailbox      = $_.UserPrincipalName
                    GuestUser    = $User.UserPrincipalName
                    AccessRights = "Send on Behalf Of"
                }
            }
        }
    }
    $Output
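The three checks above can be folded into one report. The following function is an added example, not code from the article or from AdminDroid: it resolves every trustee with Get-Recipient and treats it as a guest when its RecipientTypeDetails is GuestMailUser (which also catches guests whose name lacks the "#EXT#" marker), and it flags Deny entries, since a Deny ACE is not a grant. It assumes an existing Connect-ExchangeOnline session; the function names Get-GuestMailboxDelegation, Test-IsGuest and New-Row are ours.

```powershell
# Added example (not from the article): inventory Full Access, Send As and
# Send on Behalf Of delegations held by guest users across all user mailboxes.
function Get-GuestMailboxDelegation {
    param(
        [string]$CsvPath   # optional: also write the report to this CSV file
    )

    $cache = @{}   # trustee string -> $true/$false, so each principal is resolved once
    function Test-IsGuest([string]$Trustee) {
        if ([string]::IsNullOrWhiteSpace($Trustee)) { return $false }
        if (-not $cache.ContainsKey($Trustee)) {
            # SELF, raw SIDs and deleted principals do not resolve and count as non-guest
            $r = Get-Recipient -Identity $Trustee -ErrorAction SilentlyContinue
            $cache[$Trustee] = [bool]($r -and $r.RecipientTypeDetails -eq 'GuestMailUser')
        }
        return $cache[$Trustee]
    }

    function New-Row($Mailbox, $Guest, $Permission, [bool]$Deny) {
        [PSCustomObject]@{
            Mailbox    = $Mailbox.UserPrincipalName
            Owner      = $Mailbox.DisplayName
            Guest      = $Guest
            Permission = $Permission
            IsDeny     = $Deny      # a Deny entry blocks access rather than granting it
        }
    }

    $rows = foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
        # Full Access lives on the mailbox ACL
        Get-MailboxPermission -Identity $mbx.UserPrincipalName |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and (Test-IsGuest "$($_.User)") } |
            ForEach-Object { New-Row $mbx "$($_.User)" 'FullAccess' $_.Deny }

        # Send As lives on the recipient ACL
        Get-RecipientPermission -Identity $mbx.UserPrincipalName |
            Where-Object { $_.AccessRights -contains 'SendAs' -and (Test-IsGuest "$($_.Trustee)") } |
            ForEach-Object { New-Row $mbx "$($_.Trustee)" 'SendAs' ($_.AccessControlType -eq 'Deny') }

        # Send on Behalf Of is a mailbox attribute, not an ACL, so it has no Deny form
        foreach ($entry in $mbx.GrantSendOnBehalfTo) {
            $addr = (Get-Recipient -Identity "$entry" -ErrorAction SilentlyContinue).PrimarySmtpAddress
            if ($addr -and (Test-IsGuest "$addr")) { New-Row $mbx "$addr" 'SendOnBehalf' $false }
        }
    }

    if ($CsvPath -and $rows) { $rows | Export-Csv -Path $CsvPath -NoTypeInformation }
    return $rows
}

# Usage: Get-GuestMailboxDelegation -CsvPath .\guest-mailbox-delegation.csv | Format-Table
```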

Stay Ahead of Risks by Monitoring Guest Access to User Mailboxes in Microsoft 365!

AdminDroid's Exchange Online auditing tool provides an end-to-end solution for monitoring Microsoft 365 mailbox permissions, mailbox settings, mailbox usages, and more. With these comprehensive insights, you can effortlessly audit guest access to Microsoft 365 mailboxes to ensure your critical assets remain secure while enabling seamless collaboration.

Visualize Exchange Online Mailbox Permissions

Make use of the mailbox permissions dashboard to visualize Send As, Send on Behalf Of, and Full Access permissions across all mailboxes, including those assigned to guest users.

Monitor Non-owner Mailbox Access in Exchange Online

Keep track of the non-owner mailbox access report to identify unauthorized guest activities on sensitive mailboxes and ensure controlled access.

Stay Alerted of Newly Granted Mailbox Permissions

Leverage AdminDroid's advanced default alert policy template to receive real-time notifications for every mailbox permission granted and effortlessly verify if the changes are authorized or not.

Control Guest Access to Shared Mailbox in Exchange Online

Review the Microsoft 365 shared mailbox permission report to ensure external users have the appropriate access and their communication remains uninterrupted.

Track Guest Activities in Microsoft 365 Mailboxes

Regularly audit mailboxes accessed by guest users to monitor their activities and identify any unauthorized actions performed on mailbox items.

Audit Outbound Emails Sent via Guest Delegation

Monitor the outbound email activity report to spot external emails sent via guest permissions, ensuring mailbox rights are not misused.

In conclusion, AdminDroid's Exchange Online management tool offers a robust solution for monitoring guest permissions to user mailboxes. With its detailed reports and real-time data, admins can easily track guest access rights, detect unauthorized activities, and ensure security across the organization.

Important Tips

Enable mailbox auditing for all users to track logins and detect unauthorized guest access with delegated permissions.

Use conditional access policies to improve authentication strength for guest users and secure highly privileged mailbox access effectively.

Restrict guest users in Microsoft Entra ID from gaining excessive privileges and protect sensitive data from unnecessary exposure.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while managing guest permissions to user mailboxes in Microsoft 365.

Error: Remove permission operation failed.

This error occurs in the Exchange admin center when attempting to remove a mailbox permission delegated to a guest user without the required admin permissions.

Fix: Ensure that you have the necessary administrative permissions, such as Global admin or Exchange admin, to revoke the mailbox permission of a guest user.

Error: Write-ErrorMessage : Ex9BC9DD|Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException|User or group "<GuestUserEmail>" wasn't found. Please make sure you've typed it correctly.

This error occurs when running the 'Add-RecipientPermission' PowerShell cmdlet and the specified user doesn't exist or doesn't have a mailbox.

Fix: Ensure that the user is a guest in your organization and has an active mailbox before assigning the permission.

Error: WARNING: The appropriate access control entry is already present on the object "CN=fc34915e-2a4b-4217-9d52-0e967e8b13bd,OU=jispa.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=INDPR01A005,DC=PROD,DC=OUTLOOK,DC=COM" for account "S-1-5-21-122708444-3114493987-3236274769-54976102".

This issue occurs when you run the 'Add-MailboxPermission' cmdlet in Exchange Online PowerShell to assign a permission the guest user already holds.

Fix: Before assigning permissions, check whether the user already has the delegated permission. Use the following cmdlet in Exchange Online PowerShell to verify existing mailbox permissions.
Get-MailboxPermission -Identity "<UserPrincipalName>"
# Replace <UserPrincipalName> with the UPN of the mailbox you want to check.

Error: Write-ErrorMessage : Cannot process argument transformation on parameter 'AccessRights'. Cannot convert value "SendOnBehalfOf" to type

This error occurs when using the 'Add-RecipientPermission' cmdlet with an invalid value. SendOnBehalfOf cannot be used for the AccessRights parameter; the only valid value for this parameter is SendAs.

Fix: Use SendAs as the value for the AccessRights parameter. To configure Send on Behalf Of permissions, use the 'Set-Mailbox' cmdlet instead.
Set-Mailbox "<UserMailbox>" -GrantSendOnBehalfTo "<GuestUser>"
# Replace <UserMailbox> with the UPN of the mailbox and <GuestUser> with the guest's UPN to grant Send on Behalf Of permission.

Frequently Asked Questions

How to manage guest access in Microsoft 365 mailboxes?

Granting guest access to Microsoft 365 mailboxes is essential for enabling external collaborators to work efficiently with internal teams. However, it’s crucial to manage these permissions to prevent unauthorized access and compliance issues.

Let's see how to effectively manage guest access to user mailboxes in Exchange Online using PowerShell.

Steps to grant guest access to Exchange Online user mailboxes

  • Ensure you connect to the Exchange Online PowerShell module before proceeding.
  • Full Access permission allows a guest user to open and fully manage a mailbox. However, it does not include Send As or Send on Behalf Of permissions. To grant 'Full Access' permission, run the following cmdlet, replacing <UserName> with the UPN of the mailbox and <GuestUser> with the guest user's UPN.
Add-MailboxPermission -Identity "<UserName>" -User "<GuestUser>" -AccessRights FullAccess -InheritanceType All
  • Send As permission allows a guest user to send emails as the mailbox owner. To provide 'Send As' access, execute the cmdlet below, replacing <GuestUser> with the guest user's UPN and <UserMailbox> with the target mailbox's UPN.
Add-RecipientPermission -Identity "<UserMailbox>" -Trustee "<GuestUser>" -AccessRights SendAs
  • Send on Behalf Of permission lets a guest user send emails on behalf of the mailbox owner. To assign this permission, execute the cmdlet below, replacing the placeholders in the same way.
Set-Mailbox "<UserMailbox>" -GrantSendOnBehalfTo @{Add="<GuestUser>"}

If you want to grant guest access to a shared mailbox, replace <UserMailbox> with the UPN of the shared mailbox in the above commands. This ensures that external users have the right access to perform their roles effectively in a shared mailbox.

You can also remove any permissions granted to guest users using the following PowerShell cmdlets.

  • Remove-MailboxPermission: This cmdlet is used to remove 'Full Access' permission delegated.
  • Remove-RecipientPermission: Using this cmdlet, you can remove 'Send As' permission delegated.
  • Set-Mailbox: This cmdlet can also be used to revoke 'Send on Behalf of' permissions. However, the value for GrantSendOnBehalfTo must be modified.

For example, to remove Send on Behalf Of permission granted to a guest user, run the following cmdlet:

Set-Mailbox "<UserMailbox>" -GrantSendOnBehalfTo @{Remove="<GuestUser>"}

What are the risks of guest users accessing mailboxes in Exchange Online?

Unwanted mailbox permissions delegated to guest users may result in significant risks and compromise Microsoft 365 security. Some of these risks include:

  • Account Compromise: If a guest user's account is compromised, attackers could gain access to user mailboxes. This could allow them to target other systems and sensitive data within the organization.
  • Data Leakage: Guest users may unintentionally share confidential information with unauthorized parties or external users, leading to potential data breaches.
  • Compliance Violations: Mismanaged guest permissions can result in compliance issues and damage the organization's reputation.
  • Phishing and Malware Risks: Guest users with mailbox access might unknowingly open phishing emails or malicious attachments. This could expose internal systems to malware attacks or lead to the theft of sensitive data.
  • Increased Security Vulnerabilities: Guest user accounts are harder to monitor than internal accounts. This makes it challenging to detect and prevent malicious activities.

To mitigate these risks and improve security, admins should regularly monitor guest permissions and mailbox folder permission changes in Exchange Online.

How to revoke a mailbox permission assigned to a guest user?

Excessive privileges mistakenly granted to guest users can pose significant risks to mailbox security. Identifying and revoking unnecessary permissions ensures proper access control and minimizes the risk of data exposure. In this section, we'll see how to remove mailbox permission assigned to a guest user in the Exchange admin center.

  • Log in to the Exchange admin center.
  • Navigate to Recipients » Mailboxes and select the mailbox you want to modify.
  • Click the Delegation tab in the flyout pane.
  • Choose the appropriate permissions (Full Access, Send As, Send on Behalf) and click Edit.
  • Locate the guest user from the list and select the Delete option.
  • Click Confirm to revoke the permission granted to the guest user.

Note: The changes may take up to 5 minutes to reflect in the Exchange admin center.

How to audit guest mailbox permission changes in Exchange Online?

In Microsoft 365, auditing mailbox permission changes is essential to ensure proper access control, especially when dealing with guest users. Unauthorized additions or removals of permissions to guest users can compromise mailbox security and lead to data exposure.

Audit mailbox permission changes in the Microsoft Purview Compliance portal

  • Navigate to the Audit page in the Microsoft Purview Compliance Portal.
  • Customize the date and time range as per your requirements.
  • Select the following operations in the "Activities - friendly names" field:
    • Added delegate mailbox permissions, Removed delegate mailbox permissions
  • Then, click on Search. Once the search is completed, you can export all mailbox permissions changes.
  • To get all permissions delegated to guest users, add a filter to the AuditData column of the exported file using the "Text contains" option and specify "#EXT#".
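The same search can be run from Exchange Online PowerShell instead of the portal. The function below is an added example, not code from the article or from AdminDroid: it queries the unified audit log for the cmdlets behind the "Added/Removed delegate mailbox permissions" activities, parses the Parameters array in each record's AuditData, and keeps the events whose delegate carries the "#EXT#" marker the portal export is filtered on. It assumes an existing Connect-ExchangeOnline session and that unified auditing is enabled; the function name Get-GuestDelegationAuditEvents is ours.

```powershell
# Added example (not from the article): list delegate-permission changes that
# targeted guest users, read straight from the unified audit log.
function Get-GuestDelegationAuditEvents {
    param([int]$Days = 30)

    # Cmdlet names recorded for the portal's "Added/Removed delegate mailbox permissions"
    $ops   = 'Add-MailboxPermission', 'Remove-MailboxPermission',
             'Add-RecipientPermission', 'Remove-RecipientPermission'
    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # Page through the result set; a single call returns at most 5000 records
    $sessionId = [guid]::NewGuid().ToString()
    $records = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeAdmin `
                    -Operations $ops -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $records += $page }
    } while ($page)

    # ReturnLargeSet may repeat records across pages; Identity is unique per event
    foreach ($rec in ($records | Sort-Object Identity -Unique)) {
        $data = $rec.AuditData | ConvertFrom-Json

        # Parameters is a list of {Name, Value}; the delegate is passed as 'User' to
        # Add/Remove-MailboxPermission and as 'Trustee' to Add/Remove-RecipientPermission
        $p = @{}
        foreach ($param in $data.Parameters) { $p[$param.Name] = $param.Value }
        $delegate = if ($p['User']) { $p['User'] } else { $p['Trustee'] }
        if ($delegate -notlike '*#EXT#*') { continue }

        [PSCustomObject]@{
            When      = $rec.CreationDate
            Operation = $rec.Operations
            ChangedBy = $rec.UserIds          # the admin (or app) that made the change
            Mailbox   = $p['Identity']        # may be a directory name rather than a UPN
            Guest     = $delegate
            Rights    = $p['AccessRights']
        }
    }
}

# Usage: Get-GuestDelegationAuditEvents -Days 90 | Sort-Object When | Format-Table -AutoSize
```

Send on Behalf Of changes are recorded as Set-Mailbox events carrying a GrantSendOnBehalfTo parameter and are not covered by this function.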

Auditing mailbox permission changes in Microsoft 365 audit logs is challenging as it requires complex filtering, and the results are not user-friendly.

Streamline mailbox permission tracking in Exchange Online with AdminDroid

  • With AdminDroid's mailbox permission changes report, you can easily identify any unauthorized mailbox permission changes.
  • This report provides detailed information on all mailbox permission changes, including the authorization time, the mailbox involved, the admin who authorized the change, and more.