How to Get Exchange Online Mailbox Permissions Report Using PowerShell or Netwrix Auditor

Native Solution vs. Netwrix Auditor for Exchange
{{ firstError }}
We care about security of your data. Privacy Policy
Native Solution Netwrix Auditor for Exchange
Native Solution
Netwrix Auditor for Exchange

1. Connect to Office 365 PowerShell by running the PowerShell ISE as Administrator and executing the following command:

Set-ExecutionPolicy RemoteSigned

2. Request Windows PowerShell credentials by running the following command:

$Cred = Get-Credential

Enter your account and passwordand then click OK.

3. Create a session using the following command, modifying the –ConnectionUri parameter based on your Exchange Online location:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential$Cred -Authentication Basic –AllowRedirection

4. Connect to Exchange Online:

Import-PSSession$Session -DisableNameChecking

5. Generate user permissions report, do one of the following:

  • To get a full summary of users’ permissions, use the following Get-Mailbox command:

Get-Mailbox -resultsize unlimited | Get-MailboxPermission | Select Identity, User, Deny, AccessRights, IsInherited| Export-Csv -Path "c:\temp\mailboxpermissions.csv" –NoTypeInformation

  • If you need a report on a specific user, use the -identity parameter instead of -resultsize unlimited.
  • To filter users having full access, use the parameter where {($_.accessrights -contains "FullAccess")}:

Get-Mailbox -resultsize unlimited | Get-MailboxPermission| where {($_.accessrights -contains "Fullaccess")}  | Select AccessRights,Deny,InheritanceType,User,Identity,IsInherited  | Export-Csv -Path "c:\temp\fullaccess.csv" -NoTypeInformation

  • By default, you will get a full list of users, including non-owner access. To get information about direct user permissions only, use either {($_.user -ne "NT AUTHORITY\SELF")} or {($_.user -like '*@*')}:

Get-Mailbox -resultsize unlimited | Get-MailboxPermission | Select Identity, User, Deny, AccessRights, IsInherited| Where {($_.user -ne "NT AUTHORITY\SELF")}| Export-Csv -Path "c:\temp\NonOwnerPermissions.csv" -NoTypeInformation

  • To view information about “Send As” permissions, use the Get-RecipientPermission cmdlet:

Get-Mailbox -resultsize unlimited | Get-RecipientPermission| where {($_.trustee -ne "NT AUTHORITY\SELF")}|select Identity,Trustee,AccessControlType,AccessRights,IsInherited  | Export-Csv -Path "c:\temp\sendaspermissions.csv" –NoTypeInformation

  • To report on mailboxes with the “Send on Behalf” permission, use the following script:

$GrantSendOn= Get-Mailbox-resultsize unlimited| where {($_.GrantSendOnBehalfTo -ne "")} 

$Out=foreach ($user in $GrantSendOn.GrantSendOnBehalfTo) {

$obj= New-Object System.Object

$obj|Add-MemberNoteProperty eMail$GrantSendOn.WindowsEmailAddress

$obj|Add-Member NoteProperty DisplayName $GrantSendOn.DisplayName

$obj|Add-Member NoteProperty User $user

$obj }

$Out| Export-Csv -Path "c:\temp\sendonbehalfpermissions.csv" –NoTypeInformation 

6. Review report:

How to Report Exchange Online Mailbox Permissions - Native Auditing


7. Terminate your session by using the following command:


Run Netwrix Auditor → Click "Reports" → choose Exchange Online → State-in-Time Reports → Choose " Mailbox Non-Owner Permission Details" → click "View".

How to Report Exchange Online Mailbox Permissions - Netwrix Auditor

Untangle Exchange Online Non-owner Mailbox Permissions

To enable collaboration or ensure coverage when someone is out of the office, users are sometimes granted permissions to access other mailboxes: the delegate can receive and send email messages, meeting requests and responses on behalf of another user. While delegation can be required to satisfy business needs, in large organizations, delegation of mailbox rights can be an operational nightmare for both IT and security teams, because auditing the list of users who are accessing, reading and sending sensitive information is complicated and time-consuming. 

In Exchange Online, as with on-premises Exchange, the native tool for getting summary of users who have permissions to access other users’ email is PowerShell. With the Get-MailboxPermission PowerShell command, you can check which users have what type of permissions to access other mailboxes. However, this command does not list all mailbox permissions. For instance, to check “Send on Behalf” rights, you have to use different syntax. Similarly, if you need to see the permissions of a specific security group, you have to add the Get-ADGroupMember cmdlet to the scriptBecause reporting on different types of access rights requires you to add new parameters and commands to the get necessary data, using PowerShell to get mailbox permissions can be overwhelming even if you have small list of Office 365 security principals. Also, keep in mind that using PowerShell with cloud solutions like Exchange Online can involve significant delays. 

With Netwrix Auditor for Exchange you can get a clear report on non-owner permissions in just a few clicks. It will provide all the necessary details, such as which users have non-owner permissions to which mailboxes and what level of permissions each user has. Moreover, Netwrix Auditor for for Exchange delivers information about non-owner mailbox access events, changes to permissions to shared mailboxes and much more information that can help you ensure better control over what’s going on in your Exchange Online and Exchange Server environment.


Related How-tos