List all mailboxes user has access to with PowerShell

In Exchange, we can get mailbox permissions. That’s great if you want to know which user has access to which mailbox. You can also assign a security group, instead of a user directly, as a mailbox permission. What if you want to reverse it and get all the mailboxes a user has access to? In this article, you will learn how to list all mailboxes a user has access to with PowerShell.

Get mailbox permissions

Sign in to Exchange Admin Center. Click recipients in the feature pane and follow with mailboxes in the tab. Find the user in the list view and double-click on it.

Check who has access to the mailbox of Amanda Morgan:

  • Send as Access: Boris Campbell, Kylie Davidson
  • Send on Behalf: Christopher Payne
  • Full Access: Benetiz Anees

The above information is excellent, but that’s not what we want to know. We want to know which mailboxes the user Amanda Morgan has access to.

List all mailboxes user has access to

You can open every mailbox and check whether the user appears in the Send as/Send on Behalf/Full Access permissions. We don’t want to open all the mailboxes one by one to look for the user, as that is time-consuming.

Get Send As permissions

The user has Send As permissions for these mailboxes.

[PS] C:\>Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Where-Object { $_.ExtendedRights -like "*send*" -and ($_.User -match "Amanda.Morgan")} | ft User,Identity

User                Identity
----                --------
EXOIP\Amanda.Morgan exoip.local/Company/Users/IT/Kylie Davidson
EXOIP\Amanda.Morgan exoip.local/Company/Users/IT/Richard Grant

Get Send on Behalf permissions

List the mailboxes for which the user has Send on Behalf permissions.

[PS] C:\>Get-Mailbox -ResultSize Unlimited | Where-Object {$_.GrantSendOnBehalfTo -match "Amanda Morgan"} | ft GrantSendOnBehalfTo,Name

GrantSendOnBehalfTo                               Name
-------------------                               ----
{exoip.local/Company/Users/Finance/Amanda Morgan} Grace Rees

Get Full Access permissions

Run Exchange Management Shell as administrator. Make use of the Get-Mailbox cmdlet. The user has Full Access permissions to these mailboxes.

[PS] C:\>Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User "Amanda Morgan" | ft User,Identity,AccessRights

User                Identity                                          AccessRights
----                --------                                          ------------
EXOIP\Amanda.Morgan exoip.local/Company/Users/Finance/Sebastian Nolan {FullAccess}
EXOIP\Amanda.Morgan exoip.local/Company/Users/Finance/Dylan Piper     {FullAccess}
EXOIP\Amanda.Morgan exoip.local/Company/Exchange/Resources/Room Tokyo {FullAccess}

Filter mailboxes with RecipientTypeDetails parameter

Make use of the RecipientTypeDetails parameter. The RecipientTypeDetails parameter filters the results by the specified mailbox subtype. Valid values are:

  • DiscoveryMailbox
  • EquipmentMailbox
  • GroupMailbox
  • LegacyMailbox
  • LinkedMailbox
  • LinkedRoomMailbox
  • RoomMailbox
  • SchedulingMailbox
  • SharedMailbox
  • TeamMailbox
  • UserMailbox

The user has Full Access permissions to these room mailboxes.

[PS] C:\>Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails RoomMailbox | Get-MailboxPermission -User "Amanda Morgan" | ft User,Identity,AccessRights

User                Identity                                          AccessRights
----                --------                                          ------------
EXOIP\Amanda.Morgan exoip.local/Company/Exchange/Resources/Room Tokyo {FullAccess}

You can always format the results as a list instead of a table.

[PS] C:\>Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails RoomMailbox | Get-MailboxPermission -User "Amanda Morgan" | fl


RunspaceId      : 5325c6df-036a-4de4-b07f-6273c28ad286
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : EXOIP\Amanda.Morgan
Identity        : exoip.local/Company/Exchange/Resources/Room Tokyo
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged
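
The three queries above combined into one report for an access review, as an added example that is not part of the original article. It assumes the on-premises Exchange Management Shell; $Trustee, $CsvPath and New-Row are illustrative names, and the comparison against GrantSendOnBehalfTo assumes the canonical-name form shown in the output above.

```powershell
# Added example: run as a script in the Exchange Management Shell (on-premises).
# $Trustee, $CsvPath and New-Row are illustrative names, not from the article.
param(
    [string]$Trustee = 'Amanda Morgan',   # sample user from the article
    [string]$CsvPath                      # optional CSV export path
)

# Resolve the trustee once so every check compares against the same account.
$user = Get-User -Identity $Trustee -ErrorAction Stop
$sam  = $user.SamAccountName
$id   = "$($user.Identity)"   # assumed to render as the canonical name

# One row per (mailbox, right); Deny/IsInherited come from the ACE when there is one.
function New-Row($Mailbox, $Right, $Ace) {
    [pscustomobject]@{
        Trustee     = $sam
        Mailbox     = $Mailbox.Name
        Address     = "$($Mailbox.PrimarySmtpAddress)"
        MailboxType = "$($Mailbox.RecipientTypeDetails)"
        Right       = $Right
        Deny        = $Ace.Deny
        IsInherited = $Ace.IsInherited
    }
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Full Access: ACEs on the mailbox itself.
    Get-MailboxPermission -Identity $mbx.DistinguishedName -User $user.DistinguishedName |
        Where-Object { "$($_.AccessRights)" -like '*FullAccess*' } |
        ForEach-Object { New-Row $mbx 'FullAccess' $_ }

    # Send As: extended right on the mailbox's Active Directory object.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { "$($_.ExtendedRights)" -like '*Send-As*' -and "$($_.User)" -like "*\$sam" } |
        ForEach-Object { New-Row $mbx 'SendAs' $_ }

    # Send on Behalf: a mailbox attribute, not an ACE, so Deny/IsInherited stay empty.
    if (($mbx.GrantSendOnBehalfTo | ForEach-Object { "$_" }) -contains $id) {
        New-Row $mbx 'SendOnBehalf' $null
    }
}

if ($CsvPath) { $report | Export-Csv -Path $CsvPath -NoTypeInformation }
$report | Sort-Object Right, Mailbox | Format-Table -AutoSize
```

Like the individual queries, this reports only entries that name the user directly; access granted through a security group is recorded under the group, so review the user's group memberships separately.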

Did this help you to list all mailboxes user has access to with PowerShell?

Conclusion

You learned how to list all mailboxes a user has access to with PowerShell. Finding the mailboxes a user has access to in Exchange Admin Center takes time. Make use of the Get-Mailbox cmdlet in PowerShell to get the permissions.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 11 Comments

  1. So, are we to take it from these commands that there is no single report we are able to run that will give us full details of all resources and mailboxes a user has access to, also detailing the type of access? i.e. We need to run several commands for each different kind of mailbox access as well as each different kind of resource.

    The scenario I am thinking of is probably one of the most common in any corporate environment, where a person leaves a company and is directly replaced by a new staff member. We create the new account for the new staff member and it seems we have no reliable means of seeing all the attributes of the user they are replacing, to ensure all attributes are applied to them. Currently, we have to go to a myriad of different places and run a multitude of different reports, just to see, never mind reallocate/move email, data, forms, sites etc…

  2. Thank you for this wonderful resource! One question that I had was how would you delete a user's permissions across mailboxes? For example, I ran the above commands and got a list of all of the mailboxes that a particular user has Full Access on. I wish to remove him from all of these mailboxes. Is there an easy way to accomplish that? Thanks in advance!

  3. Hi Ali, in Exchange on-prem you can check the AD attribute msExchDelegateListBL to see what accounts a user has Full Access rights to.

    Get-ADUser samaccountname -Properties msExchDelegateListBL | fl msExchDelegateListBL

    Do you know the equivalent in O365?

    1. Hi Koji,

      You can use the Full Access permissions command that I wrote in the article for Exchange Online (Microsoft 365/Office 365) and retrieve which accounts the user has full access rights to.

      Connect to Exchange Online PowerShell and run below command (change the user account).

      Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User "Amanda.Morgan@exoip.com" | ft User,Identity,AccessRights

        1. The problem that I have is that we have tens of thousands of mailboxes and that command fails all the time with an out of resources error message. I’m assuming that there is an attribute in AzureAD so the automapping happens just like in AD. I just cannot find it.

  4. Any idea if I want to include email addresses of the Identity how to do that, I am using: Get-Mailbox | Get-MailboxPermission -User "test-user"

    Identity User                 AccessRights
    -------- ----                 ------------
    ABC      test-user@domain.com {FullAccess}

    I just want to include the email address of Identity!!

    Thanks

  5. Thanks for your article.
    Everything goes ok with the “Get Send on Behalf permissions” and with “Get Full Access permissions” commands.

    Just with the “Get Send As permissions” I get an error because the term ‘Add-ADPermission’ is not recognized as the name of a cmdlet, function, script file, or operable program.

    Can you help me find my fault?

    1. You’re welcome. I am glad that two of the cmdlets did work. Let’s see why the third and last one didn’t, as it should.

      Are you using Exchange Online or Exchange on-premises? Use Exchange Management Shell when running the cmdlets.

      1. I use a hybrid environment with Exchange Online and Active Directory on-premises.
        The Exchange Management Shell is installed on a server on-premises to manage the creation of the mailbox. Even if I connect with it to 365 executing the command I don’t get the previous error but I don’t get any result either, just the command prompt…
        I’m still missing something in the procedure.

        Thx anyway

        1. The focus was on Exchange on-premises when writing this article. That’s why I asked if you are running Exchange Online or Exchange on-premises. The cmdlets vary a little bit between these two.

          I will write a new article about how to list all mailboxes user has access to in Exchange Online or update this one.

          To answer your question:

          Connect to Exchange Online PowerShell. We will use the Exchange Online PowerShell cmdlets as this will retrieve the results faster.

          Get-EXOMailbox | Get-EXORecipientPermission -Trustee "Amanda Morgan" | ft Trustee,Identity,AccessRights
