Published 9/11/2015
Prologue
Ace Fekay here again.
You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.
With AD, Exchange, and Office 365, you will find that scripting comes into play more and more in your daily tasks. The main reason I'm posting simple scripts is that, to get the job done, I just needed an arsenal of quick one-liners to reach for when handed a simple task such as this one: mailbox permissions.
I hope this blog and my future scripts blogs, especially with Office 365, help you out.
Scope
These are a few examples of dealing with everyday requests for mailbox delegation and permissions administration. Sure, you can do it from your web-based Office 365 tenant dashboard, but what fun is that?
And yes, this is simple stuff. The main reason I’m posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up and there is no one place to get all of this at the simple level. All I see are elaborate scripts that do more than what I needed. Hence, my posts.
Open PowerShell session and Login – Of course you first have to open a PowerShell session to your tenant account
Open a PowerShell window.
Run the following:
$AceCred = Get-Credential
$MySession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $AceCred -Authentication Basic -AllowRedirection
The Get-Credential call prompts you to log in with your tenant credentials, which the session then uses.
Then run:
Import-PSSession $MySession
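As an added example (not part of the original post), the same connection wrapped in a function that also tears the session down when you are done, so a stale remote session is not left open against the tenant. Connect-TenantShell and $TenantCred are names I chose, and the Get-Mailbox call inside the try block is only a placeholder for your own commands:

```powershell
# Added example, not from the original post.
# Connect-TenantShell opens and imports the Exchange Online remote session
# and hands the session object back so the caller can remove it afterwards.
function Connect-TenantShell {
    param([Parameter(Mandatory)][pscredential]$Credential)

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.outlook.com/powershell/ `
        -Credential $Credential -Authentication Basic -AllowRedirection
    # -DisableNameChecking silences the warning about unapproved verbs in the imported module
    Import-PSSession $session -DisableNameChecking | Out-Null
    return $session
}

# $TenantCred is an assumed variable name (the post uses $AceCred)
$TenantCred = Get-Credential -Message 'Office 365 admin account'
$session = Connect-TenantShell -Credential $TenantCred
try {
    # placeholder for your own work against the tenant
    Get-Mailbox JohnDoe@contoso.com | Format-List DisplayName, GrantSendOnBehalfTo
}
finally {
    # always remove the remote session, even if a command above failed
    Remove-PSSession $session
}
```

The try/finally is the point: if a command in the middle throws, the session is still closed rather than lingering until it times out.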
To run a manual DirSync (Start-OnlineCoexistenceSync) – on a DC
After you make any changes in your local AD, instead of waiting for the dirsync schedule to run, you can manually run a dirsync on your onprem AD to force a sync:
Command Prompt
cd "C:\Program Files\Microsoft Online Directory Sync"
Run:
.\DirSyncConfigShell.psc1
Or just run:
"C:\Program Files\Microsoft Online Directory Sync\DirSyncConfigShell.psc1"
Then run:
Start-OnlineCoexistenceSync or invoke-dirsync
To view the dirsync log, click on the DirSync icon in task bar that opens the Synchronization Service Manager. If it’s not on the task bar, it can be found in:
"C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe"
===========================================================
To find who has been delegated to a mailbox
Get-Mailbox JohnDoe@contoso.com | fl displayname, GrantSendOnBehalfTo
To see the whole list of delegated users:
PS C:\Windows> Get-Mailbox JohnDoe@contoso.com | Select -ExpandProperty GrantSendOnBehalfTo
Output:
user1
user2
user3
user4
user5
user6
Or you can run this, too:
PS C:\Windows> (Get-Mailbox JohnDoe@contoso.com).GrantSendOnBehalfTo
Output:
user1
user2
user3
user4
user5
user6
Remove Mike Smith as a delegate – example:
First find the permission:
This will give you a summary list:
Get-MailboxPermission -Identity Dept1-Shared-Mailbox | ft
This will give you a full list:
Get-MailboxPermission -identity Dept1-Shared-Mailbox | fl
Then remove it:
Remove-MailboxPermission -Identity Dept1-Shared-Mailbox -User NAMPRD999\Mike.Smith8047888747747123 -AccessRights FullAccess -InheritanceType All
# SendAs is a recipient permission, not a mailbox ACL entry, so it is removed with Remove-RecipientPermission
Remove-RecipientPermission -Identity Dept1-Shared-Mailbox -Trustee NAMPRD999\Mike.Smith8047888747747123 -AccessRights SendAs
To find who has FullAccess Permissions on a Mailbox
There are two ways the results can be displayed:
- FT – Format Table – One big summarized list
- FL – Format List – in sections with detail
using FT
get-mailboxpermission JohnDoe@contoso.com | ft
Output example:
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
JohnDoe NT AUTHORITY\SELF {FullAccess, Rea… False False
JohnDoe S-1-5-21-24478488… {FullAccess} False False
JohnDoe NAMPRD05\jar02546… {FullAccess} False False
JohnDoe NAMPRD05\FullAcce… {FullAccess} False False
JohnDoe NAMPRD05\Administ… {FullAccess} True True
JohnDoe NAMPRD05\Domain A… {FullAccess} True True
JohnDoe NAMPRD05\Enterpri… {FullAccess} True True
JohnDoe NAMPRD05\Organiza… {FullAccess} True True
JohnDoe NT AUTHORITY\SYSTEM {FullAccess} True False
JohnDoe NT AUTHORITY\NETW… {ReadPermission} True False
JohnDoe PRDMGT01\View-Onl… {ReadPermission} True False
JohnDoe NAMPRD05\Administ… {FullAccess, Del… True False
JohnDoe NAMPRD05\Domain A… {FullAccess, Del… True False
JohnDoe NAMPRD05\Enterpri… {FullAccess, Del… True False
JohnDoe NAMPRD05\Organiza… {FullAccess, Del… True False
JohnDoe NAMPRD05\Public F… {ReadPermission} True False
JohnDoe NAMPRD05\Exchange… {FullAccess, Rea… True False
JohnDoe NAMPRD05\Exchange… {FullAccess, Del… True False
JohnDoe NAMPRD05\Managed … {ReadPermission} True False
using FL
get-mailboxpermission JohnDoe@contoso.com | fl
Output Example:
RunspaceId : aaa56ea5-574b-45dc-8489-d85a2013bc58
AccessRights : {FullAccess, ReadPermission}
Deny : False
InheritanceType : All
User : NT AUTHORITY\SELF
Identity : JohnDoe
IsInherited : False
IsValid : True
ObjectState : Unchanged
RunspaceId : aaa56ea5-574b-45dc-8489-d85a2013bc58
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : S-1-5-21-2447848828-1310731447-1641304557-6207581
Identity : JohnDoe
IsInherited : False
IsValid : True
ObjectState : Unchanged
RunspaceId : aaa56ea5-574b-45dc-8489-d85a2013bc58
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : NAMPRD05\jar02546711232540629
Identity : JohnDoe
IsInherited : False
IsValid : True
ObjectState : Unchanged
RunspaceId : aaa56ea5-574b-45dc-8489-d85a2013bc58
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : NAMPRD05\FullAccessAdmin
Identity : JohnDoe
IsInherited : False
IsValid : True
ObjectState : Unchanged
RunspaceId : aaa56ea5-574b-45dc-8489-d85a2013bc58
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : NAMPRD05\Administrator
Identity : JohnDoe
IsInherited : True
IsValid : True
ObjectState : Unchanged
etc
Other tidbits:
===========================
To display FullAccess on a Mailbox
Get-MailboxPermission JohnDoe | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity,User,AccessRights | fl
===========================
This will display SendOnBehalf:
Get-RecipientPermission JohnDoe | Where { ($_.IsInherited -eq $False) -and -not ($_.Trustee -like "NT AUTHORITY\SELF") } | Select Trustee,AccessControlType,AccessRights | fl
===========================
View SendAs:
Get-RecipientPermission JohnDoe | Where {($_.Trustee -ne 'NT AUTHORITY\SELF') -and ($_.Trustee -ne 'NULL SID')} | Select Identity,Trustee,AccessRights | fl
==========================
View all “Send As permissions” you’ve configured in your organization
Careful running this on a really large tenant or you will tie up the bandwidth and get throttled.
Get-RecipientPermission | Where {($_.Trustee -ne 'NT AUTHORITY\SELF') -and ($_.Trustee -ne 'NULL SID')} | Select Identity,Trustee,AccessRights
============================
Display a list of recipients that have FULL ACCESS permission on other recipients
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } | Select Identity, User, AccessRights | fl
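The one-liners above each show a single kind of delegation. As an added example (not part of the original post), here is a function that gathers all three kinds the post touches on for one or more mailboxes, with one output object per mailbox, trustee and right: explicit mailbox rights such as FullAccess from Get-MailboxPermission, SendAs from Get-RecipientPermission, and SendOnBehalf from the mailbox's GrantSendOnBehalfTo attribute. It assumes an imported Exchange Online session; Get-MailboxDelegationReport and the mailbox names in the usage lines are names I chose.

```powershell
# Added example, not from the original post.
# Emits one object per (mailbox, trustee, right) for the three delegation kinds.
function Get-MailboxDelegationReport {
    param(
        # identities to inspect; omit to walk every mailbox (slow, and throttled on a big tenant)
        [string[]]$Mailbox
    )

    if ($Mailbox) { $boxes = $Mailbox | ForEach-Object { Get-Mailbox -Identity $_ } }
    else          { $boxes = Get-Mailbox -ResultSize Unlimited }

    foreach ($mbx in $boxes) {
        # mailbox ACL rights (FullAccess etc.): explicit entries only, skipping the owner's SELF entry
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Kind    = 'MailboxPermission'
                    Trustee = $_.User.ToString()
                    Rights  = ($_.AccessRights -join ',')
                    Deny    = $_.Deny
                }
            }

        # SendAs lives on the recipient object, not in the mailbox ACL
        Get-RecipientPermission -Identity $mbx.Identity |
            Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.Trustee -ne 'NULL SID' } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Kind    = 'SendAs'
                    Trustee = $_.Trustee.ToString()
                    Rights  = ($_.AccessRights -join ',')
                    Deny    = ($_.AccessControlType -eq 'Deny')
                }
            }

        # SendOnBehalf is an attribute of the mailbox itself
        foreach ($t in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Kind    = 'SendOnBehalf'
                Trustee = $t.ToString()
                Rights  = 'SendOnBehalf'
                Deny    = $false
            }
        }
    }
}

# usage: one shared mailbox on screen, then an org-wide run exported for review
Get-MailboxDelegationReport -Mailbox 'Dept1-Shared-Mailbox' | Format-Table -AutoSize
Get-MailboxDelegationReport | Export-Csv -NoTypeInformation -Path .\delegations.csv
```

Scope the run with -Mailbox during the day and leave the org-wide export for a quiet window, for the throttling reason given above; the CSV gives you a single list of who can open, send as, or send on behalf of each mailbox, which is what an access review actually asks for.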
=============================
Revoke “Send As” Permissions
Remove-RecipientPermission <Identity> -AccessRights SendAs -Trustee <Identity>
Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan
Adjustments & Improvements – To avoid the need for confirmation, we can add the option: “-Confirm:$False”
Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan -Confirm:$False
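The Mike Smith example earlier and the revoke section here together cover removing FullAccess and SendAs. As an added example (not part of the original post), here is both in one function that supports -WhatIf, so the exact entries are listed before anything is removed; inherited entries are left alone because they cannot be removed per mailbox. It assumes an imported Exchange Online session; Remove-MailboxDelegate and the identities in the usage lines are names I chose.

```powershell
# Added example, not from the original post.
# Removes one user's explicit FullAccess and SendAs on a mailbox, with -WhatIf support.
function Remove-MailboxDelegate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$User
    )

    # FullAccess: only explicit (non-inherited) entries for this user
    $full = Get-MailboxPermission -Identity $Mailbox -User $User |
        Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' }
    foreach ($ace in $full) {
        if ($PSCmdlet.ShouldProcess($Mailbox, "remove FullAccess for $($ace.User)")) {
            Remove-MailboxPermission -Identity $Mailbox -User $ace.User `
                -AccessRights FullAccess -InheritanceType All -Confirm:$false
        }
    }

    # SendAs: held on the recipient, removed with the cmdlet the post shows
    $sendAs = Get-RecipientPermission -Identity $Mailbox -Trustee $User |
        Where-Object { $_.AccessRights -contains 'SendAs' }
    foreach ($ace in $sendAs) {
        if ($PSCmdlet.ShouldProcess($Mailbox, "remove SendAs for $($ace.Trustee)")) {
            Remove-RecipientPermission -Identity $Mailbox -Trustee $ace.Trustee `
                -AccessRights SendAs -Confirm:$false
        }
    }
}

# dry run first (prints "What if:" lines and changes nothing), then the real removal
Remove-MailboxDelegate -Mailbox 'Dept1-Shared-Mailbox' -User 'Mike.Smith@contoso.com' -WhatIf
Remove-MailboxDelegate -Mailbox 'Dept1-Shared-Mailbox' -User 'Mike.Smith@contoso.com'
```

The -Confirm:$False from the post is used inside because the function's own ShouldProcess check already gates each removal; running with -WhatIf first is the cheap way to confirm you are revoking exactly the entries you expect.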
More to come…
Comments are welcomed.
==================================================================
Summary
I hope this helps!
Published 8/17/2015
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.