How to get a list of Shared mailboxes and users with permissions to those mailboxes in Exchange Online?


Hello All,

This is a quick blog post to assist admins working with resource mailboxes. It was written specifically for Exchange Online, but it should work for Exchange 2013 and Exchange 2010 as well. If you are trying to pull all the shared mailboxes in your organization and determine who has permissions to what, follow the cmdlets below and you will be able to export the data to a txt file to reference and review at your leisure.

 

    1. The first cmdlet will collect all the shared mailboxes and insert them into a variable.
      1. $Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Select Identity,Alias,DisplayName | sort displayname
    2. This step will take that variable of mailboxes, and for each one output the name of the mailbox, user with access and the access rights assigned, and write it to a txt file.
      1. $mailboxes | sort displayname | foreach {Get-MailboxPermission -Identity $_.alias | ft identity,user,accessrights} >SharedPermissions.txt

 

 

You may notice that you have nested Security groups with permissions to those shared mailboxes. To get the membership list of the nested SG's, the cmdlet will be similar with a few small changes:

  1. Change the enumeration limit to -1 so we can return the full output.
    1. $FormatEnumerationLimit =-1
  2. Get the full list of security groups and add it to a variable.
    1. $sgroup= Get-Group -RecipientTypeDetails MailUniversalSecurityGroup -resultsize unlimited
  3. Run a PowerShell cmdlet so that, for each group, we output the display name and members to a text file named "SGroupMembers.txt".
    1. $sgroup | sort displayname | foreach {Get-Group -Identity $_.WindowsEmailAddress | fl displayname,members} > SGroupMembers.txt

 

Note: Step 3 may fail if you are attempting to write to your C directory. You may need to change the directory to write to a temp folder. To change the directory, use the commands below. This will write the file to your C:\temp folder; if one does not exist, it will be created.

New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
CD C:\temp

 

Then run step 3 again.

 

You can do the same with other resource mailboxes and groups, such as room mailboxes, shared mailboxes, Universal Distribution Groups, and Universal Security Groups. All you need to do is change the -RecipientTypeDetails value and verify the parameters that you are looking for.
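
The two procedures above combined into one pass, as an added example that is not part of the original post: it keeps only explicit (non-inherited, non-deny) grants on each shared mailbox, lists the members of any trustee that resolves to a group, and joins multi-valued properties into plain strings so they export cleanly to CSV. The output file name and the assumption that Get-Group can resolve the User value of a permission entry are assumptions of this example.

```powershell
# Added example: audit delegated access to shared mailboxes, with group members expanded.
# Assumes an Exchange Online / Exchange Management Shell session is already connected.
$outFile = Join-Path ([System.IO.Path]::GetTempPath()) 'SharedMailboxAccess.csv'  # hypothetical name

$mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Sort-Object DisplayName

$report = foreach ($mbx in $mailboxes) {
    # Keep explicit allow entries only; skip inherited ACEs and the built-in SELF entry.
    $perms = Get-MailboxPermission -Identity $mbx.Alias | Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\*'
    }

    foreach ($perm in $perms) {
        # Assumption: a trustee that is a security group resolves through Get-Group.
        # Users and unresolved SIDs return nothing here and are reported as non-groups.
        $group   = Get-Group -Identity "$($perm.User)" -ErrorAction SilentlyContinue
        $members = if ($group) { $group.Members -join '; ' } else { '' }

        [pscustomobject]@{
            Mailbox      = $mbx.DisplayName
            Alias        = $mbx.Alias
            Trustee      = "$($perm.User)"
            AccessRights = $perm.AccessRights -join ', '   # flatten the collection for CSV
            IsGroup      = [bool]$group
            GroupMembers = $members
        }
    }
}

$report | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
'{0} permission entries written to {1}' -f @($report).Count, $outFile
```

Rows where IsGroup is True are the ones to review first, since a change to that group's membership changes who can open the mailbox without touching the mailbox permissions themselves.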

 

Good Luck!

Comments (5)

  1. Adam says:

    Hello 0-

    First, thanks for the script, this is great; however, exporting to CSV proves to be rather troublesome. We do not get the right info as per the text, just a bunch of #codes.

  2. turbomcp says:

    Thanks

  3. laala naresh says:

    Can I have the command to get all the users who have full and send as access to the shared mailbox?

  4. Yassine SOUABNI says:

    Hi laala naresh,

    Based on the script provided by 'Dom Picket MSFT', please find below
    the command to get all the users who have sendAs access to the shared mailbox.

    # List all shared mailbox permissions
    $Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Select Identity,Alias,DisplayName | sort displayname
    $Mailboxes | sort displayname | % {
        Get-MailboxPermission -Identity $_.alias | select identity,user,accessrights |
        where {
            # Exclude built-in accounts, unresolved SIDs and the other name patterns listed
            ($_.User -notlike '*NT AUTHORITY*') -and
            ($_.User -notlike '*S-1-5-21-*') -and
            ($_.User -notlike '*JitUsers*') -and
            ($_.User -notlike '*PRDMGT01*') -and
            ($_.User -notlike '*EURPRD06*') -and
            ($_.User -notlike '*EURPR06A003*')
        }
    } | Out-GridView

    I hope this is helpful
    Thanks.

  5. dup says:

    Can someone explain to me where he is using the $FormatEnumerationLimit variable? He has created it but I can't see where he uses it.

  6. You can just copy and paste it anywhere in your PowerShell window. I recommended doing it as step one. It only updates PowerShell so you can see the full output of your cmdlets.
