How to get a list of Shared mailboxes and users with permissions to those mailboxes in Exchange Online?


Hello All,

This is a quick blog post to assist admins working with resource mailboxes. It was written specifically for Exchange Online; however, it should work for Exchange 2013 and Exchange 2010 as well. If you are trying to pull all the shared mailboxes in your organization and determine who has permissions to what, follow the cmdlets below and you will be able to export the data to a txt file to reference and review at your leisure.

 

  1. The first cmdlet will collect all the shared mailboxes and insert them into a variable.
    1. $Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | Select-Object Identity,Alias,DisplayName | Sort-Object DisplayName
  2. This step will take that variable of mailboxes and, for each one, output the name of the mailbox, the user with access, and the access rights assigned, and write it to a txt file.
    1. $Mailboxes | Sort-Object DisplayName | ForEach-Object {Get-MailboxPermission -Identity $_.Alias | Format-Table Identity,User,AccessRights} > SharedPermissions.txt

 

 

You may notice that you have nested security groups with permissions to those shared mailboxes. To get the membership list of the nested security groups, the cmdlets will be similar, with a few small changes:

  1. Change the enumeration limit to -1 so we can return the full output.
    1. $FormatEnumerationLimit = -1
  2. Get the full list of security groups and add it to a variable.
    1. $sgroup = Get-Group -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited
  3. Run a PowerShell cmdlet so that, for each group, we output the display name and members to a text file named SGroupMembers.txt.
    1. $sgroup | Sort-Object DisplayName | ForEach-Object {Get-Group -Identity $_.WindowsEmailAddress | Format-List DisplayName,Members} > SGroupMembers.txt

 

Note: Step 3 may fail if you are attempting to write to your C:\ directory. You may need to change the directory to write to a temp folder. To change the directory, use the cmdlet below. This will write the file to your C:\temp folder; if one does not exist, it will be created.

CD C:\temp

 

Then run step 3 again.

 

You can do the same with other resource mailboxes such as room mailboxes, shared mailboxes, Universal Distribution Groups, and Universal Security Groups. All you need to do is change the -RecipientTypeDetails value and verify the parameters that you are looking for.
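
For an access review, the two procedures above can be combined into one CSV export that keeps only explicit grants and lists group members beside each group trustee (one level only; groups nested inside groups are not expanded). This is an added example, not code from the original post: it assumes an already-connected Exchange Online PowerShell session, and the output file name and the `$groupCache` variable are assumptions.

```powershell
# Added example, not from the original post. Assumes an already-connected
# Exchange Online PowerShell session; the output file name is an assumption.
$mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Sort-Object DisplayName
$groupCache = @{}   # trustee name -> security group object, or $null if not a group

$report = foreach ($mbx in $mailboxes) {
    # Keep explicit grants only: skip inherited entries and NT AUTHORITY\SELF.
    $perms = Get-MailboxPermission -Identity $mbx.Alias |
        Where-Object { -not $_.IsInherited -and "$($_.User)" -notlike 'NT AUTHORITY\*' }

    foreach ($perm in $perms) {
        $trustee = "$($perm.User)"
        if (-not $groupCache.ContainsKey($trustee)) {
            # Look the trustee up once; users and unknown names resolve to $null.
            $groupCache[$trustee] = Get-Group -Identity $trustee -ErrorAction SilentlyContinue |
                Where-Object { "$($_.RecipientTypeDetails)" -eq 'MailUniversalSecurityGroup' } |
                Select-Object -First 1
        }
        $group = $groupCache[$trustee]

        # One row per (mailbox, trustee) pair, ready for sorting and filtering.
        [pscustomobject]@{
            Mailbox      = $mbx.DisplayName
            Alias        = $mbx.Alias
            Trustee      = $trustee
            AccessRights = $perm.AccessRights -join ';'
            Deny         = $perm.Deny
            IsGroup      = [bool]$group
            GroupMembers = if ($group) { $group.Members -join ';' } else { '' }
        }
    }
}

$report | Export-Csv -Path .\SharedMailboxAccess.csv -NoTypeInformation -Encoding UTF8
```

Unlike the Format-Table output redirected to a txt file, the CSV rows are not truncated and can be filtered by trustee or access right in a spreadsheet.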

 

Good Luck!