How to get a list of Shared mailboxes and users with permissions to those mailboxes in Exchange Online?


Hello All,

This is a quick blog post to assist admins who work with resource mailboxes. It was written specifically for Exchange Online, but it should work for Exchange 2013 and Exchange 2010 as well. If you are trying to pull all the shared mailboxes in your organization and determine who has permissions to what, follow the cmdlets below and you will be able to export the data to a txt file to reference and review at your leisure.


    1. The first cmdlet will collect all the shared mailboxes and insert them into a variable.
      1. $Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Select Identity,Alias,DisplayName | sort displayname
    2. This step will take that variable of mailboxes, and for each one output the name of the mailbox, user with access and the access rights assigned, and write it to a txt file.
      1. $mailboxes | sort displayname | foreach {Get-MailboxPermission -Identity $_.alias | ft identity,user,accessrights} >SharedPermissions.txt



You may notice that you have nested security groups with permissions to those shared mailboxes. To get the membership list of the nested security groups, the cmdlets are similar, with a few small changes:

  1. Change the enumeration limit to -1 so we can return the full output.
    1. $FormatEnumerationLimit =-1
  2. Get the full list of security groups and add it to a variable.
    1. $sgroup= Get-Group -RecipientTypeDetails MailUniversalSecurityGroup -resultsize unlimited
  3. Run a PowerShell cmdlet so that, for each group, we output the display name and members to a text file named "SGroupMembers.txt".
    1. $sgroup | sort displayname | foreach {Get-Group -Identity $_.WindowsEmailAddress | fl displayname,members} > SGroupMembers.txt


Note: Step 3 may fail if you are attempting to write to your C directory. You may need to change the directory to write to a temp folder. To change the directory, use this cmdlet. This will write the file to your C:\temp folder; if one does not exist, it will be created.

CD C:\temp


Then run step 3 again.


You can do the same with other recipient types such as room mailboxes, shared mailboxes, Universal Distribution Groups, and Universal Security Groups. All you need to do is change the -RecipientTypeDetails value and verify the parameters that you are looking for.
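
A consolidated version of the two procedures above, as an added example that is not from the original post: it builds one flat CSV of explicit mailbox and SendAs grants per shared mailbox and lists the members of any trustee that resolves as a group. It assumes an already connected Exchange Online PowerShell session; the use of Get-RecipientPermission, the $outFile path and the column names are choices made for this example.

```powershell
# Added example, not from the original post. Assumes a connected Exchange Online session.
$outFile = Join-Path $env:TEMP 'SharedMailboxAccess.csv'   # assumed output location

$mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Sort-Object DisplayName

$report = foreach ($mbx in $mailboxes) {
    # Mailbox-level rights (FullAccess and similar), explicit grants only
    $grants = @(Get-MailboxPermission -Identity $mbx.Alias |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object @{ n = 'Trustee'; e = { "$($_.User)" } },
                      @{ n = 'Rights';  e = { $_.AccessRights -join ';' } })

    # SendAs is stored separately and is read with Get-RecipientPermission
    $grants += @(Get-RecipientPermission -Identity $mbx.Alias |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        Select-Object @{ n = 'Trustee'; e = { "$($_.Trustee)" } },
                      @{ n = 'Rights';  e = { $_.AccessRights -join ';' } })

    foreach ($grant in $grants) {
        # A trustee that resolves as a group gets its members listed on the same row
        $group = Get-Group -Identity $grant.Trustee -ErrorAction SilentlyContinue
        # Multi-valued properties are joined so each CSV cell holds readable text
        [pscustomobject]@{
            Mailbox      = $mbx.DisplayName
            Trustee      = $grant.Trustee
            Rights       = $grant.Rights
            TrusteeType  = if ($group) { 'Group' } else { 'User or other' }
            GroupMembers = if ($group) { $group.Members -join ';' } else { '' }
        }
    }
}

$report | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Quick review: trustees holding rights on the most shared mailboxes first
$report | Group-Object Trustee | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```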


Good Luck!

Comments (9)
  1. Adam says:

    Hello 0-

    First, thanks for the script this is great, however exporting to CSV proves to be rather troublesome. We do not get the right info as per the text, just a bunch of #codes.

  2. turbomcp says:


  3. laala naresh says:

    Can I have the command to get all the users who have full and send as access to the shared mailbox?

  4. Yassine SOUABNI says:

    Hi laala naresh,

    Based on the script provided by 'Dom Picket MSFT', please find below
    the command to get all the users who have sendAs access to the shared mailbox.

    #List all shared mailboxes permissions
    $Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Select Identity,Alias,DisplayName | sort displayname
    $Mailboxes | sort displayname | % {
        Get-MailboxPermission -Identity $_.alias | select identity,user,accessrights |
        where {
            # Drop system accounts, unresolved SIDs and service-side entries
            ($_.User -notlike '*NT AUTHORITY*') -and
            ($_.User -notlike '*S-1-5-21-*') -and
            ($_.User -notlike '*JitUsers*') -and
            ($_.User -notlike '*PRDMGT01*') -and
            ($_.User -notlike '*EURPRD06*') -and
            ($_.User -notlike '*EURPR06A003*')
        }
    } | Out-GridView

    I hope this is helpful

  5. dup says:

    Can someone explain to me where he is using the $FormatEnumerationLimit variable? He has created it but I can't see where he uses it.

  6. You can just copy and paste it anywhere in your PowerShell window. I recommended doing it as step one. It only updates PowerShell so you can see the full output of your cmdlets.

  7. MSB365 says:

    Hi, Thanks a lot, it worked perfect for my need!!

  8. cnavillus says:

    It is awesome when you find exactly what you are looking for. Excellent post.

  9. Hi,

    I would like to share another way to get the information:

    #Get all SharedMailBox and list the user access rights and export to csv file
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:unlimited | Get-MailboxPermission | select identity,user,accessrights | where {($_.user -like '*@*')} | Export-Csv c:\temp\sharedmailboxlist.csv -NoTypeInformation -Encoding utf8

Comments are closed.
