Mailbox permissions are typically translated to O365 during properly batched hybrid MRS moves; however, there are still many scenarios where permissions must be audited on-premises and re-applied after migration. One example is when using third-party migration tools.
2/10/2017 – Script has been updated to include new features based on feedback.
The download package and documentation are available from Microsoft Script Center.
Export-MailboxPermissions.ps1 should be run from the on-premises Exchange Management Shell (EMS) and will collect mailbox access, send as, send on behalf, and folder delegate permissions into separate CSV datasets. Retrieval of each permission type can be toggled “$true” or “$false” in the script depending on requirements. Note that retrieving folder delegates can add considerable time to script processing; therefore, evaluating only common folders (Inbox, Calendar) is toggled “$true” by default. Specifying a list of users (rather than running against the entire Org) can also be toggled “$true” or “$false”; however, a PrimarySmtpAddress column must be present in the file. Since mailbox permissions in O365 can only be assigned using mail-enabled objects, the script won’t export delegates which are not mail-enabled on-premises (e.g. security groups) and will write warnings to an error log file for review. If groups are used to assign permissions, the option to expand memberships and apply explicit user access can also be toggled “$true”.
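The sketch below is an added example, not code from Export-MailboxPermissions.ps1. It shows one way the mailbox access portion of such an export can work: read a user list with a PrimarySmtpAddress column, keep only explicit allow entries, and log delegates that are not mail-enabled instead of exporting them. The file names and output column names are assumptions.

```powershell
# Added illustration; not taken from Export-MailboxPermissions.ps1.
# Run from the on-premises Exchange Management Shell.
# File names and output column names are assumptions.
$UserListPath = '.\Users.csv'                  # must contain a PrimarySmtpAddress column
$OutputPath   = '.\MailboxAccess.csv'
$ErrorLogPath = '.\MailboxAccess-Errors.log'

$users = @(Import-Csv -Path $UserListPath)
$first = $users | Select-Object -First 1
if (-not $first -or -not $first.PSObject.Properties['PrimarySmtpAddress']) {
    throw "User list '$UserListPath' is empty or has no PrimarySmtpAddress column."
}

$results = foreach ($user in $users) {
    $mailbox = $user.PrimarySmtpAddress

    # Keep explicit allow entries only: skip inherited ACEs, deny entries
    # and built-in principals such as NT AUTHORITY\SELF.
    $aces = Get-MailboxPermission -Identity $mailbox |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.User -notlike 'NT AUTHORITY\*' }

    foreach ($ace in $aces) {
        # Get-Recipient only resolves mail-enabled objects. Plain security
        # groups, non-mail users and orphaned SIDs return nothing.
        $delegate = Get-Recipient -Identity $ace.User.ToString() -ErrorAction SilentlyContinue
        if (-not $delegate) {
            "$(Get-Date -Format s) WARNING: '$($ace.User)' on $mailbox is not mail-enabled; not exported" |
                Add-Content -Path $ErrorLogPath
            continue
        }

        New-Object PSObject -Property @{
            Mailbox      = $mailbox
            Delegate     = $delegate.PrimarySmtpAddress
            DelegateType = $delegate.RecipientTypeDetails
            AccessRights = ($ace.AccessRights -join ';')
        } | Select-Object Mailbox, Delegate, DelegateType, AccessRights
    }
}

$results | Export-Csv -Path $OutputPath -NoTypeInformation
```

Reviewing the resulting CSV and the error log before any import gives a point-in-time record of who holds access to which mailbox, and shows which on-premises grants will not carry over.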
Import-MailboxPermissions.ps1 should be run from O365 remote PowerShell after mailboxes have been provisioned/migrated and will re-apply permissions according to collected on-premises datasets. Import of each export file can be toggled “$true” or “$false” in the script and re-applied separately if needed.