How to Get-MailboxPermission in Powershell
One of the most challenging things to do in an Exchange Online Server is to keep control of assigned permissions to users within an organization.
There can be thousands of users, and managing this data can turn into a daunting task that not even the most prepared administrator is mentally prepared to manage.
The best way to manage, view, and check all granted permissions in mailboxes is by using the Get-MailboxPermission Powershell cmdlet.
In this blog post, we will learn how to Get-MailboxPermission in PowerShell, so we can successfully identify the current mailbox permissions in Exchange Online environments.
What is Get-MailboxPermission in PowerShell?
Get-Mailbox Permissions is a Powershell cmdlet available in the cloud-based service and the on-premises Exchange environments.
This command can be used to retrieve permissions on a mailbox, whether we talk about a single mailbox, room mailbox, or shared mailbox.
By using the Get-Mailbox Permission cmdlet, it’s possible to create a more organized environment, as administrators are able to control existing user permissions.
However, it is worth noting that the Get-Mailbox Permission command cannot change existing permissions - it only works to see them.
The following permissions are the most basic access types to user mailboxes:
- Read and Manage Permissions: Allows the user to read and manage email items within a mailbox;
- Send on Behalf Permissions: Also known as “Send Email on Behalf,” the Send on Behalf Permission, enables a group or single users to send, manage, and read emails on another inbox. However, if they decide to send an email from that mailbox, their display name or username will appear instead of the default name of the original sender (user principal name);
- Inbox Folder Permissions: Inbox Folder Permission refers to granting full permissions for tasks such as reading, modifying, deleting, and organizing emails within a certain mailbox;
- Send As Permissions: The Send As Permission allows users to send emails as if they were sent directly via an inbox that doesn't belong to them. In this case, other users can directly delegate various inboxes, and the recipient will not know that somebody else is managing these inboxes;
- Calendar Folder Permission: Calendar Folder Permissions enable users to access, modify, and manage actions related to the calendar events stored within that mailbox.
This is how the syntax of the Get-MailboxPermission PowerShell script looks like:
Get-MailboxPermission [-Identity] <MailboxIdParameter> [-User <SecurityPrincipalIdParameter>] [-SoftDeletedMailbox] [-Credential <PSCredential>] [-DomainController <Fqdn>] [-GroupMailbox] [-IncludeSoftDeletedUserPermissions] [-IncludeUnresolvedPermissions] [-ReadFromDomainController] [-ResultSize <Unlimited>] [-UseCustomRouting] [<CommonParameters>] |
Each one of these switches and parameters has a meaning that modifies the final output of the Get-MailboxPermission cmdlet.
This is what the most important parameters mean in this command:
- Identity: The Identity Parameter is used to identify the mailbox that needs to be edited. Identity uniquely identifies mailboxes by using the name, username, alias, distinguished name, email address, or other parameters that can be attributed to the mailbox;
- User: The User Parameter to the security principal of a mailbox. This includes user, security group, and group members of an Exchange management role group;
- SoftDeletedMailbox: This parameter is added to specify whether it’s necessary to retrieve permissions from a soft-deleted mailbox within the environment or not;
- Credential: The get Credential switch provides the credentials for authenticating the command, which allows you to run the Get-MailboxPermission cmdlet from another mailbox;
- DomainController: DomainController specifies the fully qualified domain name (FQDN) of the domain controller in case it’s necessary to target a specific FQDN;
- GroupMailbox: GroupMailbox tells the cmdlet that the target is a group mailbox and not an individual mailbox;
- ReadFromDomainController: This command forces the cmdlet to read data from a domain controller instead of reading cached data files;
- ResultSize Unlimited: In Get-Mailbox, ResultSize Unlimited refers to the specific number of results returned in the output;
- UseCustomRouting: This parameter tells the cmdlet to use custom routing whenever someone sends emails to the mailbox;
- CommonParemeters: Finally, CommonParameters represent common parameters that can be used alongside the Get-MailboxPermission command to improve its results or to get different outcomes after running it.
List of Mailbox Permissions Assigned in Exchange Online
Although the Get-MailboxPermission PowerShell command works to see and review permissions, it can be used as a starting point to modify these permissions later on.
However, before making any changes to a mailbox, it is important to understand what are the permissions that exist within Exchange environments:
Permission Type | Description | Assigned To |
Full Access Permission | With Full Access Permissions, users have full access to the user mailbox. | NT Authority/SELF |
Read Permission | Users have read permission to their own mailbox. In some cases, the Read Permission can apply to Networks and Exchange Server Trusted Subsystem. | NT Authority/SELF |
Change Owner | ChangeOwner Permissions allow a specific user (it can be more than one user) to change the owner on other users' mailboxes. | Administrator, Domain Admins, Enterprise Admins, and Organization Management. |
Change Permissions | ChangeOwner Permissions allow a specific user (it can be more than one user) to change the permissions on other users' mailboxes. | Administrator, Domain Admins, Enterprise Admins, and Organization Management. |
DeleteItem | Delete Item Mailbox Permission allows users to delete items from other mailboxes. | Administrator, Domain Admins, Enterprise Admins, and Organization Management. |
Benefits of Using Get-MailboxPermission PowerShell Command
Exchange managers and administrators can take advantage of the many benefits provided by the Get-MailboxPermission command.
Among the main benefits directly provided by this cmdlet, we have the following:
- Check out explicitly assigned permissions to mailboxes to modify them later;
- Manage permission requests by checking all the users who should have managing permissions, such as Change Owner and Change Permission roles;
- Troubleshoot errors, as it can show the permissions assigned to individual and shared mailboxes to identify why a certain user cannot access or manage the mailbox folder;
- Optimize resource allocation by identifying potential conflicts with permissions, which helps the team save a lot of time by having the correct permissions beforehand;
- Advanced PowerShell users can generate a mailbox permissions report that can be exported as a CSV file for further analysis.
Requirements to Run Get-Mailbox Permissions in PowerShell
To run cmdlets in PowerShell, it is necessary to have a manager or admin account within your organization.
Otherwise, the commands will not run as expected, which will prevent you from using Get-MailboxPermissions efficiently. This is how you can check the requirements to run this command:
- Connect to Exchange Online PowerShell, log into your Microsoft Office account, and open the Command window;
- Then, run the following command on PowerShell: $Perms = Get-ManagementRole -Cmdlet <Cmdlet>. Don’t forget to replace cmdlet with “Get-MailboxPermission,” as we are trying to take a look into the requirements to run this command;
- Check out the output of the command to see what roles, permissions, and account types are allowed to run the Get-MailboxPermission command within your organization. If you need further permissions, ask your organization manager for more help.
How to Use Get-MailboxPermission in PowerShell
Now, we are going to use the Get-MailboxPermission command in PowerShell.
Make sure that you have all the required permissions to run the command, and then follow these three simple steps.
Step 1: Access the Exchange Online PowerShell Module
First, it’s necessary to access the Exchange Online PowerShell Module. To connect to it, open it on your computer and run the following command:
Connect-ExchangeOnline -UserPrincipalName admin@mail.com |
Now, you will be asked to log into your Microsoft Office account using your credentials.
Finish the logging process, and continue with the next step.
Step 2: Run the Get-MailboxPermission Command
You can see the existing permissions by running the Get-MailboxPermission command natively. To do this, let’s take a look at the following example:
Get-MailboxPermission -Identity james@meetingroom365.com | Format-List |
This example returns the existing permission in James’s mailbox in the form of a format list.
Likewise, it is possible to see what users have permissions over certain mailboxes like this:
Get-MailboxPermission -Identity james@meetingroom365.com -User "Simon" |
In this case, the cmdlet output will result in a visual representation of the permissions that the user Simon has over James’s mailbox.
Additionally, you can see what users have certain roles in specific rooms like this:
Get-MailboxPermission -Identity Room 117 -Owner |
This command will show you a list of users (or user) who have owner permissions over the resource mailbox Room 117.
Step 3: Make Changes to Permissions with Other PowerShell Commands
The Get-MailboxPermission cmdlet only works to see current permissions, but you cannot modify or remove them.
This means that in order to make changes to these permissions, you need to run either of the following commands:
- Add-MailboxFolderPermission - this cmdlet works to add permissions to mailbox folders;
- Set-MailboxFolderPermission - this cmdlet allows you to modify permissions that have already been added to mailboxes.
Therefore, using the Get-MailboxPermission command works as a way to see the permissions, not to modify them.
Summary: How to Get-MailPermission in PowerShell Online Exchange Server
To summarize, the Get-MailPermission cmdlet is a great tool for seeing existing permissions, which is a necessary previous step to making changes to mailboxes. Before using this command, consider the following factors:
- To run the Get-MailboxPermission cmdlet, you need admin roles that are granted by your organization manager;
- The Get-MailboxPermission can be modified to retrieve the permission information of individual or multiple users, mailboxes, or rooms;
- Keep in mind that the Get-MailboxPermission command does not work to make changes - if you want to alter mailbox permissions, it will be necessary to use the Set or Add-MailboxPermission command for such purposes.
FAQ
Why is the Get-MailboxPermission Cmdlet Not Working?
If the Get-MailboxPermission cmdlet is not working on your end, check that you have enough permissions or correct roles to run it. Otherwise, check the syntax of the command before running it, and contact your organization manager for further assistance.