How to Use Get-RecipientPermission in PowerShell
Managing permissions in Exchange Online is essential for maintaining security and ensuring proper access control across mailboxes. One key task for administrators is verifying who can send emails on behalf of another user or shared mailbox.
The Get-RecipientPermission cmdlet in PowerShell makes this task straightforward by allowing admins to view "Send As" permissions, and today, we’ll learn how to use it!
What is the Get-RecipientPermission Cmdlet?
The Get-RecipientPermission cmdlet in Exchange Online is used to check who has "Send As" permissions on a mailbox, group or other recipient. With these permissions, users can send emails that appear to come from that person or mailbox instead of their own.
This cmdlet is primarily for administrators managing permissions across user accounts, though it's recommended to use Get-EXORecipientPermission instead since it’s the newer version.
Here’s the syntax (and meaning) of Get-RecipientPermission in PowerShell:
- Identity: Specifies the recipient (like a mailbox or group) whose permissions you want to view.
- AccessRights: Filters results by specific permission type; the only valid option here is "SendAs."
- ReadFromDomainController: Ensures data is retrieved directly from the domain controller in the user's domain, useful for the most up-to-date information.
- ResultSize: Limits the number of results returned; set to "Unlimited" if you want to see all matching results.
- Trustee: Filters results by specifying the user or group who has the "Send As" permission on the recipient.
- CommonParameters: Standard parameters for most PowerShell cmdlets like -Verbose, -ErrorAction, and -OutVariable, to control output and error handling behavior.
Get-RecipientPermission vs. Add-RecipientPermission
Before proceeding, let’s clarify the difference between two similar PowerShell commands. The Get-RecipientPermission and Add-RecipientPermission cmdlets in Exchange Online serve different roles:
- Get-RecipientPermission lets you view existing "Send As" permissions for a specific recipient, showing who can send emails as that user or mailbox.
- Add-RecipientPermission is used to grant "Send As" permissions to a specified user or group, allowing them to send emails that appear to come from the recipient.
In summary, Get-RecipientPermission is for checking or auditing permissions, while Add-RecipientPermission is for assigning new permissions.
What Can You Use Get-RecipientPermission For?
There are a few great use cases for the Get-RecipientPermission command in PowerShell:
- Auditing Send As Permissions: Admins can check which users or groups have "Send As" permissions on executive or sensitive mailboxes to ensure only authorized users can send emails on behalf of key personnel.
- Troubleshooting Permission Issues: Admins can verify whether a user lacks "Send As" permissions on a shared mailbox when that user reports being unable to send messages as that mailbox, helping diagnose access problems.
- Reviewing Delegated Access: You can regularly monitor permissions on shared mailboxes (like help desks or department mailboxes) to keep track of users who can send emails as those accounts, ensuring permissions stay up to date with staffing changes.
Requisites to Run Get-RecipientPermission in PowerShell
To use the Get-RecipientPermission cmdlet in Exchange Online, you will need:
- Exchange Online Permissions: Specific admin permissions in Exchange Online, normally through roles like Mail Recipients or Recipient Permissions, as only authorized admins can manage or view permissions.
- Exchange Online PowerShell Access: You need to be connected to Exchange Online PowerShell to run this cmdlet, ideally through the modern Connect-ExchangeOnline cmdlet.
- Assigned Role in Role-Based Access Control (RBAC): Access to this cmdlet depends on the RBAC role assignments in your organization; without the right role, you won't be able to execute it.
How to Use Get-RecipientPermission in PowerShell in Just 4 Steps
Now, let’s follow 4 simple steps to use Get-RecipientPermission right away.
Step 1: Open PowerShell and Connect to Exchange Online
Before you can use Get-RecipientPermission, you need to connect to Exchange Online PowerShell. Open PowerShell on your computer, and in the PowerShell window, run the following command to connect to Exchange Online:
Replace admin@meetingroom365.com with the email address of an Exchange Online admin account in your organization. You’ll be prompted to enter your credentials if you’re not already signed in.
Step 2: Checking Who Has Send As Permissions on a User’s Mailbox (Running the Command)
Once connected, you can start by viewing who has "Send As" permissions on a specific user’s mailbox. For this, we’ll use the Get-RecipientPermission cmdlet.
For example, to find out who has permission to send emails as James Smith, you would use:
This will list every user or group with "Send As" rights on James’s mailbox. These permissions allow anyone listed to send emails that appear to come directly from James's email address, rather than their own.
Step 3: Filtering Results by a Specific Trustee
You might also want to check whether a specific person has "Send As" permissions for a mailbox. For instance, you could look up whether Simon John has permission to send emails as James Smith.
To do this, we’ll run the command with the -Trustee parameter to specify the individual you're verifying:
This command narrows down the results to only include entries where Simon John is explicitly granted Send As permissions on James’s mailbox.
Step 4: Checking Permissions Using an Email Address
Instead of using the user’s display name, you can also use the email address to identify the recipient. To check who has "Send As" permissions on a shared mailbox, you can specify the mailbox’s email address like this:
This command shows which users have "Send As" permissions on the shared support@meetingroom365.com mailbox, meaning they can send messages that look like they’re from the support team.
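The commands described in Steps 1 to 4, followed by a review of every shared mailbox (the "Reviewing Delegated Access" use case from earlier), as an added example that is not the article's own code. It assumes the ExchangeOnlineManagement module is installed; the names and addresses are the article's sample values, and SendAsAudit.csv is a hypothetical output path.

```powershell
# Added example, not from the original article.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds a role that can read recipient permissions.

# Step 1: connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@meetingroom365.com

# Step 2: everyone with Send As rights on James Smith's mailbox
Get-RecipientPermission -Identity "James Smith"

# Step 3: only entries where Simon John is the trustee
Get-RecipientPermission -Identity "James Smith" -Trustee "Simon John"

# Step 4: identify the recipient by email address instead of display name
Get-RecipientPermission -Identity support@meetingroom365.com

# Going beyond the four steps: collect Send As grants on all shared mailboxes
$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    Get-RecipientPermission -Identity $mbx.PrimarySmtpAddress -ResultSize Unlimited |
        Where-Object {
            # Skip the mailbox's own built-in entry and keep only Allow grants
            $_.Trustee -ne 'NT AUTHORITY\SELF' -and
            $_.AccessControlType -eq 'Allow'
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Trustee,
                      AccessControlType,
                      @{ n = 'AccessRights'; e = { $_.AccessRights -join ',' } }
}

# Review on screen, then keep a dated copy to compare against the next run
$report | Sort-Object Mailbox, Trustee | Format-Table -AutoSize
$report | Export-Csv -Path .\SendAsAudit.csv -NoTypeInformation   # hypothetical path

# Close the session when finished
Disconnect-ExchangeOnline -Confirm:$false
```

Comparing the CSV from one run with the previous one shows which trustees were added or removed between reviews.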
Fixing Get-RecipientPermission Not Working
In case Get-RecipientPermission is not working for you, try the following troubleshooting steps:
1. Error: "The term 'Get-RecipientPermission' is not recognized"
Solution: Ensure you are connected to Exchange Online PowerShell. Run Connect-ExchangeOnline -UserPrincipalName youradmin@yourdomain.com to establish a session before running the cmdlet.
2. Error: "The specified identity does not exist"
Solution: Double-check the identity you’re using. Ensure that the user or mailbox name is correct, and if using an email address, make sure it is properly formatted (e.g., support@meetingroom365.com).
3. Error: "Access Denied"
Solution: Verify that you have the necessary admin permissions to run the cmdlet. You might need to be assigned the appropriate role (such as Recipient Management or Mail Recipients) to view permissions on mailboxes.
Using this command effectively allows administrators to ensure proper access control and maintain security across mailboxes.
Regularly checking these permissions helps prevent unauthorized use and keeps your organization’s email system secure, and now you have all the knowledge you need to start using Get-RecipientPermission in PowerShell!