How to get a list of Shared mailboxes and users with permissions to those mailboxes in Exchange Online?


Hello All,

This is a quick blog post to assist admins working with resource mailboxes. It was written specifically for Exchange Online; however, it should work for Exchange 2013 and Exchange 2010 as well. If you are trying to pull all the shared mailboxes in your organization and determine who has permissions to what, follow the cmdlets below and you will be able to export the data to a txt file to reference and review at your leisure.

 

    1. The first cmdlet will collect all the shared mailboxes and insert them into a variable.
      1. $Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Select Identity,Alias,DisplayName | sort displayname
    2. This step will take that variable of mailboxes, and for each one output the name of the mailbox, user with access and the access rights assigned, and write it to a txt file.
      1. $mailboxes | sort displayname | foreach {Get-MailboxPermission -Identity $_.alias | ft identity,user,accessrights} >SharedPermissions.txt

 

 

You may notice that you have nested Security groups with permissions to those shared mailboxes. To get the membership list of the nested SG's, the cmdlet will be similar with a few small changes:

  1. Change the enumeration limit to -1 so we can return the full output.
    1. $FormatEnumerationLimit =-1
  2. Get the full list of security groups and add it to a variable.
    1. $sgroup= Get-Group -RecipientTypeDetails MailUniversalSecurityGroup -resultsize unlimited
  3. Run a PowerShell cmdlet so that for each group we output the displayname and members to a text file named "SGroupMembers.txt".
    1. $sgroup | sort displayname | foreach {Get-Group -Identity $_.WindowsEmailAddress | fl displayname,members} > SGroupMembers.txt

 

Note: Step 3 may fail if you are attempting to write to your C:\ directory. You may need to change the directory to write to a temp folder. To change the directory, use the cmdlets below. The file will then be written to your C:\temp folder; if the folder does not exist, it will be created.

New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
CD C:\temp

 

Then run step 3 again.

 

You can do the same with other recipient types such as room mailboxes, shared mailboxes, Universal Distribution Groups, and Universal Security Groups. All you need to do is change the -RecipientTypeDetails value and verify the parameters that you are looking for.
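
The two procedures above can be combined into one access review per shared mailbox. The script below is an added example, not part of the original post: it also collects SendAs grants through Get-RecipientPermission, expands security-group trustees to their first-level members, and joins the multi-valued AccessRights into text so that Export-Csv produces readable rows. It assumes a connected Exchange Online PowerShell session; the output path, the helper name Get-TrusteeMembers and the column names are illustrative.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# $OutFile is a placeholder path; change it to a folder you can write to.
$OutFile    = 'C:\temp\SharedMailboxAccess.csv'
$groupCache = @{}   # trustee name -> member list, so each group is queried once

function Get-TrusteeMembers {   # hypothetical helper name
    param([string]$Trustee)
    if (-not $groupCache.ContainsKey($Trustee)) {
        # A user trustee is not a group: Get-Group finds nothing, the entry stays empty.
        $group = Get-Group -Identity $Trustee -ErrorAction SilentlyContinue
        $groupCache[$Trustee] = @(if ($group) {
            $group.Members | Where-Object { $_ } | ForEach-Object { "$_" }
        })
    }
    $groupCache[$Trustee]
}

$Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Sort-Object DisplayName

$rows = foreach ($mbx in $Mailboxes) {
    # Mailbox-level rights (FullAccess and so on): explicit allow entries only.
    # "-ne $true" also behaves correctly if the session returns booleans as text.
    $aces = @(Get-MailboxPermission -Identity $mbx.Alias |
        Where-Object { $_.IsInherited -ne $true -and $_.Deny -ne $true -and
                       $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object @{n='Trustee';e={"$($_.User)"}}, AccessRights)
    # SendAs is not in Get-MailboxPermission output; Exchange Online exposes it here.
    $aces += @(Get-RecipientPermission -Identity $mbx.Alias |
        Where-Object { $_.IsInherited -ne $true -and $_.AccessControlType -ne 'Deny' -and
                       $_.Trustee -notlike 'NT AUTHORITY\*' } |
        Select-Object @{n='Trustee';e={"$($_.Trustee)"}}, AccessRights)

    foreach ($ace in $aces) {
        # AccessRights is multi-valued; join it so the CSV holds text, not a type name.
        $rights  = @($ace.AccessRights | ForEach-Object { "$_" }) -join ';'
        $members = @(Get-TrusteeMembers $ace.Trustee)
        if ($members.Count -eq 0) { $members = @('') }   # direct grant to a user
        foreach ($m in $members) {
            [pscustomobject]@{
                Mailbox      = $mbx.DisplayName
                Trustee      = $ace.Trustee
                GroupMember  = $m        # first-level members only; empty for users
                AccessRights = $rights
            }
        }
    }
}
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Trustees that appear only as unresolved SIDs are left in the output on purpose, since they usually point at deleted accounts whose grants should be cleaned up.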

 

Good Luck!

Comments

  • Anonymous
    December 09, 2016
    Hello 0- First, thanks for the script this is great, however exporting to CSV proves to be rather troublesome. We do not get the right info as per the text, just a bunch of #codes.
  • Anonymous
    February 10, 2017
    Thanks
  • Anonymous
    February 13, 2017
    Can I have the command to get all the users who have full and send as access to the shared mailbox?
  • Anonymous
    February 21, 2017
    Hi laala naresh, based on the script provided by 'Dom Picket MSFT', please find below the command to get all the users who have sendAs access to the shared mailbox.
    #List all shared mailboxes permissions
    $Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Select Identity,Alias,DisplayName | sort displayname
    $Mailboxes | sort displayname | % { Get-MailboxPermission -Identity $_.alias | select identity,user,accessrights | where { ($_.User -notlike '*NT AUTHORITY*') -and ($_.User -notlike '*S-1-5-21-*') -and ($_.User -notlike '*JitUsers*') -and ($_.User -notlike '*NT AUTHORITY*') -and ($_.User -notlike '*PRDMGT01*') -and ($_.User -notlike '*EURPRD06*') -and ($_.User -notlike '*EURPR06A003*') } } | Out-GridView
    I hope this is helpful. Thanks.
  • Anonymous
    March 13, 2017
    Can someone explain to me where he is using the $FormatEnumerationLimit variable? He has created it but I can't see where he uses it.
  • Anonymous
    March 13, 2017
    You can just copy and paste it anywhere in your powershell window. I recommended doing it as step one. It only updates powershell so you can see the full output of your cmdlets.
  • Anonymous
    September 15, 2017
    Hi, thanks a lot, it worked perfectly for my need!! Cheers
  • Anonymous
    October 09, 2018
    It is awesome when you find exactly what you are looking for. Excellent post.
  • Anonymous
    December 05, 2018
    Hi, I would like to share another way to get the information:
    #Get all SharedMailBox and list the user access rights and export to csv file
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:unlimited | Get-MailboxPermission | select identity,user,accessrights | where {($_.user -like '*@*')} | Export-Csv c:\temp\sharedmailboxlist.csv -NoTypeInformation -Encoding utf8