Full Access Mailbox permission – Everything You Always Wanted to Know About But Were Afraid to Ask part 3/3

When we use the basic PowerShell command for displaying mailbox permission in Office 365 (Exchange Online) environment, we deal with issues:

1. Non relevant information
   The result that will be displayed will include additional details about the permission that the specific user has on his mail box and additional information about built-in system group that have a permission on each of the user mailboxes.
2. The user name format
   When we display information about a mailbox permission, the information about the user name is displayed by using the AD user name. In Office 365 (Exchange Online) environment, the user display name is different from the standard user display name or the mailbox alias. The result is sometimes hard to read or understand because it’s not so easy to understand the “strange AD user names” verses the convention that we know such as referencing a user by his display name or alias names.

Using the default display for displaying mailbox permissions

The PowerShell cmdlets that we use for displaying mailbox permissions is:
Get-MailboxPermission

For example: to display the Full Access mailbox permission that users (or a group) have in John Mailbox, we can use the PowerShell command:

Get-MailboxPermission John

The output is displayed in the following screenshot.

Technically, we got the required results, but if we look deeper in the result that are displayed don the PowerShell console, we could recognize some “issues”:

 The user column

Under the header named User, we can see information about many “objects” such as a built-in system group that have Full Access permission to John mailbox and other users. The information about the “objects” that have mailbox permissions is not very clear because of three reasons:

• The user column is not wide enough and for this reason a large portion of the user name is “wiped out”
• The information on the object that have mailbox permission include much non-relevant information about built-in system group, information about the pension that the user has on his mailbox, etc.
• The user’s name who has mailbox permission displayed by using the Active Directory user name. In Office 365 environment the Active Directory user name is different for the standard user alias or display name.
• The prefix for the user name is the server name ( a non-useful information )

Additionally, the default display includes a column such as: as: IsInherited and Deny (number 2). Most of the time this information is also non- relevant.

Optimize the results of the Displayed Mailbox permissions

Step 1 – clear unnecessary column

In the first step, we will remove non-relevant column by using the FL (file list) parameter. The FL option enables us to specify the exact column (by specifying the column header name). In our example, we would like to display only the following columns: Identity, user, AccessRights

Get-MailboxPermission John |FT Identity,user,AccessRights

In the screenshot we can see that now the “user” column displayed more clearly, but we still have some issues: there is a lot of non-relevant information such as the information about the built-in systems groups that have Full Access permission son John’s mailbox and additionally, the information about the user who have Full Access permission such as: the admin account are displayed by using the Active directory user name that includes a combination of the user name and numbers.

Step 2 – clear unnecessary information about built-in groups and SELF

To be able to display only the “explicitly assigned permissions” to a mailbox, we will need to filter out or remove non- relevant data.
The first detail that we want to remove is the “SELF” permission that each user has on his mailbox. The second type of permissions that we want to remove from the displayed result described as: “IsInherited “permissions.

To clear out the non-necessary information, we will use a logic condition (by using the PowerShell command – Where) the exclude out full mailbox permission that classified as: NT AUTHORITY\SELF and IsInherited

Get-MailboxPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } |FL Identity, user, AccessRights

In the following screenshot, we can see that we successfully manage to exclude or clear out most of the non-relevant information. We can clearly see now that two users have Full Access mailbox permission to John’s mailbox.

Step 3 – Using calculated properties

In the next step, we will complete the required task. Our mission now is to enable more readable user name in the User column.
We will replace the Active Directory user name convention by using the property: “name”.
Additionally, we will change the column header name from the existing name: User to the friendlier column header.

For this purpose, we will create a new column header named: “Users who have Full Access.” The content of the new column will include the user name that has Full Access mailbox permissions to John’s mailbox but, instead the standard user name conventions, we “pull out” the “name” property (or identifier) for each of the users who have permissions.

Get-MailboxPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like “NT AUTHORITY\SELF”) } |FT  Identity,  @{name=" Users that have Full Access ";expression={(Get-User $_.User).Name}},AccessRights

In the following screenshot, we can see the results.

The output that displayed in the PowerShell console is more understandable. We can see that the output includes a “new column header” named: Users who have Full Access and we can see the user name that has mailbox permission to John’s mailbox.

But there is still additional improvement that we can use. In the screenshot, we can see that there is a “large space” between the columns. In case that the PowerShell screen is not wide enough we could “lose” some information. So is there any option to reduce the space between the columns? And the answer is: “Yes” (go to the next step)

Step 4 – Using AutoSize option

In this step, we will use the AutoSize parameter for diminishing the space between the result columns.

Get-MailboxPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like “NT AUTHORITY\SELF”) } |FT  Identity,@{name="Users that have Full Access";expression={(Get-User $_.User).Name}},AccessRights -AutoSize

In the following screenshot, we can see the results.

Step 5 – Filter out only Full Access mailbox permissions

As mentioned before, the term “Mailbox permissions” include a variety of different types of permissions. The most common person is Full Access but sometimes there is an implementation of a different kind of mailbox permissions.

When we use the PowerShell cmdlets: Get-MailboxPermission , the results will include all the available mailbox permissions that users have for the mailbox.

In case that we want display only Full Access mailbox permission, we can filter out the results by using the Where parameter

($_.AccessRights -like “*FullAccess*”)

Get-MailboxPermission John  | Where { ($_.AccessRights -like “*FullAccess*”) -and ($_.IsInherited -eq $False) -and -not ($_.User -like “NT AUTHORITY\SELF”) } |Select Identity,  @{name="User";expression={(Get-User $_.User).Name}},AccessRights

Additional scenarios for displaying mailbox permissions

In the former section, we review a scenario in which we would like to get information about a mailbox permission that other users have on a specific user. In the following section, we will review additional scenarios that relate to the task of displaying mailbox permissions.

Display list of mailboxes that a user has Full Access permissions.

In the former section, we review a scenario in which we would like to get information about a mailbox permission that other users have on a specific user.

In the following scenario, we would like to get information about a permission that a specific user has on other or additional mailboxes.

For example: we would like to get information about the mailboxes that the user administrator has Full Access mailbox permission.

To accomplish this task, in the first part of the PowerShell, we use the command

Get-Mailbox for getting all lists of all the existing mailboxes. In the second part, we use the command: Get-MailboxPermission and add the user name. The PowerShell command will review all the arrays of mailboxes, check on which mailboxes the admin user has mailbox permission and displays the results. The rest of the PowerShell command is used for improving the results that will be displayed by the

Get-MailboxPermission command.

Get-Mailbox | Get-MailboxPermission  -User "Admin" |Select Identity,@{name="User";expression={(Get-User $_.User).Name}},AccessRights

Display a list of recipient’s that have Full Access permission on other recipient’s

In the following scenario, we will like to get a list of all the users who other user has a mailbox permission to their mailbox.

$a = Get-Mailbox 
$a |Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like “NT AUTHORITY\SELF”) -and -not ($_.User -like '*Discovery Management*') } |Select Identity,@{name="User";expression={(Get-User $_.User).Name}},AccessRights

Display permission for more the one mailbox

The task: we would like to get information about a user who has mailbox permissions to more than one user. In our example, we would like to know who have mailbox permission to the John + Alice’s mailbox. We can add each of the user names separated by a comma.

"John," “Alice" | ForEach {Get-MailboxPermission -Identity $_}

To improve the look of the displayed result we will enhance the basic PowerShell command for removing non relevant information.

"John”, “Alice" | ForEach { Get-MailboxPermission -Identity $_ |  Where { ($_.IsInherited -eq $False) -and -not ($_.User -like “NT AUTHORITY\SELF”) -and -not ($_.User -like '*Discovery Management*') } }  |Select Identity,@{name="User";expression={(Get-User $_.User).Name}},AccessRights

In the last section we will review the way that we have for removing mailbox permissions. The PowerShell command that we use for removing or revoking mailbox permissions is:
Remove-MailboxPermission.

Remove Mailbox permissions scenarios.

Scenario 1 – Remove mailbox permission form a user mailbox

Let’s start with a basic example: we want to remove the Full Access mailbox permissions that Alice have on John mailbox

Remove-MailboxPermission John -User Suzan -AccessRights FullAccess

By default, the PowerShell cmdlets for removing mailbox permission will display a warning message: “Are you sure you want to perform this action?”

In case that we are running a script that creates a bulk task such as removing a mailbox permission that many users have on a specific mailbox the “conformation process” could be quite Exhausting.

To be able to avoid fr0m the confirmation process, we can add the parameter: Confirm:$False

Remove-MailboxPermission John -User Suzan -AccessRights FullAccess -Confirm:$False

Scenario 2 – Remove mailbox permission from a collection of mailboxes

This scenario could be used when a specific user such as help desk team member or administrator has a Full Access mailbox permission to many mailboxes.
In case that we want to remove the mailbox permission that user has we will need first to get a list of all the existing mailboxes. Then we will need to check the specific user have a Full Access mailbox permission on the mailbox, and the last step will be – remove these permissions.

$Mailboxes = Get-Mailbox 

ForEach ($member in $Mailboxes)
{
Remove-MailboxPermission $member.name -AccessRights FullAccess 
-user Admin 
}

The command that we use based on the variable that we named: $Mailboxes. The variable value includes a list of all the existing mailbox type such as: user mailbox, room mailbox and so on.

In case that we need to remove the Full mailbox permission form a specific mailbox type, we can add the filter option to the variable.

Scenario 3: Remove Full Access permissions only form user mailboxes (Filter user mailboxes)

$Mailboxes = Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') 

ForEach ($member in $Mailboxes)
{
Remove-MailboxPermission $member.name -AccessRights FullAccess -user Admin 
}

Scenario 4: Remove Full Access permissions only form Room mailboxes (Filter Room mailboxes)

$Mailboxes  = Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'RoomMailbox') 

ForEach  ($member in $Mailboxes  )
{
Remove-MailboxPermission $member.name -AccessRights FullAccess -user Admin 
}