Office

Retrieve user friendly list of users who have full access to a particular mailbox in Office365

By on Thursday, August 16, 2012

We had a request to provide a list of users who have Full access to a mailbox in Office 365. The get-mailboxpermission is pretty straightforward, but the results show the Windows username as opposed to the descriptive name for the user. The following script should provide the information needed. Note that the first 3 lines connect to Microsoft Online (you will be prompted for username and password) – the last two are the magic ones. Replace “User name” with the users first and last name ie “Andy Helsby” in my case

$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

$userlist = Get-Mailbox "user name" | Get-MailboxPermission | Where-Object { ($_.AccessRights -eq "Fullaccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "*nt authorityself*") }
$userlist | foreach {get-mailbox $_.user}

If I can work it out, I’ll update the script later to provide a report for all mailboxes – in the meantime this works for 1 mailbox at a time.

Funnily enough, this report didn’t actually help the reason we were asked for the report – that was because the user had issues connecting to someone else’s mailbox. It turns out that the Microsoft Online password had been changed and outlook was using the cached credentials. By removing the stored passwords in the control panel, Outlook prompted for the password and everything started working.

4
Related Posts

Comments

  1. Vandrey Trindade

    Hi,

    I found this post on Google… Got a solution to make it work for all users:

    First:

    $userlist = Get-Mailbox

    Second:

    foreach ($user in $userlist.name){Get-MailboxPermission $user | Where-Object { ($_.AccessRights -eq “Fullaccess”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “*nt authorityself*”)} | Export-Csv C:\FullAccess.csv -NoTypeInformation -Encoding UTF8 -Append}

    Then it’ll save, in a CSV file, the accounts that have another users with full access permission. Hope you like it. Enjoy!

  2. Post
    Author
    Andy

    Thanks Vandry – when I was doing this, I wasn’t up to speed with looping through collections. It still confuses me sometimes but that was the basic trick.

  3. Vandrey Trindade

    No problem Andy.

    The only thing that I wanted now is to show the DisplayName of the user who has “Full Access” to the account.
    The LAMPRD80\user176485950-4847363-40404 stuff is not pretty =p

  4. Post
    Author
    Andy

    Yes – in my case with only a few users it was easy enough to work out. Interestingly, my original issue can be made to work for all mailboxes by splitting the lines –

    $userlist = Get-Mailbox
    $userlist | Get-MailboxPermission | Where-Object { ($_.AccessRights -eq “Fullaccess”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “*nt authorityself*”) }
    $userlist | foreach {get-mailbox $_.user}

    I also keep the first 3 lines as start-office365managment.ps1 Now anytime I need to do office365 work, i just do a ./start and hit tab 😉
    $LiveCred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.