Managing permissions in Exchange Online is a routine but critical task for Microsoft 365 admins. While the Exchange Admin Center (EAC) allows you to review access on a per-mailbox basis, it quickly becomes inefficient when you need to answer questions like:
- Who has access to a specific shared mailbox?
- Which shared mailboxes does a particular user have access to?
The first question can be solved easily in the GUI, but the second one requires a much more time-consuming, manual process. This is where PowerShell comes to the rescue.
The Script
I’ve put together a PowerShell script that covers both scenarios:
- Mailbox mode – Enter a shared mailbox and list users with Full Access, Send As, or Send on Behalf permissions.
- User mode – Enter a user’s email address and return all shared mailboxes where the user has been granted these permissions.
The script connects to Exchange Online and uses Get-Mailbox, Get-MailboxPermission, and Get-RecipientPermission to gather the data. It also checks the GrantSendOnBehalfTo property for delegated send-on-behalf rights.
It outputs the results in a simple table, sorted for readability.
Example Usage
- Check who has access to a shared mailbox
|
1 |
./Exchange-Check-Mailbox-Permissions.ps1 -Mode "User" -Identity "user@contoso.com" |
This will return all users with Full Access, Send As, or Send on Behalf permissions for shared@contoso.com.
- Check which mailboxes a user can access
|
1 |
./Exchange-Check-Mailbox-Permissions.ps1 -Mode "User" -Identity "user@contoso.com" |
This will list all shared mailboxes where user@contoso.com has Full Access, Send As, or Send on Behalf rights.
This scenario is especially useful when other departments ask IT:
“Can you tell me which mailboxes this user has access to?”
Instead of clicking through dozens of mailboxes, this script gives you the answer in a single run.
Notes on Performance
Keep in mind that in environments with a large number of shared mailboxes, the User mode may take several minutes to complete. The script has to iterate through every shared mailbox in the tenant to verify if the specified user has permissions.
Why It’s Useful
- Save time compared to manual checks in the Exchange Admin Center
- Get a complete picture of mailbox access across your tenant
- Useful for audits and security reviews
- Helpful when troubleshooting issues with delegated access
- Provides a solid base for automation – for example, you can easily extend it to generate a daily permission report across all shared mailboxes. I’ll cover how to build such a scheduled report in one of my upcoming blog posts.
This script has already saved me countless hours when dealing with shared mailbox access requests. If you frequently get asked either “who has access” or “which mailboxes this user can access”, this tool will quickly become one of your go-to PowerShell snippets and a starting point for more advanced reporting.
Script Source
The complete script is available on the Azure365Addict GitHub.
Feel free to download, customize it to your specific needs, and improve your mailbox management processes.
If you have any questions or need further assistance, feel free to reach out!
Happy scripting!
