Grant Delegate Permissions to Other Microsoft 365 Mailboxes Using PowerShell
Microsoft 365 allows some users to access other mailboxes through delegation. Admins can delegate the following permissions to another mailbox based on the organization's requirements:
- Full access – Allows modifying content and reading email from another mailbox
- Send as – Allows sending emails from another mailbox
- Send-on behalf – Allows sending emails on behalf of another mailbox
Mailbox permissions can be set either through the Admin Center or PowerShell. Since the UI is suitable for small organizations, most admins prefer PowerShell. The PowerShell cmdlets Set-Mailbox, Add-MailboxPermission, and Add-RecipientPermission help to set mailbox delegations.
To set mailbox permissions, you must connect to Exchange Online PowerShell and follow the steps below based on the required permission.
The Full Access permission allows the delegate to open, view, add, or remove the content of the delegated mailbox. Additionally, the delegated user can create tasks and calendars in the shared mailbox. To assign Full Access permission to an Exchange Online mailbox, you can use the Add-MailboxPermission cmdlet as follows.
Add-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess
This example assigns the user Mark Full Access permission to John’s mailbox.
To grant the admin account full access to all the mailboxes, you can use the below code snippet.
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -User [email protected] -AccessRights FullAccess
Similarly, to remove full access mailbox permissions using PowerShell, you can use the Remove-MailboxPermission cmdlet.
Note: The delegated mailbox should not be hidden from the address lists. If it is hidden, the delegate can’t open the respective mailbox.
The SendAs permission allows a user to send emails that appear to recipients to come from the delegated mailbox or shared mailbox.
Add-RecipientPermission [email protected] -AccessRights SendAs -Trustee [email protected]
The above example grants the user John SendAs permission for the shared mailbox Helpdesk. Now, John can send emails to other users that appear to come directly from the Helpdesk mailbox.
Set Send as Permission for Bulk Mailboxes (input CSV)
To allow multiple users to send email from a specific mailbox, you can delegate Send As permission using a CSV file as input.
The CSV file should contain the UPN of the mailboxes that need access.
$MailboxIds = Import-CSV <Path>
Foreach ($MailboxId in $MailboxIds) {
    Add-RecipientPermission [email protected] -AccessRights SendAs -Trustee $MailboxId.UPN
}
The above code provides Send As access to users in the CSV file to the Helpdesk mailbox.
Allow a Specific User to Send Emails From Multiple Mailboxes (input CSV)
To grant access to multiple mailboxes, you can use the below code snippet.
The CSV file should contain the UPN of the mailboxes to be delegated.
$MailboxIds = Import-CSV <Path>
Foreach ($MailboxId in $MailboxIds) {
    Add-RecipientPermission $MailboxId.UPN -AccessRights SendAs -Trustee [email protected]
}
This example allows John to send emails from mailboxes in the CSV file.
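A more defensive version of the two CSV loops above, as an added example that is not code from the original post: it resolves both sides before granting, skips grants that already exist, supports -WhatIf, and returns a record of what changed. The function name Grant-SendAsFromCsv, its parameters, and the file names are hypothetical; an existing Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the original post); names below are hypothetical.
function Grant-SendAsFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,    # CSV with a UPN column, as in the post
        [Parameter(Mandatory)][string]$FixedUpn,   # the single mailbox, or the single delegate
        # 'Trustees': CSV lists delegates for one mailbox; 'Mailboxes': CSV lists mailboxes for one delegate
        [ValidateSet('Trustees', 'Mailboxes')][string]$CsvContains = 'Trustees'
    )
    $rows = Import-Csv -Path $CsvPath
    if (-not $rows -or -not ($rows[0].PSObject.Properties.Name -contains 'UPN')) {
        throw "CSV '$CsvPath' is empty or has no UPN column."
    }
    # Drop blank rows and duplicates before touching any mailbox.
    $upns = $rows.UPN | Where-Object { $_ } | ForEach-Object { $_.Trim() } | Sort-Object -Unique
    foreach ($upn in $upns) {
        if ($CsvContains -eq 'Trustees') { $mailbox = $FixedUpn; $trustee = $upn }
        else { $mailbox = $upn; $trustee = $FixedUpn }
        try {
            # Resolve both sides first so a typo in the CSV never reaches the grant call.
            $null = Get-Mailbox -Identity $mailbox -ErrorAction Stop
            $null = Get-Recipient -Identity $trustee -ErrorAction Stop
            $existing = Get-RecipientPermission -Identity $mailbox -Trustee $trustee -ErrorAction Stop |
                Where-Object { $_.AccessRights -contains 'SendAs' }
            if ($existing) {
                $status = 'AlreadyGranted'
            }
            elseif ($PSCmdlet.ShouldProcess($mailbox, "Grant SendAs to $trustee")) {
                $null = Add-RecipientPermission -Identity $mailbox -Trustee $trustee `
                    -AccessRights SendAs -Confirm:$false -ErrorAction Stop
                $status = 'Granted'
            }
            else { $status = 'Skipped' }
        }
        catch { $status = "Failed: $($_.Exception.Message)" }
        # One record per attempted grant, suitable for a change log.
        [pscustomobject]@{
            Mailbox = $mailbox; Trustee = $trustee; Status = $status
            When    = (Get-Date).ToString('s')
        }
    }
}
# Dry run first, then apply and keep the result as a change record:
# Grant-SendAsFromCsv -CsvPath .\trustees.csv -FixedUpn <Helpdesk UPN> -WhatIf
# Grant-SendAsFromCsv -CsvPath .\trustees.csv -FixedUpn <Helpdesk UPN> |
#     Export-Csv .\sendas-grants.csv -NoTypeInformation
```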
The Send on Behalf permission allows the delegate to send emails from another mailbox but the from address shows the delegate’s name. For example, (<Delegate> on behalf of <Mailbox>).
To grant Send on Behalf permission for a mailbox, you can use the Set-Mailbox cmdlet with the GrantSendOnBehalfTo parameter.
Set-Mailbox [email protected] -GrantSendOnBehalfTo [email protected]
This command grants Mark send on behalf permission to John’s mailbox.
You can also grant permission to multiple users by giving their mailbox names as comma-separated values.
Set-Mailbox [email protected] -GrantSendOnBehalfTo @{Add="[email protected]","[email protected]"}
The above example does not overwrite the existing permission. Instead, it will add the respective users to existing permission. So, now Mark, Tony, and Bob can send emails on behalf of John.
To manage mailbox permissions, admins need to monitor mailboxes and their delegates. To view the mailbox delegates, you need to use multiple PowerShell cmdlets like Get-Mailbox, Get-MailboxPermission, Get-RecipientPermission, etc.
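One way to combine those cmdlets into a single report of explicitly assigned delegations, as an added example (it is not the pre-built script this post refers to, nor code from the original post). The function name Get-ExplicitMailboxDelegation and the output file name are hypothetical; an existing Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the original post); names below are hypothetical.
function Get-ExplicitMailboxDelegation {
    param([string[]]$Mailbox)    # optional list of UPNs; default is every mailbox

    # SELF/system entries and unresolved SIDs are not real delegates.
    $ignore = 'NT AUTHORITY\\|^S-1-5-21'

    # Builds one output row per (mailbox, permission type, delegate).
    $emit = {
        param($mbx, $type, $delegate)
        [pscustomobject]@{
            Mailbox     = $mbx.UserPrincipalName
            MailboxType = $mbx.RecipientTypeDetails
            AccessType  = $type
            Delegate    = "$delegate"
        }
    }

    $targets = if ($Mailbox) {
        $Mailbox | ForEach-Object { Get-Mailbox -Identity $_ }
    } else {
        Get-Mailbox -ResultSize Unlimited
    }

    foreach ($mbx in $targets) {
        $upn = $mbx.UserPrincipalName

        # Full Access: explicit (non-inherited) allow entries only.
        Get-MailboxPermission -Identity $upn |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                           -not $_.Deny -and $_.User -notmatch $ignore } |
            ForEach-Object { & $emit $mbx 'FullAccess' $_.User }

        # Send As is stored as a recipient permission.
        Get-RecipientPermission -Identity $upn |
            Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -notmatch $ignore } |
            ForEach-Object { & $emit $mbx 'SendAs' $_.Trustee }

        # Send on Behalf is a property of the mailbox itself.
        $mbx.GrantSendOnBehalfTo | Where-Object { $_ } |
            ForEach-Object { & $emit $mbx 'SendOnBehalf' $_ }
    }
}
# Get-ExplicitMailboxDelegation | Export-Csv .\MailboxDelegations.csv -NoTypeInformation
```

Comparing the exported CSV against the previous run is a simple way to spot delegations that appeared without a matching change request.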
You can also use the pre-built script to export a mailbox permissions report to CSV.
I have mentioned a few highlights of the script below.
- The script displays only “Explicitly assigned permissions” to mailboxes, which means it ignores the “SELF” permission that each user has on their own mailbox, as well as inherited permissions.
- Exports output to a CSV file.
- The script can be executed with an MFA-enabled account too.
- You can choose to either “export permissions of all mailboxes” or “pass an input file” to get the permissions of specific mailboxes alone.
- Output file stores most required attributes like Display Name, User Principal Name, Mailbox Type, Access Type, User with Access, and Admin Roles. You can include more attributes easily by modifying the script.
- Allows you to filter the output using your desired permissions like Send-as, Send-on-behalf, or Full access.
- Output can be filtered based on user/all mailbox type.
- Allows you to filter permissions on the admin’s mailbox. So, you can view administrative users’ mailbox permission alone.
Thus, you can efficiently export the mailbox access details with the above PS script. Also, mailbox folders can be delegated to users, which requires constant monitoring. To view the folder permission details, you can export the mailbox folder permission report. However, delegating mailbox permissions to other users is extremely dangerous 😈 if you unintentionally provide delegation to inappropriate users.
So, it is highly necessary to keep track of mailbox access and delegations regularly to avoid any suspicious mailbox permission misuse. Sadly, the statistics on mailbox management provided by Microsoft 365 admin centers are insufficient 😕. Also, users who are not familiar with PowerShell cmdlets may not be able to write PS scripts for tracking mailbox access permissions.
But fret not! AdminDroid provides top-notch mailbox delegation reports for your Exchange Online environment. 💡
The ‘Access to Other Mailboxes‘ report offers details about users who have permission to other mailboxes, permission type, mailbox type, email addresses of the delegated users, and much more.
In addition to the above, the AdminDroid Exchange Online reporting tool 📑 gives more insights to govern mailbox access permissions. Below is the list of mailbox permission reports that help admins get the mailbox access details at their fingertips. 🤞
Mailbox Delegation Reports:
- Mailboxes Permission Summary
- Guests’ Mailboxes Permission Summary
- Mailboxes Permission Detail
- Full Permission Access Mailboxes
- Mailboxes with SendOnBehalf and SendAs Permissions
- User Mailboxes with Read Permission
- Guest’s Access to Other Mailboxes
Admin’s Mailbox Delegation Reports:
- Admin’s Access to Other Mailboxes
- Admins Mailboxes with Send-As Permissions
- Send On Behalf Rights on Admins’ Mailboxes
- Admins Mailboxes with Full Access Permissions
Also, the AdminDroid Exchange Online auditing tool 🔍 provides extensive insights into mailbox permission changes, mailbox access, mailbox activities, mailbox management, etc.
With its intuitive interface and powerful reporting, AdminDroid offers a comprehensive Exchange Online dashboard 📊 that encapsulates all mailbox activities and offers a bird’s eye view of your Exchange Online environment.
No need to wait anymore! Get started today and explore the full capabilities of the AdminDroid Exchange Online management tool.
“Utilize AdminDroid 📍to simplify your Microsoft 365 management effectively and securely!”
I hope this blog will help you manage mailbox permissions in the Exchange Online environment. If you have any queries, reach us through the comment section.