Keeping Mailbox permissions under control is not only considered good tech hygiene on a tenant, but become a must have from compliance perspective, especially during onboarding, change of role, departure of an employee or a contractor.
The default tools provided by Microsoft make it time-consuming to keep track of Exchange mailbox permissions and piece together all the information you need to get the full picture, CoreSuite offers a faster and secure alternative.
To manage Exchange Online mailbox permissions, you will need to use either the Exchange Admin Center or PowerShell.
Exchange admin center can be used to check existing permissions on single mailboxes, selecting Mailbox delegation in the properties of the mailbox or group and verifying the delegates. It's not possible to get a detailed list of all permissions applied on all mailboxes at once
PowerShell gives you full power on your tenant and you can get the whole picture of permissions applied on your tenant using a combination of the following 3 main cmdlets (legacy v1 or v2 below):
#Exchange V1 cmdlets Get-Mailbox Get-MailboxPermission Get-RecipientPermission #Exchange V2 cmdlets Get-EXOMailbox Get-EXOMailboxPermission Get-EXORecipientPermission
An important note on duration, full retrieval of all permissions in a large tenant (100K+ users) can take more than 24 hours to complete
Here more details from Microsoft documentation on Exchange V1
Here more details on the new Microsoft Exchange V2 PowerShell Module
Steps to review and manage Exchange mailbox permissions using CoreView:
- Go to Analyze tap on the top pane
- Search for "User Mailbox" in the "FILTER REPORTS" textbox or go to Security Reports > User mailbox security
- A table showing all delegates will be shown and you can easily filter to find what you are looking for
Note: data shown are enriched to help finding anomalies in a faster way. You can find RecipientTypeDetails, company country and department information of the delegated mailbox and the delegate. Quite often, during change of role, users can still access mailboxes they should not be able to access.
Trick: try to search in the table with filter "Type of user with access =SharedMailbox", we bet you will get a list of anomalies: old UserMailbox migrated to shared (decommissioned users) configured as delegate to other mailboxes. This should be deleted to keep things under control and remove "background noise" while managing your tenant
- Go to the Manage tab on the top pane.
- You will find a list of possible actions like:
- Copy permissions from
- Copy permissions to
- Grant access to mailboxes
- Grant access to users
- Grant full access to manager
- Grant send on behalf of to mailbox
- Manage send as permissions
- Remove access rights from mailbox
- Remove mailbox permission rights
These actions give fast and complete coverage of permissions management on mailboxes to keep this aspect of Microsoft Exchange Online under control.
Note: operators will be able to see and manage only mailboxes part of their V-Tenant defined scope.
Using CoreSuite you can not only manage every aspect of mailbox permissions, but you can also create, manage, monitor and delete mailbox objects and their configuration easily, always within the scope of your V-Tenant.
CoreSuite is an advanced Microsoft 365 tool offered by CoreView, used for reporting, managing, monitoring, auditing, and automating activities on your tenant to help keeping it under control. It simplify day by day activities, while ensuring a safer and more compliance management through tenant delegation, granular permission contro, license optimization, workflow.
Visit our main web site for more information.
Was this article helpful?
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
We apprciate your effort and will try to fix the article