How to review and manage Exchange online mailbox permissions

Modified on Tue, 22 Nov 2022 at 12:31 AM

Keeping mailbox permissions under control is not only good hygiene on a tenant, it has become a must-have from a compliance perspective, especially during onboarding, a change of role, or the departure of an employee or a contractor.

The default tools provided by Microsoft make it time-consuming to keep track of Exchange mailbox permissions and to piece together all the information you need to get the full picture. CoreSuite offers a faster and secure alternative.


Microsoft 365:

To manage Exchange Online mailbox permissions, you will need to use either the Exchange Admin Center or PowerShell. 


The Exchange admin center can be used to check existing permissions on a single mailbox: select Mailbox delegation in the properties of the mailbox or group and verify the delegates. It is not possible to get a detailed list of all permissions applied on all mailboxes at once.


PowerShell gives you full control over your tenant, and you can get the whole picture of the permissions applied on it by combining the following three main cmdlets (legacy V1 or V2, listed below):

#Exchange V1 cmdlets
Get-Mailbox
Get-MailboxPermission
Get-RecipientPermission

#Exchange V2 cmdlets
Get-EXOMailbox
Get-EXOMailboxPermission
Get-EXORecipientPermission

An important note on duration: a full retrieval of all permissions in a large tenant (100K+ users) can take more than 24 hours to complete.
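
As an added example (not from the original article, CoreView or Microsoft), the script below combines the three V2 cmdlets into one CSV inventory and lists delegates that are themselves shared mailboxes. It assumes an existing Connect-ExchangeOnline session; $OutFile and New-PermissionRow are hypothetical names.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# Connect-ExchangeOnline has already been run in this session.
$OutFile = '.\mailbox-permissions.csv'   # hypothetical output path

# Enumerate mailboxes once and keep a UPN -> RecipientTypeDetails lookup so each
# delegate can be labelled with its own mailbox type.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited
$typeByUpn = @{}
foreach ($m in $mailboxes) {
    $typeByUpn[[string]$m.UserPrincipalName] = $m.RecipientTypeDetails
}

function New-PermissionRow($Mailbox, $Delegate, $Rights, $Source) {
    [pscustomobject]@{
        Mailbox      = $Mailbox.UserPrincipalName
        MailboxType  = $Mailbox.RecipientTypeDetails
        Delegate     = $Delegate
        # Empty when the delegate is not a mailbox UPN (for example a group).
        DelegateType = $typeByUpn[[string]$Delegate]
        Rights       = ($Rights -join ';')
        Source       = $Source
    }
}

$rows = foreach ($m in $mailboxes) {
    # Mailbox-level rights such as FullAccess; skip the owner's own entry
    # and inherited entries.
    Get-EXOMailboxPermission -Identity $m.UserPrincipalName |
        Where-Object { $_.User -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
        ForEach-Object { New-PermissionRow $m $_.User $_.AccessRights 'MailboxPermission' }

    # Recipient-level rights (SendAs).
    Get-EXORecipientPermission -Identity $m.UserPrincipalName |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { New-PermissionRow $m $_.Trustee $_.AccessRights 'RecipientPermission' }
}

# Full inventory for review or diffing against a previous run.
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Review list: delegates that are themselves shared mailboxes.
$rows | Where-Object { $_.DelegateType -eq 'SharedMailbox' } |
    Sort-Object Delegate, Mailbox |
    Format-Table Mailbox, Delegate, Rights, Source -AutoSize
```

Because the script makes two permission calls per mailbox, expect long run times on large tenants, as noted above.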


See the Microsoft documentation for more details on Exchange V1.

See here for more details on the new Microsoft Exchange V2 PowerShell module.


CoreView:

Steps to review and manage Exchange mailbox permissions using CoreView:


Visibility

  1. Go to CoreView Portal
  2. Search for "User Mailbox" in the "FILTER REPORTS" textbox
  3. Or go to Reports --> Security --> User Mailbox Security
  4. A table showing all delegates will be shown and you can easily filter to find what you are looking for



Note: the data shown is enriched to help you find anomalies faster. You can find the RecipientTypeDetails, company, country and department information of the delegated mailbox and of the delegate. Quite often, after a change of role, users can still access mailboxes they should not be able to access.


Trick: try to search the table with the filter "Type of user with access = SharedMailbox". We bet you will get a list of anomalies: old UserMailbox objects migrated to shared (decommissioned users) that are configured as delegates on other mailboxes. These should be deleted to keep things under control and remove "background noise" while managing your tenant.


Management

  • Go to Action Menu --> Management Actions

  • You will find a list of possible actions as shown below

                


            



These actions give fast and complete coverage of permissions management on mailboxes to keep this aspect of Microsoft Exchange Online under control.



Note: operators will be able to see and manage only the mailboxes that are part of their V-Tenant defined scope.



Using CoreSuite you can not only manage every aspect of mailbox permissions, but you can also create, manage, monitor and delete mailbox objects and their configuration easily, always within the scope of your V-Tenant.


CoreSuite is an advanced Microsoft 365 tool offered by CoreView, used for reporting, managing, monitoring, auditing, and automating activities on your tenant to help keep it under control. It simplifies day-to-day activities while ensuring safer and more compliant management through tenant delegation, granular permission control, license optimization and workflows.


Visit our main web site for more information.

