How to check mailbox delegation permissions
Getting a list of mailbox permissions such as Full access, Send As, and Send On Behalf is a common if not basic need for Exchange admins, especially if you are planning to migrate to Office 365 and need to list delegates – i.e. Mail Enabled Users within your organization that have been granted specific access and rights to interact with another end-user’s mailbox. Today, your boss has asked you to send to each user a list of all the accounts that have Full Access and Send on Behalf permissions on their mailbox.
Let’s examine the different options.
Checking a mailbox to find all the delegates with Exchange Admin Center (EAC)
In EAC you can view Mailbox delegation permissions by clicking each mailbox. That can will do the job until you need to view permissions of multiple mailboxes. Unfortunately, the EAC interface is not designed to view multiple mailboxes’ permission at a time.
Then the next option is to use PowerShell.
Extract mailbox delegation permissions with PowerShell
Microsoft Exchange provide the Get-MailboxPermission and Get-RecipientPermission cmdlets that can be used to query the permissions on a mailbox in Exchange on-premise and Exchange Online. However, the syntax of commands may differ depending on the environment. At the end of the day you need a script to only retain the information required, without the SELF permissions and inherited permissions you are not concerned about. For example, this script will retrieve all on-premise mailboxes with permissions granted to other users to Send On Behalf and this one lets you export Office 365 Mailbox Permissions Report to CSV.
This is all good but remains one serious problem, how are you going to send an individual report to each single user with information concerning them?
Get non-owner permissions with Promodag Reports
Promodag Reports includes a report that can help you achieve this task: Recipient Delegate Permissions.
First and foremost, it works for both on-premise and Office 365 environments: no more worries about scripts and command syntax, the tool supports all on-premise versions of Exchange from 2007 to 2019 along with Exchange Online.
Secondly, the user-friendly interface allows to select the permissions you need to report on:
|Permission||What the delegate is allowed to do|
|Full Access||Open this mailbox and behave as the mailbox owner|
|Send As||Send email from this mailbox. The message will appear to have been sent by the mailbox owner|
|Send on behalf||Send email on behalf of this mailbox. The From line in any message sent by a delegate indicates that the message was sent by the delegate on behalf of the mailbox owner|
You can also list mailboxes on which a Deliver and Redirect server-side rule is enabled.
The most interesting feature is that you can automatically generate an individual report for each user, and have it emailed to them! You can respond to your boss’ request in a few clicks. Problem solved.
A new article about our Permissions on Mailbox Folders report is on the way. Stay tuned!
Stay on top of permission audit with our Exchange reporting tool
Try Promodag Reports Free for 45 Days