In this post, I am going to share PowerShell commands to get all shared mailboxes and find users who have delegated permissions (Full Access or Send As) on the shared mailboxes. Strictly speaking, shared mailboxes do not have members, but Microsoft itself now refers to users who have been granted Full Access permission on a shared mailbox as members. Reference post: Add or remove members from a shared mailbox.
List shared mailboxes
You can find and list shared mailboxes using the Get-Mailbox cmdlet by passing the value “SharedMailbox” to the RecipientTypeDetails parameter.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Select-Object Identity,Alias,DisplayName
Get shared mailboxes and users who have permissions
After retrieving mailboxes, we can use the cmdlet Get-MailboxPermission to get the available permissions configured for the users in every mailbox.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Get-MailboxPermission |
Select-Object Identity,User,AccessRights
By default, the Get-MailboxPermission command lists rights held by built-in and system accounts along with the users’ permissions. To exclude those entries, we can use the Where-Object command to keep only the rights granted to mailbox user accounts.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Get-MailboxPermission |
Select-Object Identity,User,AccessRights | Where-Object {($_.user -like '*@*')}
Export shared mailboxes and users with permissions
The following PowerShell commands export shared mailboxes and their users’ permission details to a CSV file.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Get-MailboxPermission |
Select-Object Identity,User,AccessRights | Where-Object {($_.user -like '*@*')} |
Export-CSV "C:\Temp\SharedMailboxes.csv" -NoTypeInformation -Encoding UTF8
Export shared mailbox user details
The above commands get only the email address (UserPrincipalName) of the users who are members of the shared mailboxes. To retrieve the users’ other details (such as display name, department, etc.), we need to run another command for each user. In Azure AD, use the Get-AzureADUser cmdlet; in on-premises AD, use the Get-ADUser command.
$Result = @()
# Collect the user permissions on every shared mailbox.
$MailboxPermissions = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Get-MailboxPermission |
    Select-Object Identity,User,AccessRights | Where-Object {($_.user -like '*@*')}
$totalmps = $MailboxPermissions.Count
$i = 0
$MailboxPermissions | ForEach-Object {
    $MP = $_
    $i++
    # $(...) is required to expand a property inside a double-quoted string.
    Write-Progress -Activity "Processing $($MP.Identity) - $($MP.User)" -Status "$i out of $totalmps completed"
    # Get user details.
    $UserObj = Get-AzureADUser -ObjectId $MP.User
    $Result += New-Object PSObject -Property $([ordered]@{
        SharedMailbox = $MP.Identity
        UserName = $UserObj.DisplayName
        UserUPN = $MP.User
        # Join the rights into one string so the CSV column holds the values.
        AccessRights = ($MP.AccessRights -join ',')
    })
}
$Result | Export-CSV "C:\Temp\SharedMailboxes.csv" -NoTypeInformation -Encoding UTF8
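The commands above read Get-MailboxPermission, which reports Full Access but not Send As; in Exchange Online, Send As grants are returned by Get-RecipientPermission. The following added example (not part of the original post) audits both in one report. It assumes an Exchange Online session opened with Connect-ExchangeOnline, and the output path is a placeholder.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline has been run.
$OutFile = 'C:\Temp\SharedMailboxDelegations.csv'   # placeholder path

$Report = foreach ($Mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox) {
    $Id = [string]$Mbx.PrimarySmtpAddress   # unambiguous identity for the lookups below

    # Mailbox-level rights (Full Access etc.). Keep explicit Allow entries only.
    # The '*@*' test is the post's filter; it also hides any trustee not shown as an address.
    Get-MailboxPermission -Identity $Id |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.User -like '*@*' } |
        ForEach-Object {
            [pscustomobject]@{
                SharedMailbox = $Id
                Delegate      = [string]$_.User
                Permission    = $_.AccessRights -join ','   # collection -> CSV-safe string
            }
        }

    # Send As is a recipient permission and is not part of Get-MailboxPermission output.
    Get-RecipientPermission -Identity $Id |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and $_.Trustee -like '*@*' } |
        ForEach-Object {
            [pscustomobject]@{
                SharedMailbox = $Id
                Delegate      = [string]$_.Trustee
                Permission    = $_.AccessRights -join ','
            }
        }
}

# One row per mailbox/delegate pair, listing every right that delegate holds.
$Summary = $Report | Group-Object SharedMailbox, Delegate | ForEach-Object {
    [pscustomobject]@{
        SharedMailbox = $_.Group[0].SharedMailbox
        Delegate      = $_.Group[0].Delegate
        Permissions   = ($_.Group.Permission | Sort-Object -Unique) -join ';'
    }
}

$Summary | Sort-Object SharedMailbox, Delegate |
    Export-Csv $OutFile -NoTypeInformation -Encoding UTF8
```

Delegates whose Permissions column shows both FullAccess and SendAs can read the mailbox and send mail as it, so those rows are the ones to review first.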
Good grief, it’s so hard to find a straight answer to a simple inquiry. Thank you!
Nice post. Exactly what I want.
Thank You
How can I filter for the User name not just their email? I have tried using first.last,Samaccountname,displayname, etc…