Remove Mailbox Permissions (Full Access or Send As) using PowerShell

Removing existing mailbox permissions is one of the important Exchange management tasks. Use the Remove-MailboxPermission cmdlet to remove the Full Access permission from a user mailbox or shared mailbox, and the Remove-RecipientPermission cmdlet to remove the Send As permission. To perform this task, your account should already have the server roles Organization Management and Recipient Management.

Note: Before proceeding, connect to Exchange Online Remote PowerShell or the Exchange Management Shell (on-premises), depending on your environment.

Remove Full Access Permission

The following command removes the full access permission for the user “[email protected]” from the mailbox “[email protected]”.

Remove-MailboxPermission -Identity "[email protected]" -User "[email protected]" -AccessRights FullAccess -InheritanceType All -Confirm:$false

Identity – The identity (for example Name or UPN) of the mailbox from which you are removing the Full Access permission.
User – The user whose permission on that mailbox is removed.

Remove Send As Permission

The following command removes the send as permission for the user “[email protected]” from the mailbox “[email protected]”.

Remove-RecipientPermission -Identity "[email protected]" -Trustee "[email protected]" -AccessRights SendAs

Identity – The identity (for example Name or UPN) of the mailbox from which you are removing the Send As permission.
Trustee – The user or group from whom you are removing the permission.


Remove full access and send as permissions from all shared mailboxes:

The commands below retrieve all shared mailboxes and remove both permissions for the single user mailbox “[email protected]” from each of them.

$user = "[email protected]"
# @() keeps .Count reliable even when only one shared mailbox is returned
$sharedmbxs = @(Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Select Identity,Alias,DisplayName)
$i = 1
$totalmbxs = $sharedmbxs.Count
foreach ($mbx in $sharedmbxs) {
    Write-Progress -activity "Processing mailbox $($mbx.DisplayName)" -status "$i out of $totalmbxs completed"
    # Remove Full Access, then Send As, for $user on this shared mailbox
    Remove-MailboxPermission -Identity $mbx.Identity -User $user -AccessRights FullAccess -InheritanceType All -Confirm:$false
    Remove-RecipientPermission -Identity $mbx.Identity -Trustee $user -AccessRights SendAs -Confirm:$false
    $i++
}

Remove permission from shared mailboxes for multiple users:

To remove permissions for many users at once, keep the user mailbox identities in a CSV file. Consider the CSV file “O365Users.csv”, which contains the user name (or UPN) of each user under the column header UserName.

$users = Import-Csv 'C:\O365Users.csv'
$sharedmbxs = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Select Identity,Alias,DisplayName
foreach ($user in $users) {
    foreach ($mbx in $sharedmbxs) {
        Write-Progress -activity "Processing user $($user.UserName) - shared mailbox $($mbx.DisplayName)" -status "Processing....."
        Remove-MailboxPermission -Identity $mbx.Identity -User $user.UserName -AccessRights FullAccess -InheritanceType All -Confirm:$false
        # Send As removal is disabled here; uncomment the next line to remove it as well
        #Remove-RecipientPermission -Identity $mbx.Identity -Trustee $user.UserName -AccessRights SendAs -Confirm:$false
    }
}

Your CSV content should be in the format below:

UserName
"[email protected]"
"[email protected]"
"[email protected]"

Remove permission for multiple users from multiple mailboxes:

In some cases, you may need to delete access for a set of users from multiple mailboxes. In this case, you can keep both the user and mailbox identities in a CSV file. Consider the CSV file “remove-permissions.csv”, which contains user and mailbox identities under the column headers UserName and Mailbox.

Import-CSV 'C:\remove-permissions.csv' | ForEach {
    Write-Progress -activity "Processing mailbox $($_.Mailbox) - user $($_.UserName)" -status "Processing..."
    # Each CSV row names one mailbox and one user to remove from it
    Remove-MailboxPermission -Identity $_.Mailbox -User $_.UserName -AccessRights FullAccess -InheritanceType All -Confirm:$false
    Remove-RecipientPermission -Identity $_.Mailbox -Trustee $_.UserName -AccessRights SendAs -Confirm:$false
}

Your CSV content should be in the format below:

Mailbox, UserName
"[email protected]", "[email protected]"
"[email protected]", "[email protected]"
"[email protected]", "[email protected]"
"[email protected]", "[email protected]"
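
The bulk scripts above call the remove cmdlets on every listed mailbox, whether or not the user holds a permission there. The following added example (not part of the original article) first checks with Get-MailboxPermission and Get-RecipientPermission which shared mailboxes carry an explicit grant for the user, removes only those, and supports -WhatIf for a dry run. The function name Remove-SharedMailboxAccess and the output field names are assumptions made for illustration.

```powershell
# Added example: the function name and output fields are hypothetical.
# Run inside an Exchange Online or Exchange Management Shell session.
function Remove-SharedMailboxAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$User)

    $sharedmbxs = @(Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited)

    foreach ($mbx in $sharedmbxs) {
        # Explicit (non-inherited) Full Access entries for $User on this mailbox
        $full = @(Get-MailboxPermission -Identity $mbx.Identity -User $User -ErrorAction SilentlyContinue |
            Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' })

        # Explicit Send As entries for $User on this mailbox
        $sendAs = @(Get-RecipientPermission -Identity $mbx.Identity -Trustee $User -AccessRights SendAs -ErrorAction SilentlyContinue |
            Where-Object { -not $_.IsInherited })

        if (-not $full -and -not $sendAs) { continue }   # nothing to remove here

        $removed = @()
        # ShouldProcess returns $false under -WhatIf, so a dry run changes nothing
        if ($full -and $PSCmdlet.ShouldProcess($mbx.DisplayName, "Remove FullAccess for $User")) {
            Remove-MailboxPermission -Identity $mbx.Identity -User $User -AccessRights FullAccess -InheritanceType All -Confirm:$false -ErrorAction Stop
            $removed += 'FullAccess'
        }
        if ($sendAs -and $PSCmdlet.ShouldProcess($mbx.DisplayName, "Remove SendAs for $User")) {
            Remove-RecipientPermission -Identity $mbx.Identity -Trustee $User -AccessRights SendAs -Confirm:$false -ErrorAction Stop
            $removed += 'SendAs'
        }

        # One record per mailbox where a grant was found (Removed stays empty in a dry run)
        [pscustomobject]@{
            Mailbox       = $mbx.DisplayName
            User          = $User
            HadFullAccess = [bool]$full
            HadSendAs     = [bool]$sendAs
            Removed       = $removed -join ','
        }
    }
}

# Dry run: lists the grants that exist without changing anything
# Remove-SharedMailboxAccess -User '<user UPN>' -WhatIf
# Apply and keep a record of what was removed (output path is a placeholder)
# Remove-SharedMailboxAccess -User '<user UPN>' | Export-Csv '<path>\removed-permissions.csv' -NoTypeInformation
```

The records written by the second call give a before-state for each mailbox, which is what you need if a removal has to be reversed later.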


3 thoughts on “Remove Mailbox Permissions (Full Access or Send As) using PowerShell”

  1. So what do you do if you want to remove ALL the permissions from a single mailbox and Get-MailboxPermission -identity “[email protected]” | Remove-MailboxPermission does not work in Powershell? Do you still need to type out a csv of all the users with permission? That seems completely counter-intuitive to automation.

  2. Thank you for sharing the information. It was really useful to save the time. What I have noticed is that with these PowerShell commands, Send As rights are not removed. Could you please update the command? Thanks in advance.
