Desperate office worker having problems tracking mailbox permissions for Outlook on the Exchange Online server.

A new employee has joined your company! Aside from adding them in Active Directory, this also means creating a new Exchange mailbox for the fresh hire. Easy enough. Personal mailboxes are fairly straightforward. The tricky part comes later, when it's time to check which additional mailboxes and folders a user has been given access to.

The default tools provided by Microsoft make it difficult and time-consuming to keep track of Exchange mailbox permissions and piece together all the information you need to get the full picture. Read our guide to learn everything about mailbox permission management with PowerShell and the Exchange Admin Center (EAC), including how a dedicated access management solution can help you simplify the reporting process.

How to Check Exchange Mailbox Permissions

To manage Exchange mailbox permissions, you will need to use either the Exchange Admin Center (EAC, formerly known as the Exchange Management Console) or PowerShell. Since 2016, a cross-platform, open source version of PowerShell (PowerShell Core) is available for Windows, macOS and Linux alongside the traditional Windows PowerShell.

Managing Mailbox Permissions with PowerShell

Let's assume you're an admin trying to give an employee access to another mailbox or add an entire group to a shared mailbox. To accomplish this task using PowerShell, you would connect to Exchange Online PowerShell and use a cmdlet such as Add-MailboxPermission. For example, you might assign the Send As permission to a user in order to allow them to respond as if their messages were coming from the email address in question. A user with access to another mailbox is also known as a delegate.
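As an added example (not code from the original post), the following script grants the three permission types discussed on this page to one delegate from the Exchange Online PowerShell module, then reads them back; the mailbox, delegate and admin addresses are placeholders.

```powershell
# Added example: grant Full Access, Send As and Send on Behalf on one shared mailbox.
# Requires the ExchangeOnlineManagement module; all addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # interactive sign-in

$Mailbox  = 'sales-leads@contoso.example'   # placeholder shared mailbox
$Delegate = 'alice@contoso.example'         # placeholder delegate

# Full Access: open the mailbox and read/edit its contents, but no right to send from it.
# -AutoMapping $false stops Outlook from silently adding the mailbox to the delegate's profile.
Add-MailboxPermission -Identity $Mailbox -User $Delegate `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# Send As: in Exchange Online this is a recipient permission, not a mailbox ACL entry,
# so it is granted and reported with the *-RecipientPermission cmdlets.
Add-RecipientPermission -Identity $Mailbox -Trustee $Delegate `
    -AccessRights SendAs -Confirm:$false

# Send on Behalf: stored as a multi-valued attribute on the mailbox object itself.
Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{Add = $Delegate}

# Read back each grant from the place it is actually stored, so a later
# access review knows where to look (and which cmdlet removes it).
Get-MailboxPermission -Identity $Mailbox -User $Delegate |
    Select-Object Identity, User, AccessRights, IsInherited
Get-RecipientPermission -Identity $Mailbox -Trustee $Delegate |
    Select-Object Identity, Trustee, AccessRights
(Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo

Disconnect-ExchangeOnline -Confirm:$false
```

Each grant is reversed with its counterpart (Remove-MailboxPermission, Remove-RecipientPermission, or Set-Mailbox -GrantSendOnBehalfTo @{Remove = ...}), which is why the three storage locations matter when permissions are later cleaned up.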

While this approach is effective for minor adjustments, the text-based interface quickly runs into limitations when it comes to larger changes to delegation, such as changing settings for multiple groups or switching around many individual delegates. For changes at this scale, the Admin Center generally proves more effective.

Managing Mailbox Permissions using EAC

To adjust Exchange mailbox permissions using the Admin Center, navigate to Recipients > Mailboxes. You can use Ctrl to select multiple mailboxes at once, which will also bring up the Bulk Edit menu on the right side of the page.

Mailbox permissions are accessible via More options at the bottom of the Bulk Edit panel. You can now view existing permissions or add new ones. Additional information is available in Microsoft's official documentation, but the most important distinction is between the three main permission types used in Exchange:

  • Full Access: This permission allows the delegate to open the mailbox and view or edit contents, but does not permit the delegate to send messages from the mailbox.

  • Send As: The Send As permission allows delegates to send messages as if they were sent straight from the mailbox in question, but does not give them access to the contents of the mailbox.

  • Send on Behalf: Similar to Send As, Send on Behalf allows a delegate to send messages from the mailbox or group they have the permission for, but any emails sent this way will show that they were sent by the delegate on behalf of the mailbox. It does not give them access to the contents of the mailbox. If delegates are given both the Send As and Send on Behalf permission, Send As will take priority.

Check Mailbox Permissions using PowerShell

Using the Get-Mailbox and Get-MailboxPermission cmdlets (in combination with the correct set of parameters) also makes it possible to check, for example, which mailboxes a specific user has access to or which mailboxes have a delegate with the Full Access permission. You can find some ideas for scripts in this blogpost.
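One way to run both checks in a single pass, as an added example that is not from the original post: collect every explicit Full Access, Send As and Send on Behalf entry in the tenant into one table, then query it per user or per mailbox. It assumes an existing Connect-ExchangeOnline session; the user address in the query is a placeholder.

```powershell
# Added example: one table of all explicit delegations, built once and queried many times.
# Assumes Connect-ExchangeOnline has already been run.
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

$Delegations = foreach ($mbx in $Mailboxes) {
    # Full Access: skip inherited entries and the system/SELF principals every mailbox has.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and
                       -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\*' -and
                       $_.User -notlike 'S-1-5-*' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = [string]$mbx.PrimarySmtpAddress
                               Trustee = [string]$_.User
                               Right   = 'FullAccess' }
        }

    # Send As is stored on the recipient object, so it needs its own cmdlet.
    Get-RecipientPermission -Identity $mbx.Identity -AccessRights SendAs |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = [string]$mbx.PrimarySmtpAddress
                               Trustee = [string]$_.Trustee
                               Right   = 'SendAs' }
        }

    # Send on Behalf is a multi-valued mailbox attribute; resolve each entry to an SMTP address.
    foreach ($entry in $mbx.GrantSendOnBehalfTo) {
        $r = Get-Recipient -Identity ([string]$entry) -ErrorAction SilentlyContinue
        [pscustomobject]@{ Mailbox = [string]$mbx.PrimarySmtpAddress
                           Trustee = if ($r) { [string]$r.PrimarySmtpAddress } else { [string]$entry }
                           Right   = 'SendOnBehalf' }
    }
}

# Everything one account can reach (placeholder address) ...
$Delegations | Where-Object Trustee -eq 'alice@contoso.example' | Format-Table -AutoSize
# ... and which mailboxes expose Full Access to someone other than their owner, most first.
$Delegations | Where-Object Right -eq 'FullAccess' | Group-Object Mailbox |
    Select-Object Name, Count | Sort-Object Count -Descending
# Keep a dated copy so the next access review can diff against it.
$Delegations | Export-Csv -Path ".\mailbox-delegations-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Trustees that resolve to a group rather than a person still appear as a single row here; expanding those groups to their members is a separate step.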

Note: While this is a reasonable approach for companies with fewer than 20 employees, running custom searches in PowerShell and manually exporting the results would consume an excessive amount of time for larger organizations. Tracking mailbox permissions for a larger number of staff requires a dedicated reporting tool.

Tracking Exchange Mailboxes and Active Directory Accounts

As we've already established, PowerShell can be used to figure out which permissions have been assigned for a specific mailbox or folder. In theory, you could then use the EAC to draw connections between Exchange mailboxes and user accounts in Active Directory.

This could be necessary if, for example, you need to figure out the level of access an AD user has in a specific Exchange mailbox or need a list of all mailbox permissions that a specific user account has.

Tracking Outdated and Unnecessary Mailbox Permissions

In most organizations, users have more access rights than they really need for their job. This applies to Exchange mailbox permissions just as much as it does to file server permissions or third party accounts. Put simply, the root cause of this gradual build-up of excess privileges is the fact that users constantly receive new permissions, but old and outdated permissions aren't removed in time.

Let's say a new member joins the sales team and is given full access to several shared mailboxes: for incoming leads, communicating with distributors, etc. So far, so good. They need access to those mailboxes to do their job. But a few months later, they switch to the product team and receive all the access rights associated with their new role. Only nobody remembers to revoke the mailbox permissions they no longer need.

Without a standardized process for user access reviews, old privileges tend to fall through the cracks. Users often forget about them, or don't feel like bothering IT over something that's not causing any harm, right? Wrong!

In reality, unnecessary permissions pose a significant security risk. They increase the risk and possible scope of information theft from within and can be exploited by hackers, malware or ransomware to access additional parts of your network. This is also why most cybersecurity standards now require access rights to be assigned in accordance with the need-to-know or least privilege principle.

Shared Mailboxes & Nested Groups

When it comes to fighting unnecessary permissions, there's an important distinction to be made between individual users who have been given access to additional mailboxes and shared mailboxes that are managed via groups. While unnecessary permissions assigned to users are far from ideal, at least admins can use PowerShell to figure out who in their organization can access mailboxes besides their own (using the methods described above).

With shared mailboxes, it's not quite as simple. These mailboxes are commonly used to allow multiple users to receive and answer emails that are relevant to more than one person (for example, if multiple staff members are assigned to one client). Access to shared mailboxes is typically managed using groups, which adds an extra layer of complexity to permission reporting: You can use PowerShell to see which groups have access to a shared mailbox, but then you have to figure out which users are part of that group.

Important: Please note the distinction between shared mailboxes and distribution groups, which provide another option for distributing messages among multiple users in Exchange Online.


IT admin trying to figure out how many users are part of a security group with access to a shared mailbox.

Exchange Mailbox Permissions per User

The fact that permissions assigned through groups are not readily transparent means that reporting options for Exchange using the default tools are quite limited. Just as you cannot see which users are assigned to a shared mailbox, you also cannot tell which mailboxes an individual user has access to, only which groups they are a member of.

To get the complete picture and generate a full report of every user's effective access level in Exchange Online using the default Microsoft tools, you would have to manually comb through every group on your server.
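The group-expansion step that the two sections above describe (finding which users sit behind a group that holds Full Access on a shared mailbox), as an added example that is not from the original post: a recursive helper walks nested distribution or mail-enabled security groups, with a guard against membership loops, and the report names each user together with the chain of groups they inherited the right through. It assumes an existing Connect-ExchangeOnline session; the shared mailbox address is a placeholder, and Microsoft 365 groups would need Get-UnifiedGroupLinks instead.

```powershell
# Added example: expand nested groups on a shared mailbox's Full Access entries to individual users.
# Assumes Connect-ExchangeOnline has already been run; mailbox address is a placeholder.
function Expand-GroupMembers {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [System.Collections.Generic.HashSet[string]] $Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    if (-not $Seen.Add($Group)) { return }   # loop guard: this group was already expanded

    foreach ($m in Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited) {
        if ([string]$m.RecipientTypeDetails -in 'MailUniversalDistributionGroup', 'MailUniversalSecurityGroup') {
            # Nested group: recurse and prepend this group to the membership chain.
            Expand-GroupMembers -Group ([string]$m.PrimarySmtpAddress) -Seen $Seen |
                ForEach-Object { $_.Via = "$Group > $($_.Via)"; $_ }
        } else {
            [pscustomobject]@{ User = [string]$m.PrimarySmtpAddress; Via = $Group }
        }
    }
}

$SharedMailbox = 'sales-leads@contoso.example'   # placeholder shared mailbox

# Explicit Full Access entries; any trustee that resolves to a group is expanded to its users.
Get-MailboxPermission -Identity $SharedMailbox |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                   $_.User -notlike 'NT AUTHORITY\*' } |
    ForEach-Object {
        $trustee = Get-Recipient -Identity ([string]$_.User) -ErrorAction SilentlyContinue
        if ($trustee -and [string]$trustee.RecipientTypeDetails -like 'MailUniversal*Group') {
            Expand-GroupMembers -Group ([string]$trustee.PrimarySmtpAddress) |
                Select-Object @{ n = 'Mailbox'; e = { $SharedMailbox } }, User, Via
        } else {
            [pscustomobject]@{ Mailbox = $SharedMailbox; User = [string]$_.User; Via = '(direct)' }
        }
    } | Sort-Object User, Via | Format-Table -AutoSize
```

A user who appears both with Via '(direct)' and via a group keeps access even after the group membership is removed, which is exactly the kind of leftover an access review should catch.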

Exchange Mailbox Permissions: Compliance Risks

The reporting limitations for Exchange Online are a bigger problem than you might think. The lack of transparency makes it easy to miss outdated and unnecessary permissions, giving users access to mailboxes they have no business accessing. And remember, access to mailboxes, especially Full Access, doesn't just mean seeing incoming emails. It means access to the entire email history, to calendar entries, shared files and attachments, etc.

Aside from the increased risk of information theft and insider threats, excess privileges on the mail server are also a thorny issue when it comes to achieving compliance with standards such as SOX, HIPAA, ISO 27001, the NIST Cybersecurity Framework and so on. Most cybersecurity regulations now require businesses to enforce the principle of least privilege, i.e. to limit access rights for staff to just what is absolutely necessary.

Managing Exchange Mailbox Permissions with tenfold

Businesses can avoid the risk of compliance breaches and the effort involved in manually checking mailbox permissions using Identity Access Management software with an interface to Active Directory. IAM solutions help companies both automate and rigorously document routine tasks involved with user management and permissions. This includes creating new user accounts, assigning the right attributes in AD and automatically adding users to the correct security groups, distribution groups and shared mailboxes based on their role and department.

Thanks to its out-of-the-box plugin for Exchange (Online), tenfold's comprehensive reporting tools provide you with a clear overview of all effective permissions on your mail server, including detailed reports on which users have access to a specific mailbox or folder. tenfold automatically breaks down AD groups and visualizes group membership through a tree diagram.

[Free Trial] Sign Up Now for a Free tenfold Trial!

The free trial version allows you to experience tenfold's full range of features. See how easy user and access management can be with our efficient and user-friendly platform: Sign up today!

Exchange Mailbox Management Made Easy!

The advantages of tenfold extend far beyond its reporting tools. For example, the Exchange® Mailbox Lifecycle Plugin makes managing mailboxes fast and easy. Whenever a new employee joins your company, tenfold automatically creates a new mailbox for them and gives them access to folders and mailboxes based on their position within the company. The same is true for any system connected to tenfold: your local AD and file server, Azure Active Directory, third party applications, etc.

If an employee switches to another role or department down the line, tenfold automatically moves their mailbox to the correct mailbox database. If a staff member leaves your organization, tenfold automatically closes their mailbox and sets up the required redirects to forward all incoming emails.

Additionally, tenfold provides various handy features that address common mailbox problems, such as the ability to set an Outlook out-of-office message for another user, in case a colleague forgot to set up their automatic response before going on vacation. There is even an option to define auto-filled templates for out-of-office messages in order to set a uniform response.

Exchange Mailbox Permissions at a Glance

Problem in Exchange | Solution in tenfold
Mailboxes must be created manually (no provisioning) | User creation in AD and Exchange is fully automated (automatic provisioning)
Administrators have to go through PowerShell to see access rights | tenfold provides automatic and clear reports on who has access to what
No group breakdown to individual members | tenfold automatically breaks down groups and visualizes group membership through a tree diagram
No self-service (requesting new access rights is complicated) | Users can request additional access rights themselves via self-service
No workflows | Data owners receive user requests made in the self-service and can confirm or reject these as part of a workflow

[FREE WHITE PAPER] Best practices for access management in Microsoft® environments.

Read our white paper to learn how to best handle access rights in Microsoft® environments.