Maintaining strict control over mailbox permissions is crucial for safeguarding sensitive information within an organization. Non-owner access to mailboxes can pose security risks if not properly monitored. This article presents a PowerShell script that audits non-owner access permissions across all mailboxes in Exchange Online.
The script helps administrators identify instances where non-owners have access to mailboxes, allowing for a thorough review of permissions and ensuring that access rights are aligned with organizational policies.
Here is the script:
# Connect to Exchange Online
Connect-ExchangeOnline

# Function to check non-owner access permissions
function Check-NonOwnerAccess {
    # Get all user mailboxes in the tenant
    $mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

    # Prepare an array to hold the non-owner access information
    $nonOwnerAccessInfo = @()

    foreach ($mailbox in $mailboxes) {
        $mailboxPermissions = Get-MailboxPermission -Identity $mailbox.Identity
        foreach ($permission in $mailboxPermissions) {
            # Keep only explicit (non-inherited) entries granted to someone other than
            # the owner. NT AUTHORITY\SELF is the owner's own entry. FullAccess is the
            # most significant non-owner right, so it is reported rather than filtered out.
            if ($permission.User -ne "NT AUTHORITY\SELF" -and
                $permission.User -ne $mailbox.UserPrincipalName -and
                -not $permission.IsInherited) {
                $nonOwnerAccessInfo += [PSCustomObject]@{
                    Mailbox         = $mailbox.PrimarySmtpAddress
                    NonOwner        = $permission.User
                    # AccessRights is a collection; join it so Export-Csv writes the names
                    AccessRights    = ($permission.AccessRights -join ', ')
                    Deny            = $permission.Deny
                    InheritanceType = $permission.InheritanceType
                }
            }
        }
    }
    return $nonOwnerAccessInfo
}

# Check the non-owner access permissions
$nonOwnerAccessResults = Check-NonOwnerAccess

# Display the non-owner access information
$nonOwnerAccessResults | Format-Table -AutoSize

# Optionally export to CSV
$nonOwnerAccessResults | Export-Csv -Path "NonOwnerAccessResults.csv" -NoTypeInformation
Write-Output "Non-owner access results exported to NonOwnerAccessResults.csv"

# Disconnect from Exchange Online
Disconnect-ExchangeOnline -Confirm:$false
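As an added example that is not part of the original article, the filtering step can be exercised offline against constructed permission entries shaped like Get-MailboxPermission output, so the logic is verified before it is pointed at a tenant; the owner, delegate names and SID are hypothetical. It keeps FullAccess as a finding, skips inherited entries, and flags a SID left behind by a deleted account.

```powershell
# Added example (not the article's script): run the non-owner filter over
# constructed entries shaped like Get-MailboxPermission output.

function Select-NonOwnerPermission {
    param(
        [Parameter(Mandatory)] [string]   $OwnerUpn,
        [Parameter(Mandatory)] [object[]] $Permissions
    )
    foreach ($p in $Permissions) {
        # The owner's own entry and inherited (default) entries are not findings
        if ($p.User -eq 'NT AUTHORITY\SELF') { continue }
        if ($p.User -eq $OwnerUpn)           { continue }
        if ($p.IsInherited)                  { continue }
        # AccessRights is a collection: test membership rather than comparing with -ne
        [PSCustomObject]@{
            Mailbox       = $OwnerUpn
            NonOwner      = $p.User
            AccessRights  = ($p.AccessRights -join ',')
            HasFullAccess = ($p.AccessRights -contains 'FullAccess')
            Deny          = [bool]$p.Deny
            Orphaned      = ($p.User -match '^S-1-5-')   # SID of a deleted account
        }
    }
}

# Constructed sample entries (hypothetical owner, delegates and SID)
$sample = @(
    [PSCustomObject]@{ User='NT AUTHORITY\SELF'; AccessRights=@('FullAccess','ReadPermission'); IsInherited=$false; Deny=$false }
    [PSCustomObject]@{ User='assistant@contoso.example'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
    [PSCustomObject]@{ User='auditor@contoso.example'; AccessRights=@('ReadPermission'); IsInherited=$false; Deny=$false }
    [PSCustomObject]@{ User='S-1-5-21-1111111111-2222222222-3333333333-4444'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
    [PSCustomObject]@{ User='Domain Admins'; AccessRights=@('FullAccess'); IsInherited=$true; Deny=$true }
)

$findings = @(Select-NonOwnerPermission -OwnerUpn 'ceo@contoso.example' -Permissions $sample)
$findings | Format-Table -AutoSize

# Sanity check of the filter against the constructed sample: SELF and the inherited
# entry are dropped, the two delegates and the orphaned SID remain
if ($findings.Count -ne 3) { throw "unexpected finding count: $($findings.Count)" }
if (-not ($findings | Where-Object Orphaned)) { throw "orphaned SID was not flagged" }
```

Entries whose HasFullAccess or Orphaned column is true are the ones to review first when the same filter is applied to real Get-MailboxPermission output.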