Auditing Non-Owner Mailbox Access in Exchange Online with PowerShell
Overview
Maintaining strict control over mailbox permissions is crucial for safeguarding sensitive information within an organization. Non-owner access to mailboxes can pose security risks if not properly monitored. This article presents a PowerShell script that audits non-owner access permissions across all mailboxes in Exchange Online.
The script helps administrators identify instances where non-owners have access to mailboxes, allowing for a thorough review of permissions and ensuring that access rights are aligned with organizational policies.
Security Monitoring Features
| Feature | Capability | Business Value |
|---|---|---|
| Comprehensive Permission Audit | Scans all user mailboxes for non-owner access rights | Identifies potential security risks and unauthorized access |
| Access Right Classification | Filters out standard self-access permissions | Focuses on genuine security concerns rather than normal operations |
| Detailed Permission Reporting | Captures user, rights, deny status, and inheritance | Provides complete visibility into mailbox permission structure |
| Export Capability | Generates CSV reports for compliance documentation | Supports audit trails and security reviews |
Implementation Script
```powershell
# Connect to Exchange Online
Connect-ExchangeOnline

# Function to check non-owner access permissions
function Check-NonOwnerAccess {
    # Get all user mailboxes
    $mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

    # Prepare an array to hold the non-owner access information
    $nonOwnerAccessInfo = @()

    foreach ($mailbox in $mailboxes) {
        $mailboxPermissions = Get-MailboxPermission -Identity $mailbox.Identity

        foreach ($permission in $mailboxPermissions) {
            # Skip the owner's own entries (reported as NT AUTHORITY\SELF) and keep
            # everything else. FullAccess grants to other users are kept deliberately:
            # they are the most significant non-owner permissions to review.
            if ($permission.User -ne $mailbox.Identity -and
                $permission.User -ne "NT AUTHORITY\SELF") {
                $nonOwnerAccessInfo += [PSCustomObject]@{
                    Mailbox         = $mailbox.PrimarySmtpAddress
                    NonOwner        = $permission.User
                    # AccessRights is a collection; join it so it exports cleanly to CSV
                    AccessRights    = ($permission.AccessRights -join ",")
                    Deny            = $permission.Deny
                    InheritanceType = $permission.InheritanceType
                }
            }
        }
    }

    return $nonOwnerAccessInfo
}

# Check the non-owner access permissions
$nonOwnerAccessResults = Check-NonOwnerAccess

# Display the non-owner access information
$nonOwnerAccessResults | Format-Table -AutoSize

# Optionally export to CSV
$nonOwnerAccessResults | Export-Csv -Path "NonOwnerAccessResults.csv" -NoTypeInformation
Write-Output "Non-owner access results exported to NonOwnerAccessResults.csv"

# Disconnect from Exchange Online
Disconnect-ExchangeOnline -Confirm:$false
```

Security Analysis
Critical Finding: Regular non-owner access audits help prevent data breaches and ensure compliance with data protection regulations.
Interpretation Guidelines
Access Rights to Monitor
- ReadAccess: Ability to read email content
- WriteAccess: Ability to modify email content
- DeleteAccess: Ability to remove emails
Action Required When Issues Found
- Verify Legitimate Access: Confirm business justification for each permission
- Document Exceptions: Maintain records of approved non-owner access
- Remove Unnecessary Permissions: Revoke access that is no longer required
- Implement Monitoring: Set up alerts for future permission changes
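The last step, monitoring for permission changes between scheduled audits, can be driven from the unified audit log. The following is an added example, not part of the original article: it pulls recent Add-MailboxPermission and Add-RecipientPermission events, parses the logged cmdlet parameters, and flags grants that are not on a documented exceptions list. It assumes Connect-ExchangeOnline has already run, that unified audit logging is enabled for the tenant, and that AuditData records cmdlet parameters as Name/Value pairs; the approved-delegations list is a constructed placeholder.

```powershell
# Added example (not the article's script). Assumes an existing Exchange Online
# session and unified audit logging enabled for the tenant.

# Constructed placeholder for the "Document Exceptions" register; replace with real data.
$approvedDelegations = @(
    @{ Mailbox = 'shared-finance@contoso.example'; User = 'alice@contoso.example' }
)

function Get-RecentMailboxPermissionGrants {
    param([int]$Days = 7)

    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # Add-MailboxPermission logs mailbox rights such as FullAccess;
    # Add-RecipientPermission logs SendAs grants.
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeAdmin `
        -Operations 'Add-MailboxPermission', 'Add-RecipientPermission' `
        -ResultSize 5000

    foreach ($record in $records) {
        $data = $record.AuditData | ConvertFrom-Json

        # Assumption: cmdlet parameters appear in AuditData as Name/Value pairs.
        $params = @{}
        foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

        # Add-MailboxPermission names the grantee in -User, Add-RecipientPermission in -Trustee.
        $grantee = if ($params['User']) { $params['User'] } else { $params['Trustee'] }

        $isApproved = [bool]($approvedDelegations | Where-Object {
            $_.Mailbox -eq $params['Identity'] -and $_.User -eq $grantee })

        [PSCustomObject]@{
            When         = $data.CreationTime
            ChangedBy    = $data.UserId      # admin account that ran the cmdlet
            Operation    = $data.Operation
            Mailbox      = $params['Identity']
            GrantedTo    = $grantee
            AccessRights = $params['AccessRights']
            Approved     = $isApproved
        }
    }
}

# Grants absent from the exceptions register are the ones to escalate.
Get-RecentMailboxPermissionGrants -Days 7 |
    Where-Object { -not $_.Approved } |
    Format-Table -AutoSize
```

Scheduling this query and routing its output to a ticket or alert channel turns the one-off audit above into continuous monitoring.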