Script to Export Mailbox Permissions in Exchange Online to CSV
Exchange Online Mailbox Permissions Export Script
Overview
This PowerShell script audits mailbox permissions across your Exchange Online environment. It retrieves all mailboxes and their associated permissions, excludes self-permissions (NT AUTHORITY\SELF), and joins the two data sets to produce a detailed permission report for security audits, compliance reviews, and access management analysis.
Key Features
| Feature | Capability | Business Value |
|---|---|---|
| Comprehensive Permission Scan | Retrieves permissions for all mailboxes organization-wide | Provides complete visibility into access rights |
| Self-Permission Filtering | Excludes NT AUTHORITY\SELF permissions automatically | Reduces noise in audit reports |
| Data Join Operations | Performs left joins between mailboxes and permissions | Creates consolidated, readable permission reports |
| CSV Export Functionality | Exports detailed reports to specified CSV path | Enables further analysis and documentation |
| Contact Information Mapping | Includes PrimarySmtpAddress for user identification | Improves report readability and user mapping |
Script Configuration
Prerequisites
- Exchange Online PowerShell module installed
- Exchange Administrator or appropriate permissions
- Join-Object module (if not built-in)
- Sufficient disk space for export files
Required Variables
```powershell
$ExportPath = 'C:\Users\xxxxar\Desktop\perm.csv' # Output file path
```
Implementation Script
```powershell
# Assumes an Exchange Online session is already open (Connect-ExchangeOnline)
# and that a module providing Join-Object is installed.

# Define export path for the permissions report
$ExportPath = 'C:\Users\xxxxar\Desktop\perm.csv'

# Retrieve all mailboxes in the organization
$mailboxes = Get-Mailbox -ResultSize unlimited

# Collect permissions for each mailbox (capturing the loop output avoids
# the repeated array copies that += causes on large tenants)
$MailboxPermission = @(foreach ($mailbox in $mailboxes) {
    $mailbox | Get-MailboxPermission
})

# Configure join parameters for data consolidation
$param = @{
    LeftObject  = $MailboxPermission | Where-Object User -ne "NT AUTHORITY\SELF"
    RightObject = $mailboxes | Select-Object @{Name="Identity";Expression={$_.Id}}, PrimarySmtpAddress
    On          = 'Identity'
    JoinType    = 'Left'
}

# Perform left join to consolidate mailbox and permission data
$output = Join-Object @param

# Format output with custom property names; multiple rights are joined with
# commas so each CSV cell stays on a single line
$output = $output | Select-Object @{N="PermissionNoMailbox";E={$_.PrimarySmtpAddress}},
    @{N="AccessRights";E={$_.AccessRights -join ','}},
    User

# Export results to CSV file (no #TYPE header line on Windows PowerShell 5.1)
$output | Export-Csv -Path $ExportPath -NoTypeInformation -Force
```
Execution Process
1. Data Collection Phase
- Retrieves all mailboxes using `Get-Mailbox -ResultSize unlimited`
- Collects mailbox permissions for each mailbox using `Get-MailboxPermission`
- Filters out self-permissions to reduce report noise
2. Data Processing Phase
- Creates join parameters for intelligent data consolidation
- Performs left join operation between mailbox and permission data
- Maps PrimarySmtpAddress for user identification and readability
3. Export Phase
- Formats output with custom property names for clarity
- Exports consolidated data to CSV file at specified path
- Generates audit-ready report for compliance and analysis
Export Data Structure
CSV Output Columns
| Column Name | Description | Business Value |
|---|---|---|
| PermissionNoMailbox | Primary SMTP address of mailbox owner | Enables user identification and contact |
| AccessRights | Permission levels assigned (FullAccess, etc.) | Shows exact access capabilities |
| User | User or group granted permissions | Identifies who has access to each mailbox |
Sample Output Format
```text
PermissionNoMailbox,AccessRights,User
user1@company.com,"FullAccess",admin@company.com
user2@company.com,"FullAccess",helpdesk@company.com
shared@company.com,"FullAccess,ReadPermission",team@company.com
```
Business Applications
Security Auditing
- Identify excessive permissions across mailbox infrastructure
- Detect unauthorized access configurations
- Review delegation practices for compliance requirements
Compliance Management
- Generate audit reports for regulatory compliance
- Document access controls for internal and external auditors
- Track permission changes over time for security monitoring
Access Management
- Review current permission assignments for cleanup opportunities
- Identify orphaned permissions from departed employees
- Optimize delegation models for better security posture
Best Practices
Report Generation
- Schedule regular exports for ongoing monitoring
- Use timestamped filenames for historical tracking
- Store reports securely with appropriate access controls
Data Analysis
- Review permissions quarterly for security hygiene
- Investigate unusual permission patterns immediately
- Document business justifications for non-standard permissions
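The following is an added example, not part of the original script: it compares two exported reports to surface permission grants added or removed between runs, and flags trustees that appear as unresolved SIDs, which is assumed here to indicate a deleted account. The sample CSV rows, the SID value, and the function names `Compare-PermissionSnapshot` and `Get-UnresolvedTrustee` are constructed for illustration.

```powershell
# Constructed sample snapshots in the column layout this page's script exports.
$previousCsv = @'
PermissionNoMailbox,AccessRights,User
user1@company.com,FullAccess,admin@company.com
shared@company.com,"FullAccess,ReadPermission",team@company.com
'@
$currentCsv = @'
PermissionNoMailbox,AccessRights,User
user1@company.com,FullAccess,admin@company.com
shared@company.com,"FullAccess,ReadPermission",team@company.com
user2@company.com,FullAccess,helpdesk@company.com
shared@company.com,FullAccess,S-1-5-21-1111111111-2222222222-3333333333-1104
'@

function Compare-PermissionSnapshot {
    param([object[]] $Previous, [object[]] $Current)
    # Compare on all three columns: a changed AccessRights value then shows up
    # as one Removed row plus one Added row for the same mailbox and trustee.
    $columns = 'PermissionNoMailbox', 'AccessRights', 'User'
    $diff = Compare-Object -ReferenceObject $Previous -DifferenceObject $Current -Property $columns
    foreach ($row in $diff) {
        [pscustomobject]@{
            Change       = if ($row.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            Mailbox      = $row.PermissionNoMailbox
            AccessRights = $row.AccessRights
            User         = $row.User
        }
    }
}

function Get-UnresolvedTrustee {
    param([object[]] $Report)
    # Assumption: a trustee that no longer resolves to an account is listed
    # by its raw SID instead of a name or address.
    $Report | Where-Object { $_.User -match '^S-1-5-21-' }
}

# In practice these would come from Import-Csv on two timestamped report files.
$previous = $previousCsv | ConvertFrom-Csv
$current  = $currentCsv  | ConvertFrom-Csv

Compare-PermissionSnapshot -Previous $previous -Current $current | Format-Table -AutoSize
Get-UnresolvedTrustee -Report $current | Format-Table -AutoSize
```

With the constructed data, the comparison reports two Added rows (the new grant on user2@company.com and the SID entry on shared@company.com), and the second function returns the SID row as a cleanup candidate.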
Performance Optimization
- Run during off-peak hours for large organizations
- Consider batch processing for very large mailbox counts
- Monitor script execution for timeout issues in complex environments
Security Considerations
Data Protection
- Handle permission reports as sensitive security data
- Implement appropriate access controls on exported files
- Secure transmission when sharing reports with auditors
Privacy Compliance
- Ensure compliance with data protection regulations
- Minimize data retention for permission reports
- Document processing purposes for GDPR/CCPA compliance
Conclusion
Key Takeaway: This script provides essential visibility into mailbox permissions across your Exchange Online environment, enabling effective security auditing, compliance management, and access control optimization.
Ideal for: Security administrators, compliance officers, and IT managers who need to regularly audit and document mailbox access permissions for security, compliance, or operational purposes.