Introduction
In Microsoft 365 environments, managing mailbox permissions is crucial for compliance, security, and collaboration. This blog post explains how to use a simple PowerShell script to check whether a specific user has ‘Full Access’ and ‘Send As’ permissions on shared mailboxes. We’ll walk through the script line by line, explain what each part does, and show what the results look like. This guide is ideal for IT admins looking to automate mailbox permission audits.
Prerequisites
Before running the script, make sure you meet the following requirements:
– You must be connected to Exchange Online PowerShell.
– The user account running the script must have permission to view mailbox permissions.
– A CSV file containing shared mailbox email addresses is required.
PowerShell Script Overview
Here is the complete script to check if a user has Full Access and Send As permissions on shared mailboxes:
```powershell
# Requires an active Exchange Online PowerShell session (see Prerequisites)

# Set the user email address to check
$userToCheck = "UserEmailAddress"

# Input CSV with shared mailbox addresses (column header: SMBEmailAddress)
$inputCsv = "C:\Users\Desktop\SharedMailboxesDetails.csv"

# Output CSV for results
$outputCsv = "C:\Users\Desktop\Information.csv"

# Import shared mailboxes
$mailboxes = Import-Csv -Path $inputCsv

# Array to store results
$results = @()

foreach ($mailbox in $mailboxes) {
    $mailboxEmail = $mailbox.SMBEmailAddress

    # Check Full Access
    # Note: with -ErrorAction SilentlyContinue, a mailbox that cannot be read is reported as "No"
    $hasFullAccess = Get-MailboxPermission -Identity $mailboxEmail -ErrorAction SilentlyContinue | Where-Object {
        $_.User -eq $userToCheck -and $_.AccessRights -contains "FullAccess"
    }

    # Check Send As
    $hasSendAs = Get-RecipientPermission -Identity $mailboxEmail -ErrorAction SilentlyContinue | Where-Object {
        $_.Trustee -eq $userToCheck -and $_.AccessRights -contains "SendAs"
    }

    # Store result
    $results += [PSCustomObject]@{
        Mailbox    = $mailboxEmail
        FullAccess = if ($hasFullAccess) { "Yes" } else { "No" }
        SendAs     = if ($hasSendAs) { "Yes" } else { "No" }
    }
}

# Export to CSV
$results | Export-Csv -Path $outputCsv -NoTypeInformation
Write-Host "✅ Report exported to $outputCsv"
```
Line-by-Line Script Explanation
- **$userToCheck = "UserEmailAddress"**
Defines the email address of the user whose permissions you want to check.
- **$inputCsv = "…"**
Specifies the path to the input CSV file that contains shared mailbox email addresses.
- **$outputCsv = "…"**
Defines where the script will save the results as a CSV file.
- **Import-Csv -Path $inputCsv**
Reads the shared mailbox email addresses from the input CSV file.
- **foreach ($mailbox in $mailboxes)**
Loops through each mailbox in the CSV.
- **$mailbox.SMBEmailAddress**
Extracts the email address from each row in the CSV file.
- **Get-MailboxPermission**
Checks if the specified user has Full Access permission.
- **Get-RecipientPermission**
Checks if the user has Send As permission on the shared mailbox.
- **$results += [PSCustomObject]@{…}**
Builds a result object for each mailbox with permission status.
- **Export-Csv**
Exports the final result to a CSV file for easy reporting.
- **Write-Host**
Displays a confirmation message once the script is done.
Sample Output
After running the script, the output CSV file might look like this:
```
Mailbox,FullAccess,SendAs
shared1@domain.com,Yes,No
shared2@domain.com,No,Yes
shared3@domain.com,Yes,Yes
```
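The script's `Where-Object` filters count any entry that names the user, including Deny entries, and `-ErrorAction SilentlyContinue` turns a mailbox that could not be read into a "No". The PowerShell below is an added example, not part of the original script, that reports those cases separately; `Test-IsDeny`, `Get-AccessVerdict`, the verdict strings and the sample entries are hypothetical names and constructed data, so it runs without an Exchange Online session.

```powershell
# Added example. Sample entries are constructed; property names follow the
# output of Get-MailboxPermission (User, Deny, IsInherited) and
# Get-RecipientPermission (Trustee, AccessControlType, IsInherited).
function Test-IsDeny($Ace) {
    ($Ace.Deny -eq $true) -or ("$($Ace.AccessControlType)" -eq 'Deny')
}

function Get-AccessVerdict {
    param(
        [scriptblock]$Lookup,  # returns permission entries; throws if the lookup fails
        [string]$User,
        [string]$Right         # 'FullAccess' or 'SendAs'
    )
    try   { $aces = @(& $Lookup) }
    catch { return 'LookupFailed' }   # a failed lookup is not the same finding as "No"

    # Entries that name the user (User or Trustee) and carry the requested right
    $hits = @($aces | Where-Object {
        ("$($_.User)", "$($_.Trustee)") -contains $User -and
        @($_.AccessRights) -contains $Right
    })
    if ($hits.Count -eq 0)                            { return 'No' }
    if ($hits | Where-Object { Test-IsDeny $_ })      { return 'DenyEntry' }
    if ($hits | Where-Object { -not $_.IsInherited }) { return 'Yes' }
    return 'Yes (inherited)'
}

# Constructed lookups standing in for the live call, e.g.
#   { Get-MailboxPermission -Identity $mbx -ErrorAction Stop }
$u = 'auditee@example.com'
$lookups = [ordered]@{
    'shared1@example.com' = { [pscustomobject]@{ User = 'auditee@example.com'; AccessRights = @('FullAccess'); Deny = $false; IsInherited = $false } }
    'shared2@example.com' = { [pscustomobject]@{ User = 'auditee@example.com'; AccessRights = @('FullAccess'); Deny = $true;  IsInherited = $false } }
    'shared3@example.com' = { [pscustomobject]@{ User = 'other@example.com';   AccessRights = @('FullAccess'); Deny = $false; IsInherited = $false } }
    'missing@example.com' = { throw 'mailbox not found' }
}

foreach ($mbx in $lookups.Keys) {
    [pscustomobject]@{
        Mailbox    = $mbx
        FullAccess = Get-AccessVerdict -Lookup $lookups[$mbx] -User $u -Right 'FullAccess'
    }
}
```

For Send As, pass a lookup that calls `Get-RecipientPermission` with `-ErrorAction Stop` and set `-Right 'SendAs'`.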
Conclusion
This PowerShell script is a handy tool for checking mailbox permissions across your organization. It helps you quickly audit whether a given user has Full Access or Send As rights on each shared mailbox. Make sure you customize the paths and user values to suit your environment. Automating such tasks not only saves time but also ensures compliance with your organization’s security policies.