Lists all Exchange permissions of a single user, a batch of users, or all users in the tenant.
Tested against O365 Exchange Online.
- Mailbox level (assigned by tenant/mailbox administrator)
- SendAs
- SendOnBehalf
- Folder (Top of Information Store, Inbox, Sent Items, Calendar, etc). These are user-assigned permissions.
You can use this module to list out all mailboxes where users gave Read (Owner, FullAccess, etc) permissions to Everyone or similar roles, thereby exposing their mailbox to other members in the organization.
- Use Windows PowerShell 5.1.
- Install the module by invoking it or dot-sourcing it:

    iex((iwr https://raw.githubusercontent.com/daniel0x00/Invoke-MailboxAudit/master/Invoke-MailboxAudit.ps1 -UseBasicParsing).content)

- Run the cmdlet as shown below.
MFA support:
Does your admin account use multi-factor authentication?
If so, load this script in the dedicated "Microsoft Exchange Online Remote PowerShell Module" Windows PowerShell console and pass the -MFA switch to the cmdlet.
    PS C:\> $c = Get-Credential
    PS C:\> 'user2','user5','mike' | Invoke-MailboxAudit -Credential $c -Verbose | Format-Table -AutoSize

    User              GrantedUser                                  AccessType                                       Permission                            Details
    ----              -----------                                  ----------                                       ----------                            -------
    [email protected] Default                                      Folder:Inbox (Inbox)                             Owner
    [email protected] Default                                      Folder:Top of Information Store                  ReadItems, FolderOwner, FolderVisible
    [email protected] Default                                      Folder:subIBX - rare& \characters (User Created) DeleteOwnedItems
    [email protected] "[email protected]" [SMTP:[email protected]] ForwardRule                                      Enabled                               If the message:...
    user5             [email protected]                            MailboxPermission                                FullAccess
    user5             [email protected]                            MailboxPermission                                FullAccess
    [email protected] user5, user2                                 SendOnBehalf                                     Granted
    mike              [email protected]                            MailboxSendAs                                    SendAs
    mike              [email protected]                            MailboxSendAs                                    SendAs
    [email protected] user2                                        Folder:Inbox (Inbox)                             Editor

Note: The -Proxy switch forces the cmdlet to use the default proxy settings configured on the computer where the cmdlet runs.
    PS C:\> $c = Get-Credential
    PS C:\> Import-Csv .\Users.csv | Invoke-MailboxAudit -Credential $c -MFA -Proxy -SkipMailboxPermission -SkipForwardingRules -Folder Inbox,Calendar,SentItems -Verbose

    PS C:\> $c = Get-Credential
    PS C:\> Invoke-MailboxAudit -Credential $c -Identity a* -SkipMailboxPermission -Verbose

List all the permissions for all users in the tenant, for the Inbox and Sent Items folders, skipping all child user-created folders as well as forwarding rules:

    PS C:\> $c = Get-Credential
    PS C:\> 97..(97+25) | select @{n='Identity';e={[char]$_+'*'}} | Invoke-MailboxAudit -Credential $c -Proxy -SkipMailboxPermission -SkipUserCreatedFolder -SkipForwardingRule -SkipSendAsPermission -Folder Inbox,SentItems -Verbose
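
The check mentioned earlier (mailbox folders readable by Everyone-style grantees), as an added example that is not part of Invoke-MailboxAudit: it filters rows shaped like the sample output table for folder grants to Default or Anonymous that include read access. The property names are assumed from that table's column headers, the function name `Select-ExposedFolder` is hypothetical, and the sample rows and addresses are constructed.

```powershell
# Added example, not the module's own code. Assumes each record exposes the
# User, GrantedUser, AccessType and Permission properties seen in the sample table.

# Exchange folder roles that include the ReadItems right, plus the right itself.
$ReadGrants = 'Owner','PublishingEditor','Editor','PublishingAuthor','Author',
              'NonEditingAuthor','Reviewer','ReadItems'
# Default applies to every authenticated user in the organization; Anonymous to outsiders.
$BroadGrantees = 'Default','Anonymous'

function Select-ExposedFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    process {
        # Only folder rows are user-assigned; skip MailboxPermission, SendAs, ForwardRule...
        if ($Record.AccessType -notlike 'Folder:*') { return }
        if ($Record.GrantedUser -notin $BroadGrantees) { return }
        # Permission may be one role name or a list of rights (string or array).
        $rights = $Record.Permission -split ',' | ForEach-Object { $_.Trim() }
        $hits = @($rights | Where-Object { $_ -in $ReadGrants })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                User        = $Record.User
                GrantedUser = $Record.GrantedUser
                Folder      = $Record.AccessType -replace '^Folder:', ''
                ReadVia     = $hits -join ', '
            }
        }
    }
}

# Constructed sample rows (placeholder addresses), shaped like the cmdlet's output.
$sample = @(
    [pscustomobject]@{ User='user2@example.com'; GrantedUser='Default'; AccessType='Folder:Inbox (Inbox)'; Permission='Owner' }
    [pscustomobject]@{ User='user5@example.com'; GrantedUser='Default'; AccessType='Folder:Top of Information Store'; Permission='ReadItems, FolderOwner, FolderVisible' }
    [pscustomobject]@{ User='user5@example.com'; GrantedUser='Default'; AccessType='Folder:Drafts2 (User Created)'; Permission='DeleteOwnedItems' }
    [pscustomobject]@{ User='mike@example.com';  GrantedUser='user2';   AccessType='Folder:Inbox (Inbox)'; Permission='Editor' }
    [pscustomobject]@{ User='user5';             GrantedUser='mike@example.com'; AccessType='MailboxPermission'; Permission='FullAccess' }
)

# Only the first two rows are reported: broad grantee plus a read-capable role or right.
$sample | Select-ExposedFolder | Format-Table -AutoSize
```

Rows granted to a named user (the Editor and FullAccess rows in the sample) are deliberately left out; they are delegations to review separately, not organization-wide exposure.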