nav2567

list permission of each O365 mailbox using PowerShell

Hello,

I am trying to use the below script to list the other user(s) who have permission on each mailbox.

The base O365 PS cmdlet I use is for example: get-mailboxpermission -identity user1@abc.com and I get

Identity User              AccessRights                 IsInherited Deny
-------- ----              ------------                 ----------- ----
user1    NT AUTHORITY\SELF {FullAccess, ReadPermission} False       False
user1    user2@abc.com     {FullAccess}                 False       False

************************************************************************************************************************************************************************

$datapath = "C:\scripts\results.csv"
$result = @()

Get-MsolUser -All | ForEach-Object {  
    $UPN = $_.userprincipalname
    $getmailboxpermission = get-mailboxpermission -identity $UPN

    [PSCustomObject]([ordered]@{
        Permission = $getmailboxpermission
       })
} | export-csv -NoTypeInformation -path $datapath

When I incorporate the cmdlet into the above script, I am just getting something like this in the Permission column.  

Permission
System.Object[]
Microsoft.Exchange.Management.RecipientTasks.MailboxAcePresentationObject
System.Object[]
Microsoft.Exchange.Management.RecipientTasks.MailboxAcePresentationObject
System.Object[]

Please advise.  Thanks!

oBdA

That happens because you stuffed the results into a new object with a single property.
Can't test it at the moment, but you should be able to feed the results from Get-MsolUser directly to Get-MailboxPermission; from there, you can export the results pretty much directly.
Try it like this:
$datapath = "C:\scripts\results.csv"
Get-MsolUser -All |
	Get-MailboxPermission |
	Select-Object -Property Identity, User, @{n='AccessRights'; e={$_.AccessRights -join ', '}}, IsInherited, Deny |
	Export-Csv -NoTypeInformation -Path $datapath

nav2567

ASKER

Thanks, oBdA!

I need to add more queries in my script such as department, title, forwarding address and so on and adding get-mailbox, get-msoluser...

Is it possible for you to incorporate your cmdlet "Get-MailboxPermission |
   Select-Object -Property Identity, User, @{n='AccessRights'; e={$_.AccessRights -join ', '}}, IsInherited, Deny " into my sample script?


$datapath = "C:\scripts\results.csv"
$result = @()

Get-MsolUser -All | ForEach-Object {  
    $UPN = $_.userprincipalname
    $getmailboxpermission = get-mailboxpermission -identity $UPN

    [PSCustomObject]([ordered]@{
        Permission = $getmailboxpermission
       })
} | export-csv -NoTypeInformation -path $datapath


oBdA

How do you envision this? As you can see from your output example, the permissions come as a complex object that contains an array, and each array item itself contains, aside from the trustee, multiple permissions as well as the Inherited and Deny flags. How is that supposed to be squeezed in a meaningful way into a single cell of the csv export you're trying to get?
Identity User              AccessRights                 IsInherited Deny
-------- ----              ------------                 ----------- ----  
user1    NT AUTHORITY\SELF {FullAccess, ReadPermission} False       False
user1    user2@abc.com     {FullAccess}                 False       False

nav2567

ASKER

Ok, oBdA.  I get it and I am with you now.  

I will let you know my test result.

I appreciate your help!!!

nav2567

ASKER

Hi oBdA, I am getting this error when running the script.  When you get a chance, please advise again.  Thanks!

[User generated image]

oBdA

Then try it like this:
$datapath = "C:\scripts\results.csv"
Get-MsolUser -All |
	ForEach-Object {Get-MailboxPermission -Identity $_.UserPrincipalName} |
	Select-Object -Property Identity, User, @{n='AccessRights'; e={$_.AccessRights -join ', '}}, IsInherited, Deny |
	Export-Csv -NoTypeInformation -path $datapath

nav2567

ASKER

The script went well but all of a sudden I am seeing this.  I am going to try this again on another computer.

[User generated image]

oBdA

The Get-MsolUser might run into a timeout, depending on the speed of Get-MailboxPermission and the number of accounts involved.
If that error wasn't a one-off, try this:
$datapath = "C:\scripts\results.csv"
$msolUsers = Get-MsolUser -All
$msolUsers |
	ForEach-Object {Get-MailboxPermission -Identity $_.UserPrincipalName} |
	Select-Object -Property Identity, User, @{n='AccessRights'; e={$_.AccessRights -join ', '}}, IsInherited, Deny |
	Export-Csv -NoTypeInformation -path $datapath

nav2567

ASKER

It works, thanks.  
[User generated image]

One last question I would like to learn regarding this question, if you don't mind.  If I want to add a column that shows me whether the mailbox in the identity is a shared or a user mailbox, do you think the below would work?

$datapath = "C:\scripts\results.csv"
Get-MsolUser -All |
    ForEach-Object {Get-MailboxPermission -Identity $_.UserPrincipalName} {get-mailbox -identity $_UserPrincipalName} |
    Select-Object -Property Identity, RecipientType, User ,@{n='AccessRights'; e={$_.AccessRights -join ', '}}, IsInherited, Deny |
    Export-Csv -NoTypeInformation -path $datapath

$datapath = "C:\Ed - JHMC\PS\O365\getuserpermission\results.csv"
Get-MsolUser -All |
    ForEach-Object {Get-MailboxPermission -Identity $_.UserPrincipalName} {get-mailbox -identity $_UserPrincipalName} |
    Select-Object -Property Identity, RecipientType, User ,@{n='AccessRights'; e={$_.AccessRights -join ', '}}, IsInherited, Deny |
    Export-Csv -NoTypeInformation -path $datapath

ASKER CERTIFIED SOLUTION

oBdA

nav2567

ASKER

Thank you so much!!!
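
Added example (not part of the thread, and not the members-only solution): one way to put a mailbox-type column beside each permission entry is to emit one row per mailbox/trustee pair, which also makes the CSV usable for a delegation review. `ConvertTo-PermissionRow` is a hypothetical helper, the sample objects are constructed to mirror the output in the question, and the commented pipeline assumes a connected Exchange Online session; `RecipientTypeDetails` is used because `RecipientType` reads `UserMailbox` for shared mailboxes as well.

```powershell
# Hypothetical helper: flattens the permission entries of one mailbox into
# CSV-friendly rows, repeating the mailbox-level columns on every row.
function ConvertTo-PermissionRow {
    param(
        [Parameter(Mandatory)] $Mailbox,        # shaped like Get-Mailbox output
        [Parameter(Mandatory)] [AllowEmptyCollection()]
        [object[]] $Permission                  # shaped like Get-MailboxPermission output
    )
    foreach ($ace in $Permission) {
        # Keep only explicit grants to *other* principals: drop the owner's
        # own entry and anything inherited.
        if ([string]$ace.User -eq 'NT AUTHORITY\SELF' -or $ace.IsInherited) { continue }

        [PSCustomObject][ordered]@{
            Mailbox      = $Mailbox.UserPrincipalName
            MailboxType  = $Mailbox.RecipientTypeDetails   # UserMailbox / SharedMailbox / ...
            ForwardingTo = $Mailbox.ForwardingSmtpAddress
            Trustee      = [string]$ace.User
            AccessRights = $ace.AccessRights -join ', '    # array -> single cell
            Deny         = $ace.Deny
        }
    }
}

# Constructed sample data mirroring the output shown in the question.
$sampleMailbox = [PSCustomObject]@{
    UserPrincipalName     = 'user1@abc.com'
    RecipientTypeDetails  = 'SharedMailbox'
    ForwardingSmtpAddress = $null
}
$samplePermissions = @(
    [PSCustomObject]@{ User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [PSCustomObject]@{ User = 'user2@abc.com';     AccessRights = @('FullAccess');                   IsInherited = $false; Deny = $false }
)

# Yields a single row: user2@abc.com has FullAccess on shared mailbox user1@abc.com.
ConvertTo-PermissionRow -Mailbox $sampleMailbox -Permission $samplePermissions |
    Format-Table -AutoSize

# Against a live tenant, iterating mailboxes rather than all MSOL users avoids
# lookups for accounts that have no mailbox:
# Get-Mailbox -ResultSize Unlimited | ForEach-Object {
#     ConvertTo-PermissionRow -Mailbox $_ -Permission @(Get-MailboxPermission -Identity $_.UserPrincipalName)
# } | Export-Csv -NoTypeInformation -Path 'C:\scripts\results.csv'
```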