Auditing Non-Owner Mailbox Access in Exchange Online with PowerShell
Maintaining strict control over mailbox permissions is crucial for safeguarding sensitive information within an organization. Rights such as FullAccess granted to someone other than the mailbox owner give that person the owner's entire mail history, are a standard persistence and data-access path after an account compromise, and tend to outlive the business need that created them, so they have to be reviewed regularly. This article presents a PowerShell script that audits non-owner access permissions across all user mailboxes in Exchange Online.
The script walks every user mailbox with Get-MailboxPermission, records each entry granted to a principal other than the mailbox owner, and writes the result to a CSV so that administrators can compare the grants found in the tenant with the access the organization has actually approved.
Here is the script:
```powershell
# Connect to Exchange Online (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline

# Function to collect non-owner access permissions on every user mailbox
function Check-NonOwnerAccess {
    # Get all user mailboxes
    $mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

    # Prepare a list to hold the non-owner access information
    # (a List avoids rebuilding an array with += on every match)
    $nonOwnerAccessInfo = [System.Collections.Generic.List[object]]::new()

    foreach ($mailbox in $mailboxes) {
        # Query by SMTP address: it is unique, whereas a display-name Identity can
        # match several mailboxes and make Get-MailboxPermission fail
        $mailboxPermissions = Get-MailboxPermission -Identity $mailbox.PrimarySmtpAddress

        foreach ($permission in $mailboxPermissions) {
            # Skip the owner's own entry and inherited (default) entries; keep every
            # explicit grant to another principal, FullAccess included, since that is
            # the right an auditor most needs to see
            if ($permission.User -eq 'NT AUTHORITY\SELF') { continue }
            if ($permission.IsInherited) { continue }

            $nonOwnerAccessInfo.Add([PSCustomObject]@{
                Mailbox         = $mailbox.PrimarySmtpAddress
                NonOwner        = $permission.User
                # AccessRights is an array; join it so it survives Export-Csv intact
                AccessRights    = ($permission.AccessRights -join ', ')
                Deny            = $permission.Deny
                InheritanceType = $permission.InheritanceType
            })
        }
    }

    return $nonOwnerAccessInfo
}

# Check the non-owner access permissions
$nonOwnerAccessResults = Check-NonOwnerAccess

# Display the non-owner access information
$nonOwnerAccessResults | Format-Table -AutoSize

# Optionally export to CSV
$nonOwnerAccessResults | Export-Csv -Path 'NonOwnerAccessResults.csv' -NoTypeInformation
Write-Output 'Non-owner access results exported to NonOwnerAccessResults.csv'

# Disconnect from Exchange Online
Disconnect-ExchangeOnline -Confirm:$false
```
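Mailbox ACL entries are only one of three ways a non-owner can act on a mailbox in Exchange Online: SendAs lives on the recipient object and is returned by Get-RecipientPermission, not Get-MailboxPermission, and Send on Behalf is the GrantSendOnBehalfTo attribute of the mailbox. The following is an added example, not part of the original script, that separates the filtering logic from the cmdlets so it can be exercised offline against constructed entries shaped like the cmdlet output, and covers all three access paths. The cmdlet names in Invoke-NonOwnerAccessAudit are the real Exchange Online cmdlets; the function names, the contoso.example addresses, the SID and every sample entry below are constructed for illustration.

```powershell
# Added example (not the article's script). Filtering logic is separated from the Exchange
# Online cmdlets so it can be run offline; all sample principals, addresses and SIDs below
# are constructed, not captured from any tenant.

function ConvertTo-NonOwnerAccessRecord {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,   # primary SMTP address being audited
        [object[]] $MailboxAce   = @(),             # Get-MailboxPermission output
        [object[]] $RecipientAce = @(),             # Get-RecipientPermission output (SendAs)
        [string[]] $SendOnBehalf = @()              # GrantSendOnBehalfTo from Get-Mailbox
    )

    # Principals present on every mailbox that represent the owner or the service, not a delegate
    $systemPrincipals = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM')

    # 1. Mailbox-level rights (FullAccess, ReadPermission, ...). AccessRights is an array, so it
    #    is tested with -contains and reported joined; comparing it with -ne 'FullAccess' is wrong.
    foreach ($ace in $MailboxAce) {
        if ($ace.IsInherited -or ($systemPrincipals -contains $ace.User)) { continue }
        [PSCustomObject]@{
            Mailbox     = $Mailbox
            Principal   = [string]$ace.User
            Access      = ($ace.AccessRights -join ', ')
            Kind        = 'MailboxPermission'
            Deny        = [bool]$ace.Deny
            OrphanedSid = ([string]$ace.User -like 'S-1-5-*')   # deleted principal left on the ACL
            HighRisk    = (($ace.AccessRights -contains 'FullAccess') -and -not $ace.Deny)
        }
    }

    # 2. SendAs is stored on the recipient object, so Get-MailboxPermission never shows it;
    #    Get-RecipientPermission does, again with a SELF entry that must be skipped.
    foreach ($ace in $RecipientAce) {
        if ($ace.IsInherited -or ($systemPrincipals -contains $ace.Trustee)) { continue }
        [PSCustomObject]@{
            Mailbox     = $Mailbox
            Principal   = [string]$ace.Trustee
            Access      = ($ace.AccessRights -join ', ')
            Kind        = 'RecipientPermission'
            Deny        = ($ace.AccessControlType -eq 'Deny')
            OrphanedSid = ([string]$ace.Trustee -like 'S-1-5-*')
            HighRisk    = ($ace.AccessControlType -ne 'Deny')     # SendAs lets the delegate impersonate the owner
        }
    }

    # 3. Send on Behalf is a mailbox attribute rather than an ACL entry
    foreach ($delegate in $SendOnBehalf) {
        [PSCustomObject]@{
            Mailbox = $Mailbox; Principal = $delegate; Access = 'SendOnBehalf'
            Kind = 'GrantSendOnBehalfTo'; Deny = $false; OrphanedSid = $false; HighRisk = $false
        }
    }
}

function Invoke-NonOwnerAccessAudit {
    # Live wiring; needs an existing Connect-ExchangeOnline session. Shared mailboxes are
    # included because delegated access to them is exactly what this audit is about.
    $mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox, SharedMailbox -ResultSize Unlimited
    foreach ($mbx in $mailboxes) {
        $smtp = $mbx.PrimarySmtpAddress.ToString()    # unique, unlike a display-name Identity
        ConvertTo-NonOwnerAccessRecord -Mailbox $smtp `
            -MailboxAce   @(Get-MailboxPermission   -Identity $smtp) `
            -RecipientAce @(Get-RecipientPermission -Identity $smtp) `
            -SendOnBehalf @($mbx.GrantSendOnBehalfTo | ForEach-Object { $_.ToString() })
    }
}

# --- Offline check with constructed entries shaped like the cmdlet output ---
$sampleMailboxAce = @(
    [PSCustomObject]@{ User = 'NT AUTHORITY\SELF';        AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [PSCustomObject]@{ User = 'helpdesk@contoso.example'; AccessRights = @('FullAccess');     IsInherited = $false; Deny = $false }
    [PSCustomObject]@{ User = 'S-1-5-21-1111111111-2222222222-3333333333-1104'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [PSCustomObject]@{ User = 'auditor@contoso.example';  AccessRights = @('ReadPermission'); IsInherited = $false; Deny = $false }
    [PSCustomObject]@{ User = 'CONTOSO\Domain Admins';    AccessRights = @('FullAccess');     IsInherited = $true;  Deny = $true  }
)
$sampleRecipientAce = @(
    [PSCustomObject]@{ Trustee = 'NT AUTHORITY\SELF';         AccessControlType = 'Allow'; AccessRights = @('SendAs'); IsInherited = $false }
    [PSCustomObject]@{ Trustee = 'assistant@contoso.example'; AccessControlType = 'Allow'; AccessRights = @('SendAs'); IsInherited = $false }
)

$report = ConvertTo-NonOwnerAccessRecord -Mailbox 'ceo@contoso.example' `
    -MailboxAce $sampleMailboxAce -RecipientAce $sampleRecipientAce -SendOnBehalf @('Executive Assistant')

$report | Format-Table -AutoSize
$report | Where-Object { $_.HighRisk -or $_.OrphanedSid } |
    Export-Csv -Path 'NonOwnerAccess-HighRisk.csv' -NoTypeInformation
```

On the constructed data the two SELF entries and the inherited deny entry are dropped, the helpdesk, SID, auditor, assistant and Send on Behalf entries are reported, and only the allowed FullAccess and SendAs grants carry the HighRisk flag. The orphaned SID is reported rather than skipped: an ACL entry for a deleted principal is itself a finding, since recreating an account with the same SID is not possible but the entry shows that cleanup is not happening. Replace the offline section with a call to Invoke-NonOwnerAccessAudit inside a connected session to run it against a tenant.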