Auditing Non-Owner Mailbox Access in Exchange Online with PowerShell
Maintaining strict control over mailbox permissions is crucial for safeguarding sensitive information within an organization. Non-owner access to mailboxes can pose security risks if not properly monitored.
The script helps administrators identify instances where non-owners have access to mailboxes, allowing for a thorough review of permissions and ensuring that access rights are aligned with organizational policies.
Script
Section titled “Script”# Connect to Exchange OnlineConnect-ExchangeOnline
# Function to check non-owner access permissionsfunction Check-NonOwnerAccess { # Get all mailboxes $mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
# Prepare an array to hold the non-owner access information $nonOwnerAccessInfo = @()
foreach ($mailbox in $mailboxes) { $mailboxPermissions = Get-MailboxPermission -Identity $mailbox.Identity
foreach ($permission in $mailboxPermissions) { if ($permission.User -ne $mailbox.Identity -and $permission.User -ne "NT AUTHORITY\SELF" -and $permission.AccessRights -ne "FullAccess") { $nonOwnerAccessInfo += [PSCustomObject]@{ Mailbox = $mailbox.PrimarySmtpAddress NonOwner = $permission.User AccessRights = $permission.AccessRights Deny = $permission.Deny InheritanceType = $permission.InheritanceType } } } }
return $nonOwnerAccessInfo}
# Check the non-owner access permissions$nonOwnerAccessResults = Check-NonOwnerAccess
# Display the non-owner access information$nonOwnerAccessResults | Format-Table -AutoSize
# Optionally export to CSV$nonOwnerAccessResults | Export-Csv -Path "NonOwnerAccessResults.csv" -NoTypeInformation
Write-Output "Non-owner access results exported to NonOwnerAccessResults.csv"
# Disconnect from Exchange OnlineDisconnect-ExchangeOnline -Confirm:$false