Overview
The following levels / scopes of mailbox delegation can be configured:
- Mailbox permissions: to allow viewing items at the mailbox level (but not the right to send emails).
- Recipient SendAs permissions: to delegate the right to send emails from the mailbox (the emails transparently appear to the recipients to come from the specified mailbox).
- Recipient SendOnBehalf permissions: to delegate the right to send emails on behalf of the mailbox (and the emails will appear as such to the receiving recipients).
- Folder-level permissions: to delegate the rights to interact with items at the mailbox's folder level.
Mailbox access rights / permissions
Mailboxes are securable objects with a set of possible access rights / permissions.
The available access rights are:
- ChangeOwner: change the owner of the mailbox.
- ChangePermission: change the permissions on the mailbox.
- DeleteItem: delete the mailbox.
- ExternalAccount: indicates that the account isn't in the same domain.
- FullAccess: open the mailbox and access its contents, but not send mail.
- ReadPermission: read the permissions on the mailbox.
The permissions defined at that level allow viewing emails at the mailbox scope but do not allow sending emails (which is governed by the recipient SendAs and SendOnBehalf permissions).
# Retrieves the access rights defined on the given mailbox.
Get-MailboxPermission -Identity <EMAIL>
# Lists the mailbox permissions with FullAccess, ChangeOwner, ChangePermission, or ExternalAccount access rights.
# Note: every mailbox carries an implicit "NT AUTHORITY\SELF" FullAccess entry, which this filter also returns.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object { ($_.AccessRights -like "FullAccess" -or $_.AccessRights -like "ChangeOwner" -or $_.AccessRights -like "ChangePermission" -or $_.AccessRights -like "ExternalAccount") } | Format-List
Recipient (or SendAs) access right / permission
The Recipient, or SendAs, permission does not allow viewing emails but allows a user, or the members of a group, to send messages that appear to come from the specified mailbox. Emails sent by the mailbox owner and emails sent through a SendAs delegation are indistinguishable to the receiving end-user.
Note that the Get-EXORecipientPermission / Get-RecipientPermission cmdlets are not included by default in the cmdlets allowed for the View-Only Organization Management role group.
# Lists the mailboxes with the SendAs recipient permission.
# Note: the implicit "NT AUTHORITY\SELF" trustee also holds SendAs on every mailbox and appears in this output.
Get-Mailbox -ResultSize Unlimited | Get-EXORecipientPermission | Where-Object { ($_.AccessRights -like "SendAs") }
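The viewing and sending delegations described above (mailbox FullAccess, recipient SendAs, and SendOnBehalf) can be reviewed in a single pass. The following is an added example written for these notes, not code from the original page: it assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) and uses the real Get-Mailbox, Get-MailboxPermission and Get-RecipientPermission cmdlets together with the mailbox's GrantSendOnBehalfTo property, while the function name Get-MailboxDelegationReport and its output columns are this example's own choices. Because Get-RecipientPermission is not available to the View-Only Organization Management role group by default, the SendAs part of the sweep needs a role that includes that cmdlet.

```powershell
# Added example (not from the original notes): one report covering the three delegation
# types -- mailbox FullAccess (view), recipient SendAs (send as), and SendOnBehalf (send on
# behalf, stored in the mailbox's GrantSendOnBehalfTo property) -- with the implicit
# NT AUTHORITY\SELF entries that every mailbox carries filtered out.
# Assumes an Exchange Online PowerShell session. Function name and columns are this example's.

function Get-MailboxDelegationReport {
    param(
        # Mailbox access rights treated as "can view the mailbox contents".
        [string[]]$ViewRights = @('FullAccess', 'ChangeOwner', 'ChangePermission', 'ExternalAccount')
    )

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $smtp = $mbx.PrimarySmtpAddress.ToString()

        # 1. Mailbox-level permissions: viewing, never sending.
        foreach ($ace in Get-MailboxPermission -Identity $smtp) {
            # Inherited and Deny entries are not delegations; SELF is the owner's own access.
            if ($ace.IsInherited -or $ace.Deny -or "$($ace.User)" -eq 'NT AUTHORITY\SELF') { continue }
            # AccessRights may arrive as an array or as one "A, B" string; normalise to tokens.
            $rights = @($ace.AccessRights | ForEach-Object { "$_" -split '\s*,\s*' })
            if (-not ($rights | Where-Object { $_ -in $ViewRights })) { continue }
            [PSCustomObject]@{
                Mailbox        = $smtp
                Delegate       = "$($ace.User)"
                DelegationType = 'MailboxPermission'
                Rights         = ($rights -join ', ')
                CanView        = $true
                CanSend        = $false
            }
        }

        # 2. Recipient SendAs: mail is indistinguishable from the owner's own mail.
        foreach ($rp in Get-RecipientPermission -Identity $smtp) {
            if ($rp.AccessControlType -ne 'Allow' -or "$($rp.Trustee)" -eq 'NT AUTHORITY\SELF') { continue }
            if (-not ($rp.AccessRights -contains 'SendAs')) { continue }
            [PSCustomObject]@{
                Mailbox        = $smtp
                Delegate       = "$($rp.Trustee)"
                DelegationType = 'SendAs'
                Rights         = 'SendAs'
                CanView        = $false
                CanSend        = $true
            }
        }

        # 3. SendOnBehalf: stored on the mailbox object itself, so no extra cmdlet is needed.
        foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
            [PSCustomObject]@{
                Mailbox        = $smtp
                Delegate       = "$delegate"
                DelegationType = 'SendOnBehalf'
                Rights         = 'SendOnBehalf'
                CanView        = $false
                CanSend        = $true
            }
        }
    }
}

# Usage: export the full delegation inventory for review.
Get-MailboxDelegationReport | Export-Csv .\mailbox-delegations.csv -NoTypeInformation
```

The report keeps the three delegation types on separate rows so that a delegate holding both FullAccess and SendAs on the same mailbox (able to read and to impersonate it) is visible as two entries for the same Mailbox / Delegate pair.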
Folder-level permissions
Permissions / access rights can also be defined at the folder level in mailboxes, to grant delegates the rights to interact with items at the mailbox's folder level.
The following individual permissions are available:
- None: The user has no access to view or interact with the folder or its contents.
- CreateItems: The user can create items within the specified folder.
- CreateSubfolders: The user can create subfolders in the specified folder.
- DeleteAllItems: The user can delete all items in the specified folder.
- DeleteOwnedItems: The user can only delete items that they created from the specified folder.
- EditAllItems: The user can edit all items in the specified folder.
- EditOwnedItems: The user can only edit items that they created in the specified folder.
- FolderContact: The user is the contact for the specified public folder.
- FolderOwner: The user is the owner of the specified folder. The user can view the folder, move the folder and create subfolders. The user can't read items, edit items, delete items or create items.
- FolderVisible: The user can view the specified folder, but can't read or edit items within the specified public folder.
- ReadItems: The user can read items within the specified folder.
The following roles, which group individual permissions, are available:
- Author: CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems.
- Contributor: CreateItems, FolderVisible.
- Editor: CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems.
- NonEditingAuthor: CreateItems, DeleteOwnedItems, FolderVisible, ReadItems.
- Owner: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems.
- PublishingAuthor: CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems.
- PublishingEditor: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems.
- Reviewer: FolderVisible, ReadItems.
# Retrieves the folder-level permissions for the specified mailbox.
# Note: with only a mailbox identity (no ":\<Folder>" suffix), Get-MailboxFolderPermission returns the
# permissions of the root folder ("Top of Information Store"), not of every folder in the mailbox.
Get-Mailbox -Identity <EMAIL> | Get-MailboxFolderPermission | Select-Object *
# Enumerates, for all the mailboxes, the root-folder permissions allowing access to Anonymous or Default.
$MailBoxes = Get-Mailbox -ResultSize Unlimited
ForEach ($MailBox in $MailBoxes) {
    $Permissions = Get-MailboxFolderPermission $MailBox |
        Where-Object { (($_.User -like 'Anonymous') -or ($_.User -like 'Default')) -and $_.AccessRights -ne 'None' }
    ForEach ($Permission in $Permissions) {
        [PSCustomObject]@{
            MailBoxIdentity           = $MailBox.Identity
            MailBoxPrimarySmtpAddress = $MailBox.PrimarySmtpAddress
            FolderName                = $Permission.FolderName
            DelegateUser              = $Permission.User
            DelegateRights            = $Permission.AccessRights
            DelegateIsValid           = $Permission.IsValid
        }
    }
}
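A complete folder-level review has to enumerate the folders of each mailbox first, since a bare mailbox identity only covers the root folder. The following added example (not part of the original notes) does that with Get-MailboxFolderStatistics, then uses the role definitions listed above to expand each entry's AccessRights into individual rights, so that a Reviewer role and an explicit "FolderVisible, ReadItems" grant are both reported as granting read access. It assumes an Exchange Online PowerShell session; the folder-type exclusion list and the names Expand-FolderAccessRights and Get-MailboxFolderReadDelegation are this example's own choices.

```powershell
# Added example (not from the original notes): expands folder roles into their individual
# rights using the role definitions from the folder-level permissions section, then walks
# every folder of every mailbox and reports entries whose effective rights include ReadItems.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline). The cmdlets are the
# real ones; the function names, output columns and exclusion list are this example's own.

# Role -> individual rights, exactly as listed in the notes above.
$FolderRoleRights = @{
    Author           = 'CreateItems', 'DeleteOwnedItems', 'EditOwnedItems', 'FolderVisible', 'ReadItems'
    Contributor      = 'CreateItems', 'FolderVisible'
    Editor           = 'CreateItems', 'DeleteAllItems', 'DeleteOwnedItems', 'EditAllItems', 'EditOwnedItems', 'FolderVisible', 'ReadItems'
    NonEditingAuthor = 'CreateItems', 'DeleteOwnedItems', 'FolderVisible', 'ReadItems'
    Owner            = 'CreateItems', 'CreateSubfolders', 'DeleteAllItems', 'DeleteOwnedItems', 'EditAllItems', 'EditOwnedItems', 'FolderContact', 'FolderOwner', 'FolderVisible', 'ReadItems'
    PublishingAuthor = 'CreateItems', 'CreateSubfolders', 'DeleteOwnedItems', 'EditOwnedItems', 'FolderVisible', 'ReadItems'
    PublishingEditor = 'CreateItems', 'CreateSubfolders', 'DeleteAllItems', 'DeleteOwnedItems', 'EditAllItems', 'EditOwnedItems', 'FolderVisible', 'ReadItems'
    Reviewer         = 'FolderVisible', 'ReadItems'
}

function Expand-FolderAccessRights {
    # Turns an AccessRights value (roles and/or individual rights, as an array or as one
    # "A, B" string) into the flat, sorted set of individual rights it grants.
    param([object[]]$AccessRights)
    $rights = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in $AccessRights) {
        foreach ($token in ("$entry" -split '\s*,\s*')) {
            if ($FolderRoleRights.ContainsKey($token)) {
                foreach ($r in $FolderRoleRights[$token]) { [void]$rights.Add($r) }
            } elseif ($token -and $token -ne 'None') {
                [void]$rights.Add($token)   # already an individual right
            }
        }
    }
    return @($rights | Sort-Object)
}

function Get-MailboxFolderReadDelegation {
    # For every folder of every mailbox, returns the entries whose effective rights include
    # ReadItems. Default (any authenticated user) and Anonymous (everyone) entries are flagged
    # separately because they are not tied to a named delegate.
    param(
        # System folder types that reject Get-MailboxFolderPermission or carry no user data;
        # this list is an example choice, adjust it for your tenant.
        [string[]]$ExcludedFolderTypes = @('SearchFolder', 'RecoverableItemsRoot', 'RecoverableItemsDeletions',
                                           'RecoverableItemsPurges', 'RecoverableItemsVersions', 'Audits', 'CalendarLogging')
    )
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $smtp = $mbx.PrimarySmtpAddress.ToString()
        $folders = Get-MailboxFolderStatistics -Identity $smtp | Where-Object { $_.FolderType -notin $ExcludedFolderTypes }
        foreach ($folder in $folders) {
            # FolderPath is "/Inbox/Sub"; the permission cmdlet wants "user@domain:\Inbox\Sub".
            $folderId = '{0}:{1}' -f $smtp, ($folder.FolderPath -replace '/', '\')
            try {
                $perms = Get-MailboxFolderPermission -Identity $folderId -ErrorAction Stop
            } catch {
                continue   # some system folders reject the call; skip rather than abort the sweep
            }
            foreach ($perm in $perms) {
                $effective = Expand-FolderAccessRights -AccessRights $perm.AccessRights
                if ($effective -contains 'ReadItems') {
                    [PSCustomObject]@{
                        Mailbox         = $smtp
                        FolderPath      = $folder.FolderPath
                        Delegate        = "$($perm.User)"
                        GrantedAs       = ($perm.AccessRights -join ', ')
                        EffectiveRights = ($effective -join ', ')
                        ExposedToAll    = ("$($perm.User)" -in 'Default', 'Anonymous')
                    }
                }
            }
        }
    }
}

# Usage: list the broadest exposures first.
Get-MailboxFolderReadDelegation | Sort-Object ExposedToAll -Descending | Export-Csv .\folder-read-delegations.csv -NoTypeInformation
```

Expanding roles before filtering matters because the same read capability can be granted as the Reviewer role, as the Author or Editor roles, or as an explicit list of individual rights; comparing on the expanded set catches all of these with one condition.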