A new employee has joined your company! Aside from adding them in Active Directory, this also means creating a new Exchange mailbox for the fresh hire. Easy enough. Personal mailboxes are fairly straightforward. The tricky part comes later, when it’s time to check which additional mailboxes and folders a user has been given access to.
The default tools provided by Microsoft make it difficult and time-consuming to keep track of Exchange mailbox permissions and piece together all the information you need to get the full picture. Read our guide to learn everything about mailbox permission management with PowerShell and the Exchange Admin Center (EAC), including how a dedicated access management solution can help you simplify the reporting process.
To manage Exchange mailbox permissions, you will need to use either the Exchange Admin Center (EAC, formerly known as the Exchange Management Console) or PowerShell. Since 2016, a cross-platform, open source version of PowerShell (PowerShell Core) is available for Windows, macOS and Linux alongside the traditional Windows PowerShell.
Managing Mailbox Permissions with PowerShell
Let’s assume you’re an admin trying to give an employee access to another mailbox or add an entire group to a shared mailbox. To accomplish this task using PowerShell, you would connect to Exchange Online PowerShell and use a cmdlet such as Add-MailboxPermission. For example, you might assign the Send As permission to a user in order to allow them to respond as if their messages were coming from the email address in question. A user with access to another mailbox is also known as a delegate.
While this approach is effective for minor adjustments, the text-based interface quickly runs into limitations when it comes to larger changes to delegation, such as changing settings for multiple groups or switching around many individual delegates. For changes at this scale, the Admin Center generally proves more effective.
Managing Mailbox Permissions using EAC
To adjust Exchange mailbox permissions using the Admin Center, navigate to Recipients > Mailboxes. You can use Ctrl to select multiple mailboxes at once, which will also bring up the Bulk Edit menu on the right side of the page.
Mailbox permissions are accessible via More options at the bottom of the Bulk Edit panel. You can now view existing permissions or add new ones. Additional information is available in Microsoft’s official documentation, but the most important distinction is between the three main permission types used in Exchange:
Full Access: This permission allows the delegate to open the mailbox and view or edit contents, but does not allow the delegate to send messages from the mailbox.
Send As: The Send As permission allows delegates to send messages as if they were sent directly from the mailbox in question, but does not give them access to the contents of the mailbox.
Send on Behalf: Similar to Send As, Send on Behalf allows a delegate to send messages from the mailbox or group they have the permission for, but any emails sent this way will show that they were sent by the delegate on behalf of the mailbox. It does not give them access to the contents of the mailbox. If delegates are given both the Send As and Send on Behalf permission, Send As will take priority.
Check Mailbox Permissions using PowerShell
Using the Get-Mailbox and Get-MailboxPermission cmdlets (in combination with the right set of parameters) also makes it possible to check, for example, which mailboxes a specific user has access to or which mailboxes have a delegate with the Full Access permission. You can find some ideas for scripts in this blogpost.
Note: While this is a reasonable approach for companies with fewer than twenty employees, running custom searches in PowerShell and manually exporting the results would consume an excessive amount of time for larger organizations. Tracking mailbox permissions for a larger number of staff requires a dedicated reporting tool.
Tracking Exchange Mailboxes and Active Directory Accounts
As we’ve already established, PowerShell can be used to figure out which permissions have been assigned for a specific mailbox or folder. In theory, you could then use the EAC to draw connections between Exchange mailboxes and user accounts in Active Directory.
This could be necessary if, for example, you need to figure out the level of access an AD user has in a specific Exchange mailbox or need a list of all mailbox permissions that a specific user account has.
Tracking Outdated and Unnecessary Mailbox Permissions
In most organizations, users have more access rights than they actually need for their job. This applies to Exchange mailbox permissions just as much as it does to file server permissions or third party accounts. Put simply, the root cause of this gradual build-up of excess privileges is the fact that users constantly receive new permissions, but old and outdated permissions aren’t removed in time.
Let’s say a new member joins the sales team and is given full access to several shared mailboxes: for incoming leads, communicating with distributors, etc. So far, so good. They need access to those mailboxes to do their job. But a few months later, they switch to the product team and receive all the access rights associated with their new role. Only nobody remembers to revoke the mailbox permissions they no longer need.
Without a standardized process for user access reviews, old privileges tend to fall through the cracks. Users often forget about them, or don’t feel like bothering IT over something that’s not causing any harm, right? Wrong!
In reality, unnecessary permissions pose a significant security risk. They increase the likelihood and possible scope of employee data theft and can be exploited by attackers, malware or ransomware to reach additional parts of your network. This is also why most cybersecurity standards now require access rights to be assigned on a need-to-know basis, following the principle of least privilege.
Shared Mailboxes & Nested Groups
When it comes to fighting unnecessary permissions, there’s an important distinction to be made between individual users who have been given access to additional mailboxes and shared mailboxes that are managed via groups. While unnecessary permissions assigned to users are far from ideal, at least admins can use PowerShell to figure out who in their organization can access mailboxes besides their own (using the methods described above).
With shared mailboxes, it’s not quite as simple. These mailboxes are commonly used to allow multiple users to receive and respond to emails that are relevant to more than one person (for instance, if multiple staff members are assigned to one client). Access to shared mailboxes is typically managed using groups, which adds an extra layer of complexity to permission reporting: You can use PowerShell to see which groups have access to a shared mailbox, but then you have to figure out which users are part of that group.
Important: Please note the distinction between shared mailboxes and distribution groups, which provide another option for distributing messages among multiple users in Exchange Online.
Exchange Mailbox Permissions per User
The fact that permissions assigned through groups are not readily transparent means that reporting options for Exchange using the default tools are quite limited. Just as you cannot see which users are assigned to a shared mailbox, you also cannot tell which mailboxes an individual user has access to, only which groups they are a member of.
To get the complete picture and generate a full report of every user’s effective access level in Exchange Online using the default Microsoft tools, you would have to manually comb through every group on your server.
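To get the per-user picture the default tools withhold, the following added PowerShell (not from the original article, and not tenfold’s code) flattens the Full Access, Send As and Send on Behalf grants on every mailbox and expands group trustees, nested groups included, down to individual users. It assumes the ExchangeOnlineManagement module with a Connect-ExchangeOnline session already established, and an account allowed to run Get-Mailbox, Get-MailboxPermission, Get-RecipientPermission, Get-Recipient and Get-DistributionGroupMember; the function names Expand-Trustee and Get-EffectiveMailboxAccess are mine.

```powershell
# Added example, not code from the original article: flatten Exchange Online mailbox
# permissions into one row per (mailbox, user, permission) and expand group trustees
# recursively, so access granted through nested groups becomes visible per user.
# Assumes the ExchangeOnlineManagement module and that Connect-ExchangeOnline was run.

function Expand-Trustee {
    param([string]$Identity, [hashtable]$Seen = @{})
    # Returns the individual recipients behind $Identity; mail-enabled groups are expanded recursively.
    if ($Seen.ContainsKey($Identity)) { return }    # guard against nested-group membership loops
    $Seen[$Identity] = $true
    $recipient = Get-Recipient -Identity $Identity -ErrorAction SilentlyContinue
    if (-not $recipient) { return $Identity }        # unresolvable (e.g. orphaned SID): report as-is
    $groupTypes = 'MailUniversalSecurityGroup', 'MailUniversalDistributionGroup', 'MailNonUniversalGroup'
    if ($recipient.RecipientType -in $groupTypes) {
        foreach ($m in Get-DistributionGroupMember -Identity $Identity -ResultSize Unlimited) {
            Expand-Trustee -Identity $m.PrimarySmtpAddress -Seen $Seen
        }
    } else {
        $recipient.PrimarySmtpAddress    # a user, mail user or contact
    }
}

function Get-EffectiveMailboxAccess {
    # Emits Mailbox / User / Permission / Via objects; Via names the trustee the access
    # came through (usually a group), or 'direct' when the grant names the user's own address.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $grants = @()
        # Full Access: explicit allow entries only (skips inherited entries and NT AUTHORITY\SELF)
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           $_.User -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'FullAccess' } |
            ForEach-Object { $grants += [pscustomobject]@{ Trustee = [string]$_.User; Permission = 'FullAccess' } }
        # Send As is stored as a recipient permission in Exchange Online
        Get-RecipientPermission -Identity $mbx.Identity |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { $grants += [pscustomobject]@{ Trustee = [string]$_.Trustee; Permission = 'SendAs' } }
        # Send on Behalf lives on the mailbox object itself
        foreach ($t in $mbx.GrantSendOnBehalfTo) { $grants += [pscustomobject]@{ Trustee = [string]$t; Permission = 'SendOnBehalf' } }
        foreach ($g in $grants) {
            foreach ($user in Expand-Trustee -Identity $g.Trustee) {
                $via = if ($user -eq $g.Trustee) { 'direct' } else { $g.Trustee }
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; User = $user; Permission = $g.Permission; Via = $via }
            }
        }
    }
}

# Which mailboxes can a given user reach, and through which group? (address is a placeholder)
# Get-EffectiveMailboxAccess | Where-Object User -eq 'jane.doe@contoso.com' | Format-Table
```

Piping the output to Export-Csv gives the same flattened report as a file for an access review, and filtering on Permission -eq 'FullAccess' lists every delegate with full mailbox access.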
Exchange Mailbox Permissions: Compliance Risks
The reporting limitations for Exchange Online are a bigger problem than you might think. The lack of transparency makes it easy to miss outdated and unnecessary permissions, giving users access to mailboxes they have no business accessing. And remember, access to mailboxes, especially Full Access, doesn’t just mean seeing incoming emails. It means access to the entire email history, to calendar entries, shared files and attachments, etc.
Aside from the increased risk of data theft and insider threats, excess privileges on the mail server are also a thorny issue when it comes to achieving compliance with standards such as SOX, HIPAA, ISO 27001, the NIST Cybersecurity Framework and so on. Most cybersecurity regulations now require businesses to enforce the principle of least privilege, i.e. to limit access rights for staff to only what is absolutely necessary.
Managing Exchange Mailbox Permissions with tenfold
Businesses can avoid the risk of compliance breaches and the effort involved in manually checking mailbox permissions using Identity Access Management software with an interface to Active Directory. IAM solutions help companies both automate and rigorously document routine tasks involved with user management and permissions. This includes creating new user accounts, assigning the right attributes in AD and automatically adding users to the correct security groups, distribution groups and shared mailboxes based on their role and department.
Thanks to its out-of-the-box plugin for Exchange (Online), tenfold’s comprehensive reporting tools provide you with a clear overview of all effective permissions on your mail server, including detailed reports on which users have access to a specific mailbox or folder. tenfold automatically breaks down AD groups and visualizes group membership through a tree diagram.
The advantages of tenfold extend far beyond its reporting tools. For example, the Exchange® Mailbox Lifecycle Plugin makes managing mailboxes fast and easy. Whenever a new employee joins your company, tenfold automatically creates a new mailbox for them and gives them access to folders and mailboxes based on their position within the company. The same is true for any system connected to tenfold: your local AD and file server, Azure Active Directory, third party applications, etc.
If an employee switches to another office or department down the line, tenfold automatically moves their mailbox to the correct mailbox database. If a staff member leaves your organization, tenfold automatically closes their mailbox and sets up the required redirects to forward all incoming emails.
Additionally, tenfold provides various handy features that address common mailbox problems, such as the ability to set up an Outlook out-of-office message for another user, in case a colleague forgot to set up their automatic response before going on vacation. There is even an option to define auto-filled templates for out-of-office messages in order to set a uniform response.
Exchange Mailbox Permissions at a Glance
Problem in Exchange | Solution in tenfold
Mailboxes must be created manually (no provisioning) | User creation in AD and Exchange is fully automated (automatic provisioning)
Administrators have to go through PowerShell to see access rights | tenfold provides automated and clear reports on who has access to what
No group breakdown to individual members | tenfold automatically breaks down groups and visualizes group membership through a tree diagram
No self-service (requesting new access rights is complicated) | Users can request additional access rights themselves via self-service; data owners receive these requests and can confirm or reject them as part of a workflow