Maintaining control over mailbox permissions is not only considered good tech hygiene for a tenant, but it's also essential from a compliance perspective, especially during employee or contractor onboarding, role changes, or departures. While the default tools provided by Microsoft can make tracking Exchange mailbox permissions time-consuming and challenging to gather all necessary information, CoreView offers a faster and more secure alternative.
1. Using Microsoft 365
For managing Exchange Online mailbox permissions, you can use either the Exchange Admin Center or PowerShell.
The Exchange Admin Center can be used to check existing permissions on individual mailboxes. This can be done by selecting “Mailbox delegation” in the properties of the mailbox or group, and then verifying the delegates. However, it's not possible to obtain a detailed list of all permissions applied to all mailboxes simultaneously.
On the other hand, PowerShell provides comprehensive control over your tenant. You can get a complete overview of permissions applied to your tenant using a combination of the following three main cmdlets:
#Exchange V2 cmdlets
Get-EXOMailbox
Get-EXOMailboxPermission
Get-EXORecipientPermission
Please note that the complete retrieval of all permissions in a large tenant (with over 100K users) can exceed 24 hours.
For more details on the new Microsoft Exchange V2 PowerShell Module, please refer to the following Microsoft documentation.
2. Using CoreView
Follow these steps to review and manage Exchange mailbox permissions using CoreView:
Step 1: Visibility
- Go to the CoreView portal
- Search for “User mailbox” under “Reports”
- Alternatively, go to “Reports > Security > User mailbox security”
- A table showing all delegates will be shown and you can easily filter to find what you are looking for.
The data displayed is enriched to expedite the identification of anomalies. You can find details such as recipient type details, company country, and department information of both the delegated mailbox and the delegate. Quite often, during a role change, users can still access mailboxes they should no longer have access to.
Tip!
Try filtering the table with “Type of User with Access = SharedMailbox”. We suspect you'll uncover a list of anomalies, such as old UserMailboxes that have been migrated to shared (decommissioned users) and are still configured as delegates to other mailboxes. These should be removed to maintain control and eliminate 'background noise' while managing your tenant.
Step 2: Management
- Go to “Actions > Management actions”
- Under the “Filter assistant”, check the “Mailbox” option. This will reveal a list of possible actions.
These actions provide quick and comprehensive management of mailbox permissions, helping keep this aspect of Microsoft Exchange Online under control.
Operators will only be able to see and manage mailboxes within their V-Tenant-defined scope.