Copying Exchange Full Access and Send As permissions to other users

I was working on a user provisioning script for a customer, and he asked if I could copy all Shared Mailbox permissions of a template user to the new user (it was something that was quickly forgotten during the user creation process). Sure, because PowerShell 🙂 In this blog post, I will show you how to retrieve Full Access permissions and copy them (including Send As) to another user.

How does the script work?

You can run the script with three parameters:

  • -SourceUser: this is the email address of the user who already has the correct permissions on the Shared Mailboxes
  • -TargetUser: one or more email addresses (separated by a comma) of the users who should get the same permissions on the Shared Mailboxes as the SourceUser.
  • -Automapping: a Boolean parameter ($true or $false) that enables or disables the Automapping feature of Exchange (if enabled, Outlook will automatically add the mailbox). The default value in the script is $true.

-SourceUser and -TargetUser are required. After you specify the parameters, the script connects to Exchange Online (installing the ExchangeOnlineManagement module first if needed), runs through all Shared Mailboxes, checks whether the SourceUser has access, and copies that access to the TargetUser(s).

Note: I always add both Full Access and Send As permissions when delegating access to Shared Mailboxes.

Running the script

In the example below, I ran the script to copy all the permissions of the user adeleV@4lkspb.onmicrosoft.com to the users HenriettaM@4lkspb.onmicrosoft.com and LynneR@4lkspb.onmicrosoft.com.

.\Copy-EOL-SharedMailbox-Permissions.ps1 -SourceUser AdeleV@4lkspb.onmicrosoft.com -TargetUser HenriettaM@4lkspb.onmicrosoft.com, LynneR@4lkspb.onmicrosoft.com

The screen output will be like this:

If you re-run the script, or some permissions were already present, it will display that as a warning:

The script

Below are the contents of the script. Copy it to c:\scripts\Copy-EOL-SharedMailbox-Permissions.ps1, for example.

[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)][string]$SourceUser,
    [Parameter(Mandatory = $true)][string[]]$TargetUser,
    [Parameter(Mandatory = $false)][bool]$Automapping = $true
)

#Check for Exchange Online Management Module
if (Get-Module -Name ExchangeOnlineManagement -ListAvailable) {
    Write-Host ("Exchange Online PowerShell module was found, continuing script" ) -ForegroundColor Green
}
else {
    Write-Host ("Exchange Online PowerShell module was not found, installing and continuing script") -ForegroundColor Green
    try {
        Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force:$true -Confirm:$false -ErrorAction Stop
    }
    catch {
        Write-Warning ("Error installing Exchange Online PowerShell Module, exiting...")
        return
    }
}
#Connect to Exchange Online
Write-Host ("Connecting to Exchange Online, please enter the correct credentials") -ForegroundColor Green
try {
    Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
    Write-Host ("Connected to Exchange Online, continuing script...") -ForegroundColor Green
}
catch {
    Write-Warning ("Error connecting to Exchange Online, exiting...") 
    return
}

#Check if Source and TargetUser are valid
try {
    Get-Mailbox -Identity $SourceUser -ErrorAction Stop | Out-Null
    Write-Host ("Source user {0} is valid, continuing..." -f $SourceUser) -ForegroundColor Green
}
catch {
    Write-Warning ("Source user {0} is not valid, exiting..." -f $SourceUser)
    return
}

foreach ($user in $TargetUser) {
    try {
        Get-Mailbox -Identity $user -ErrorAction Stop | Out-Null
        Write-Host ("Target user {0} is valid, continuing..." -f $user) -ForegroundColor Green
    }
    catch {
        Write-Warning ("Target user {0} is not valid, exiting..." -f $user)
        return
    }
}

#Retrieve all Shared mailboxes that the source user has permissions on
Write-Host ("Retrieving all Shared Mailboxes that {0} has Full Access and Send As permissions on and adding them to the TargetUser(s)" -f $SourceUser) -ForegroundColor Green
#-ResultSize Unlimited is needed because Get-Mailbox returns only the first 1000 results by default
$sharedmailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | Sort-Object Name
foreach ($mailbox in $sharedmailboxes) {
    Write-Host ("- Checking Shared Mailbox {0} for permissions" -f $mailbox.Name)
    #Only explicit Allow entries that grant FullAccess count as access (Deny, inherited and other rights are ignored)
    $fullAccessUsers = (Get-MailboxPermission -Identity $mailbox.PrimarySmtpAddress | Where-Object { $_.AccessRights -like '*FullAccess*' -and $_.Deny -eq $false -and $_.IsInherited -eq $false }).User
    foreach ($user in $TargetUser) {
        if ($fullAccessUsers -contains $SourceUser) {
            if ($fullAccessUsers -contains $user) {
                Write-Warning ("Specified user {0} already has access, skipping..." -f $user)
            }
            else {
                try {
                    Add-MailboxPermission -Identity $mailbox.PrimarySmtpAddress -User $user -AccessRights FullAccess -InheritanceType All -AutoMapping $Automapping -Confirm:$false -ErrorAction Stop | Out-Null
                    Add-RecipientPermission -Identity $mailbox.PrimarySmtpAddress -Trustee $user -AccessRights SendAs -Confirm:$false -ErrorAction Stop | Out-Null
                    Write-Host ("- Added Full Access and Send As permissions on {0} for {1}" -f $mailbox.Name, $user) -ForegroundColor Green
                }
                catch {
                    Write-Warning ("Error setting Full Access and Send As permissions on {0}" -f $mailbox.Name)
                }
            }
        }
    }
}

Download the script(s) from GitHub here
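Copying a template user's access also copies whatever that user has accumulated, so it helps to review what would be granted before anything is changed. The following is an added example, not part of the original script: a hypothetical helper, Get-PermissionCopyPlan, that builds a per-mailbox grant plan from permission entries and tracks Full Access and Send As separately. It runs here on constructed sample entries and assumes they carry the same properties as the output of Get-MailboxPermission and Get-RecipientPermission.

```powershell
# Added example (not part of the original script). Sample entries are constructed;
# their properties mirror Get-MailboxPermission / Get-RecipientPermission output.
function Get-PermissionCopyPlan {
    param (
        [Parameter(Mandatory = $true)][string]$SourceUser,
        [Parameter(Mandatory = $true)][string[]]$TargetUser,
        [object[]]$MailboxPermission = @(),
        [object[]]$RecipientPermission = @()
    )
    # Only explicit Allow entries that really grant FullAccess count
    $full = @($MailboxPermission | Where-Object {
            $_.AccessRights -contains 'FullAccess' -and -not $_.Deny -and -not $_.IsInherited })
    $sendAs = @($RecipientPermission | Where-Object { $_.AccessRights -contains 'SendAs' })
    $mailboxes = @(($full + $sendAs) | ForEach-Object Identity | Sort-Object -Unique)
    foreach ($mbx in $mailboxes) {
        $faUsers = @(($full | Where-Object { $_.Identity -eq $mbx }).User)
        $saUsers = @(($sendAs | Where-Object { $_.Identity -eq $mbx }).Trustee)
        foreach ($user in $TargetUser) {
            $grant = @()
            # Copy each right only if the source holds it and the target lacks it
            if ($faUsers -contains $SourceUser -and $faUsers -notcontains $user) { $grant += 'FullAccess' }
            if ($saUsers -contains $SourceUser -and $saUsers -notcontains $user) { $grant += 'SendAs' }
            if ($grant.Count -gt 0) {
                [pscustomobject]@{ Mailbox = $mbx; Target = $user; Grant = ($grant -join ', ') }
            }
        }
    }
}

# Constructed sample data: one usable grant, one Deny entry, one read-only entry,
# and one mailbox where the source user only has Send As.
$src = 'template.user@contoso.example'
$mbxPerm = @(
    [pscustomobject]@{ Identity = 'sales';   User = $src; AccessRights = @('FullAccess');     Deny = $false; IsInherited = $false }
    [pscustomobject]@{ Identity = 'hr';      User = $src; AccessRights = @('FullAccess');     Deny = $true;  IsInherited = $false }
    [pscustomobject]@{ Identity = 'finance'; User = $src; AccessRights = @('ReadPermission'); Deny = $false; IsInherited = $false }
)
$rcpPerm = @(
    [pscustomobject]@{ Identity = 'sales'; Trustee = $src; AccessRights = @('SendAs') }
    [pscustomobject]@{ Identity = 'info';  Trustee = $src; AccessRights = @('SendAs') }
)

Get-PermissionCopyPlan -SourceUser $src -TargetUser 'new.user@contoso.example' `
    -MailboxPermission $mbxPerm -RecipientPermission $rcpPerm | Format-Table -AutoSize
```

The hr (Deny) and finance (ReadPermission only) entries produce no grant, while a check that only looks for the source user's name in the entry list would match both. Exporting the plan for approval before running the copy keeps the new user's access limited to what was reviewed.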
