Script to Get Office 365 Mailbox Folder Permissions

Introduction

This script could be used to get Office 365 mailbox folder permissions. It will try to connect Windows PowerShell to Office 365 automatically if the connection is not established.

Scenarios

In a real world, IT Administrators may want to get mailbox folder permissions due to variety of reasons. If an organization has thousands of mailboxes, it’s impossible to get permissions from these mailboxes one by one. IT administrators need a script to complete this task.

Script

This script contains one advanced function, Get-OSCMsolMailboxFolderPermission. You can use this script in following ways:

Method 1:

  1. Download the script and copy it to a Windows 7 computer.
  2. Open the script file with Notepad or any other script editors.
  3. Scroll down to the end of the script file, and then add the example command which you want to run.
  4. Save the file then run the script in Windows PowerShell.

Method 2:

  1. Rename scriptname.ps1 to scriptname.psm1 (PowerShell Module file)
  2. Run Import-Module cmdlet to import this module file in Exchange Management Shell.
     Import-Module filepath\scriptname.psm1  
PowerShell
Edit|Remove
Function Get-OSCMsolMailboxFolderPermission 
{ 
    [CmdletBinding()] 
    Param 
    ( 
        #Define parameters 
        [Parameter(Mandatory=$false,Position=1)] 
        [System.Management.Automation.PSCredential]$Credential, 
        [Parameter(Mandatory=$true,Position=2)] 
        [string]$MailboxFilter, 
        [Parameter(Mandatory=$true,Position=3)] 
        [string]$FolderName, 
        [Parameter(Mandatory=$false,Position=4)] 
        [switch]$DisconnectSession 
    ) 
    Process 
    { 
        $reports = @() 
        #Connect Windows PowerShell to Office 365 
        Try 
        { 
            #If session does not exist, create a new session. 
            $existingSession = Get-PSSession -Verbose:$false | Where-Object {$_.ConfigurationName -eq "Microsoft.Exchange"} 
            if ($existingSession -eq $null) { 
                $verboseMsg = $Messages.CreatingSession 
                $pscmdlet.WriteVerbose($verboseMsg) 
                $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange ` 
                -ConnectionUri "https://ps.outlook.com/powershell" -Credential $Credential ` 
                -Authentication Basic -AllowRedirection 
                #If session is newly created, import the session. 
                Import-PSSession -Session $O365Session -Verbose:$false | Out-Null 
                $existingSession = $O365Session 
            } else { 
                $verboseMsg = $Messages.FoundExistingSession 
                $pscmdlet.WriteVerbose($verboseMsg) 
            } 
        } 
        Catch 
        { 
            $pscmdlet.WriteError($Error[0]) 
        } 
        if ($existingSession -ne $null) { 
            #Get mailboxes 
            $mailboxes = Get-Mailbox -Filter $MailboxFilter -ResultSize unlimited 
            #If mailboxes exists, use Get-MailboxFolderPermission to retrieve permissions.  
            if ($mailboxes -ne $null) { 
                foreach ($mailbox in $mailboxes) { 
                    $mailboxAlias = $mailbox.Alias 
                    $mailboxDisplayName = $mailbox.DisplayName 
                    $permissions = Get-MailboxFolderPermission -Identity "$mailboxAlias`:\$FolderName" 
                    if ($permissions -ne $null) { 
                        foreach ($permission in $permissions) { 
                            $report = New-Object PSObject 
                            $report | Add-Member -MemberType NoteProperty -Name "MailboxAlias" -Value $mailboxAlias 
                            $report | Add-Member -MemberType NoteProperty -Name "MailboxDisplayName" -Value $mailboxDisplayName 
                            $report | Add-Member -MemberType NoteProperty -Name "FolderName" -Value $permission.FolderName 
                            $report | Add-Member -MemberType NoteProperty -Name "User" -Value $permission.User 
                            $report | Add-Member -MemberType NoteProperty -Name "AccessRights" -Value $permission.AccessRights 
                            $reports +$report 
                        } 
                    } else { 
                        $report = New-Object PSObject 
                        $report | Add-Member -MemberType NoteProperty -Name "MailboxAlias" -Value $mailboxAlias 
                        $report | Add-Member -MemberType NoteProperty -Name "MailboxDisplayName" -Value $mailboxDisplayName 
                        $report | Add-Member -MemberType NoteProperty -Name "FolderName" -Value "N/A" 
                        $report | Add-Member -MemberType NoteProperty -Name "User" -Value "N/A" 
                        $report | Add-Member -MemberType NoteProperty -Name "AccessRights" -Value "N/A" 
                        $reports +$report 
                    } 
 
                } 
            } else { 
                $warningMsg = $Messages.CannotFindMBXWithSpecifiedFilter 
                $warningMsg = $warningMsg -replace "Placeholder01",$MailboxFilter 
                $pscmdlet.WriteWarning($warningMsg) 
            } 
            #Disconnect Windows PowerShell from Office 365 
            if ($DisconnectSession) { 
                Remove-PSSession -Session $existingSession -Verbose:$false 
            } 
            #Return the result 
            return $reports 
        } 
    } 
} 
 

Examples

Example 1: Displays help about Grant-OSCMsolMailboxPermission
Command: Get-Help Get-OSCMsolMailboxFolderPermission -Full
Screenshot:

 

Example 2: Returns the list of user permissions for John Doe's Calendar mailbox folder. (Windows PowerShell has already connected to Office 365.)
Command:
 Get-OSCMsolMailboxFolderPermission -MailboxFilter 'DisplayName -eq "John Doe"' -FolderName "Calendar" -Verbose
Screenshot:

Example 3: Returns the list of user permissions for John Doe's Calendar mailbox folder. If Windows PowerShell has not connected to Office 365, you should use Get-Credential to get a credential object.
Command:
 $cred = Get-Credential admin@example01.onmicrosoft.com
 Get-OSCMsolMailboxFolderPermission -Credential $cred -MailboxFilter 'DisplayName -eq "John Doe"' -FolderName "Calendar" -Verbose
Screenshot:

Example 4: Returns the list of user permissions of Calendar folder for specific mailboxes which alias starts with "J".
Command: Get-OSCMsolMailboxFolderPermission -MailboxFilter 'Alias -like "J*"' -FolderName "Calendar" -Verbose
Screenshot:

Example 5: Returns the list of user permissions of SpecialEvents folder under Calendar folder for specific mailboxes which alias starts with "J". If the folder does not exist in some mailboxes, error messages will be displayed and "N/A" will appear in the final report.
Command:
 Get-OSCMsolMailboxFolderPermission -MailboxFilter 'Alias -like "J*"' -FolderName "Calendar\SpecialEvents" -Verbose
Screenshot:

Example 6: Returns the list of user permissions of Calendar folder for specific mailboxes which alias starts with "J". Then use Export-Csv to save the reports in a .csv file. After that, Windows PowerShell will be disconnected from Office 365.
Command: Get-OSCMsolMailboxFolderPermission -MailboxFilter 'DisplayName -like "j*"' -FolderName "Calendar" -DisconnectSession -Verbose | Export-Csv -Path "C:\Scripts\reports.csv" -NoTypeInformation
Screenshot:

Additional Resources

Technical Resources:

Windows PowerShell Advanced Function
http://technet.microsoft.com/en-us/library/dd315326.aspx 

Use Windows PowerShell in Exchange Online
http://help.outlook.com/en-us/140/cc546278.aspx

Reference to Available PowerShell Cmdlets in Exchange Online
http://help.outlook.com/en-us/140/dd575549.aspx

Get-MailboxFolderPermission
http://technet.microsoft.com/en-us/library/dd335061.aspx