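<#
.SYNOPSIS
    Audit mailbox delegate access permissions across Exchange environment

.DESCRIPTION
    Reports on SendAs, SendOnBehalf, and FullAccess permissions for all mailboxes.
    Useful for security audits, compliance reviews, and migration planning.

    Lookup failures are logged and counted in the summary instead of being
    silently dropped, so an incomplete audit cannot be mistaken for a clean one.

.PARAMETER OutputFolder
    Destination folder for CSV reports. Default: .\MailboxPermissions-<yyyyMMdd-HHmm>

.PARAMETER MailboxFilter
    Optional OPATH filter string passed to Get-Mailbox -Filter
    (for example "Name -like 'Sales*'"). Default: "*", which is treated as
    "no filter" and selects all on-premises mailboxes.

.PARAMETER IncludeInherited
    Include inherited permissions in the report (default: $false)

.NOTES
    ⚠️ AI-GENERATED SCRIPT - UNTESTED
    This script was generated by Claude AI and has not been tested in production.
    Review and test thoroughly in a non-production environment before use.

    - Run in Exchange Management Shell with appropriate RBAC permissions
    - Can take significant time with large mailbox counts
    - Tested compatibility: Exchange 2013/2016/2019 (not validated)
    - The reports list who can read or send as which mailbox; keep the output
      folder in an access-restricted location.
    - Display names are exported as-is; treat the CSVs as untrusted input when
      opening them in a spreadsheet application (formula interpretation).

.EXAMPLE
    .\Get-MailboxPermissions.ps1

.EXAMPLE
    .\Get-MailboxPermissions.ps1 -OutputFolder "D:\Reports\Permissions" -IncludeInherited $true
#>

[CmdletBinding()]
param(
    [string]$OutputFolder = (Join-Path -Path (Get-Location) -ChildPath ("MailboxPermissions-" + (Get-Date -Format "yyyyMMdd-HHmm"))),
    [string]$MailboxFilter = "*",
    [bool]$IncludeInherited = $false
)

# Timestamp prefix used on every console message.
function NowTag { (Get-Date).ToString("yyyy-MM-dd HH:mm:ss") }

Write-Host "[$(NowTag)] ⚠️ AI-GENERATED SCRIPT - UNTESTED" -ForegroundColor Yellow
Write-Host "[$(NowTag)] Starting mailbox permissions audit..." -ForegroundColor Green

# Create output folder
New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

# Number of lookups that failed; reported in the summary so gaps are visible.
$lookupErrorCount = 0

# Get all on-premises mailboxes
Write-Host "[$(NowTag)] Retrieving mailboxes..."

# "*" is not an OPATH expression, so only pass -Filter when a real filter was given.
# Non-terminating errors are collected in $mailboxErrors rather than discarded.
$getMailboxArgs = @{
    ResultSize    = 'Unlimited'
    ErrorAction   = 'SilentlyContinue'
    ErrorVariable = 'mailboxErrors'
}
if (-not [string]::IsNullOrWhiteSpace($MailboxFilter) -and $MailboxFilter -ne '*') {
    $getMailboxArgs['Filter'] = $MailboxFilter
}

$mailboxes = @()
try {
    # Keep only mailboxes hosted on a local database (skips Remote* recipient types).
    $mailboxes = @(
        Get-Mailbox @getMailboxArgs |
            Where-Object { $_.RecipientTypeDetails -notmatch "^Remote" -and $_.Database }
    )
} catch {
    # Terminating errors (e.g. an invalid filter) land here.
    $lookupErrorCount++
    Write-Host "[$(NowTag)] ERROR retrieving mailboxes: $_" -ForegroundColor Red
}
foreach ($mailboxError in $mailboxErrors) {
    $lookupErrorCount++
    Write-Host "[$(NowTag)] ERROR retrieving mailboxes: $mailboxError" -ForegroundColor Red
}

$mbCount = $mailboxes.Count
Write-Host "[$(NowTag)] Found $mbCount mailboxes to audit"

# Collections (generic lists avoid re-allocating an array on every append)
$fullAccessPerms   = New-Object 'System.Collections.Generic.List[object]'
$sendAsPerms       = New-Object 'System.Collections.Generic.List[object]'
$sendOnBehalfPerms = New-Object 'System.Collections.Generic.List[object]'

$current = 0
foreach ($mb in $mailboxes) {
    $current++
    $pct = [int](($current / $mbCount) * 100)
    Write-Progress -Activity "Auditing Mailbox Permissions" -Status "Processing $($mb.DisplayName) ($current/$mbCount)" -PercentComplete $pct

    # FullAccess permissions
    # -ErrorAction Stop makes a failed lookup reach the catch block; with
    # SilentlyContinue the failure would leave this mailbox unaudited without a trace.
    try {
        # NOTE(review): the S-1-5-* exclusion also hides unresolved SIDs (delegates
        # whose account no longer resolves); consider reporting those separately.
        $fullAccess = Get-MailboxPermission -Identity $mb.Identity -ErrorAction Stop |
            Where-Object {
                $_.User -notlike "NT AUTHORITY\*" -and
                $_.User -notlike "S-1-5-*" -and
                $_.AccessRights -like "*FullAccess*" -and
                ($IncludeInherited -or -not $_.IsInherited)
            }

        foreach ($perm in $fullAccess) {
            $fullAccessPerms.Add([PSCustomObject]@{
                Mailbox            = $mb.DisplayName
                PrimarySmtpAddress = $mb.PrimarySmtpAddress
                User               = $perm.User
                AccessRights       = ($perm.AccessRights -join ", ")
                IsInherited        = $perm.IsInherited
                Deny               = $perm.Deny
            })
        }
    } catch {
        $lookupErrorCount++
        Write-Host "[$(NowTag)] ERROR getting FullAccess for $($mb.DisplayName): $_" -ForegroundColor Red
    }

    # SendAs permissions
    try {
        $sendAs = Get-ADPermission -Identity $mb.DistinguishedName -ErrorAction Stop |
            Where-Object {
                $_.ExtendedRights -like "*Send-As*" -and
                $_.User -notlike "NT AUTHORITY\*" -and
                $_.User -notlike "S-1-5-*" -and
                ($IncludeInherited -or -not $_.IsInherited)
            }

        foreach ($perm in $sendAs) {
            $sendAsPerms.Add([PSCustomObject]@{
                Mailbox            = $mb.DisplayName
                PrimarySmtpAddress = $mb.PrimarySmtpAddress
                User               = $perm.User
                IsInherited        = $perm.IsInherited
                Deny               = $perm.Deny
            })
        }
    } catch {
        $lookupErrorCount++
        Write-Host "[$(NowTag)] ERROR getting SendAs for $($mb.DisplayName): $_" -ForegroundColor Red
    }

    # SendOnBehalf permissions (read directly from the mailbox object)
    if ($mb.GrantSendOnBehalfTo -and $mb.GrantSendOnBehalfTo.Count -gt 0) {
        foreach ($user in $mb.GrantSendOnBehalfTo) {
            $sendOnBehalfPerms.Add([PSCustomObject]@{
                Mailbox            = $mb.DisplayName
                PrimarySmtpAddress = $mb.PrimarySmtpAddress
                User               = $user
            })
        }
    }
}

Write-Progress -Activity "Auditing Mailbox Permissions" -Completed

# Export results
Write-Host "[$(NowTag)] Exporting results..."

$fullAccessFile   = Join-Path $OutputFolder "FullAccess-Permissions.csv"
$sendAsFile       = Join-Path $OutputFolder "SendAs-Permissions.csv"
$sendOnBehalfFile = Join-Path $OutputFolder "SendOnBehalf-Permissions.csv"
$summaryFile      = Join-Path $OutputFolder "Permissions-Summary.txt"

if ($fullAccessPerms.Count -gt 0) {
    $fullAccessPerms | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $fullAccessFile
    Write-Host "[$(NowTag)] FullAccess permissions: $fullAccessFile"
} else {
    Write-Host "[$(NowTag)] No FullAccess permissions found"
}

if ($sendAsPerms.Count -gt 0) {
    $sendAsPerms | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $sendAsFile
    Write-Host "[$(NowTag)] SendAs permissions: $sendAsFile"
} else {
    Write-Host "[$(NowTag)] No SendAs permissions found"
}

if ($sendOnBehalfPerms.Count -gt 0) {
    $sendOnBehalfPerms | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $sendOnBehalfFile
    Write-Host "[$(NowTag)] SendOnBehalf permissions: $sendOnBehalfFile"
} else {
    Write-Host "[$(NowTag)] No SendOnBehalf permissions found"
}

# Summary
$summary = @"
Mailbox Permissions Audit Summary
Generated: $(Get-Date)
Mailboxes Audited: $mbCount
FullAccess Permissions: $($fullAccessPerms.Count)
SendAs Permissions: $($sendAsPerms.Count)
SendOnBehalf Permissions: $($sendOnBehalfPerms.Count)
Lookup Errors: $lookupErrorCount
Output Folder: $OutputFolder
"@

$summary | Out-File -FilePath $summaryFile -Encoding UTF8
Write-Host "`n$summary"

if ($lookupErrorCount -gt 0) {
    # A non-zero count means some mailboxes were not fully audited.
    Write-Host "[$(NowTag)] Audit finished with $lookupErrorCount lookup error(s); results are incomplete" -ForegroundColor Yellow
}
Write-Host "[$(NowTag)] Audit complete!" -ForegroundColor Green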