
How to Grant an Exchange Online Administrator Full Access to All Mailboxes with PowerShell

Why would you ever do that, you might ask. My use case was to create an admin tool as a webpage with the Office 365 API tools that would allow the administrator to see statistics for all Exchange mailboxes. Such statistics could be the days with the most booked meetings, or the most common email recipients.

With the Office 365 API tools you can only get access to the resources that the currently logged-in user has access to, so if you want to do statistics across mailboxes, you need a user that has such access. The only way that I know to achieve that is by delegating full access to the mailboxes. This can be done from the GUI in the Exchange Administration portal, but if you have many mailboxes that is not a viable way.

So PowerShell to the rescue.

The first step is to log in with your Exchange admin account. From a Windows PowerShell prompt, run the following commands.
$livecred = Get-Credential
The next step is to get the Exchange cmdlets.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $livecred -Authentication Basic -AllowRedirection
And then we need to import them into our session.
Import-PSSession $Session
Finally we can run the command that grants members of the Organization Management role group full access to all user mailboxes (the filter skips the mailbox with the alias Admin).
Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User "Organization Management" -AccessRights fullaccess -InheritanceType all -AutoMapping $False
The documentation for the PowerShell script can be found here: http://help.outlook.com/en-us/140/gg709759.aspx.
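
To review the result of a grant like this, the following added example (not part of the original post) groups entries shaped like Get-MailboxPermission output by trustee and flags any trustee that holds explicit FullAccess on every mailbox in scope. The function name Get-FullAccessDelegation, its parameters and the sample entries are assumptions made for illustration.

```powershell
# Added example: summarize explicit FullAccess grants per trustee.
# Get-FullAccessDelegation is a hypothetical helper, not an Exchange cmdlet.
function Get-FullAccessDelegation {
    [CmdletBinding()]
    param(
        # Entries shaped like Get-MailboxPermission output
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$Permission,
        # Number of mailboxes in scope, used to flag blanket grants
        [Parameter(Mandatory)] [int]$MailboxCount
    )
    begin { $hits = [System.Collections.Generic.List[object]]::new() }
    process {
        foreach ($p in $Permission) {
            # Compare as strings so live and deserialized (remote) objects both work
            $isFull   = (@($p.AccessRights) -join ',') -match 'FullAccess'
            $isAllow  = "$($p.Deny)" -ne 'True'
            $explicit = "$($p.IsInherited)" -ne 'True'
            $notSelf  = "$($p.User)" -ne 'NT AUTHORITY\SELF'   # the owner's own entry
            if ($isFull -and $isAllow -and $explicit -and $notSelf) { $hits.Add($p) }
        }
    }
    end {
        $hits | Group-Object -Property { "$($_.User)" } | ForEach-Object {
            $boxes = @($_.Group | ForEach-Object { "$($_.Identity)" } | Sort-Object -Unique)
            [pscustomobject]@{
                Trustee   = $_.Name
                Mailboxes = $boxes.Count
                CoversAll = ($boxes.Count -ge $MailboxCount)
                Names     = $boxes -join ', '
            }
        } | Sort-Object -Property Mailboxes -Descending
    }
}

# Constructed sample entries (not real tenant data)
$sample = @(
    [pscustomobject]@{ Identity='alice'; User='NT AUTHORITY\SELF';       AccessRights=@('FullAccess','ReadPermission'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='alice'; User='Organization Management'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='bob';   User='Organization Management'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='carol'; User='Organization Management'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='bob';   User='alice@contoso.example';   AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='carol'; User='Discovery Management';    AccessRights=@('FullAccess'); IsInherited=$true;  Deny=$false }
)
$sample | Get-FullAccessDelegation -MailboxCount 3 | Format-Table -AutoSize

# Live use, in the session imported above:
# $all = Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'}
# $all | Get-MailboxPermission | Get-FullAccessDelegation -MailboxCount $all.Count
```

A grant that is no longer needed can be withdrawn per mailbox with Remove-MailboxPermission, passing the same -User and -AccessRights values that were used with Add-MailboxPermission.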

Now it's possible with the standard REST endpoints to get any user's calendar or mailbox items. For the calendar, use:
https://outlook.office365.com/EWS/OData/Users('davida@sjkpdev07.onmicrosoft.com')/Calendar
Or this for the inbox
https://outlook.office365.com/EWS/OData/Users('davida@sjkpdev07.onmicrosoft.com')/Inbox
Where you replace davida@sjkpdev07.onmicrosoft.com with a user from your organization.


Simon J.K. Pedersen
