How to Grant an Exchange Online Administrator Full Access to All Mailboxes with PowerShell

05/07/2014

Why would you ever do that, you might ask? My use case was to create an admin tool as a web page with the Office 365 API tools that would allow the administrator to see statistics for all Exchange mailboxes. Such statistics could be the days with the most booked meetings, or the most common email recipients.

With the Office 365 API tools you can only get access to the resources that the currently logged-in user has access to, so if you want to do statistics across mailboxes, you need a user that has such access. The only way that I know to achieve that is by delegating full access to the mailboxes. This can be done from the GUI in the Exchange Administration portal, but if you have many mailboxes that is not a viable way.

So PowerShell to the rescue.

The first step is to log in with your Exchange admin account. From a Windows PowerShell prompt, run the following commands.

$livecred = Get-Credential

The next step is to get the Exchange cmdlets.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $livecred -Authentication Basic -AllowRedirection

And then we need to import them into our session.

Import-PSSession $Session

Finally, we can run the command that grants members of Organization Management full access to all user mailboxes (the filter skips the mailbox with the alias Admin).

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User "Organization Management" -AccessRights fullaccess -InheritanceType all -AutoMapping $False

The documentation for the PowerShell script can be found here: http://help.outlook.com/en-us/140/gg709759.aspx.
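A grant this broad is worth reviewing afterwards. The following added example (not part of the original post) summarises which trustees hold FullAccess on more than one mailbox. The function name Get-FullAccessSummary, its parameters and the sample entries are assumptions for illustration; the entries mimic the Identity, User, AccessRights and Deny fields that Get-MailboxPermission returns.

```powershell
# Added example (not from the original post): summarise who holds FullAccess.
function Get-FullAccessSummary {
    [CmdletBinding()]
    param(
        # One permission entry, shaped like Get-MailboxPermission output.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Entry,
        # Only report trustees that can open at least this many mailboxes.
        [int]$MinMailboxes = 2
    )
    begin { $byTrustee = @{} }   # trustee -> set of mailbox identities
    process {
        # AccessRights may arrive as an array or as one comma-separated string.
        $rights = @($Entry.AccessRights) -join ','
        if ($rights -notmatch 'FullAccess') { return }
        if ($Entry.Deny) { return }                          # deny entries grant nothing
        if ($Entry.User -eq 'NT AUTHORITY\SELF') { return }  # the mailbox owner itself
        $trustee = [string]$Entry.User
        if (-not $byTrustee.ContainsKey($trustee)) { $byTrustee[$trustee] = @{} }
        $byTrustee[$trustee][[string]$Entry.Identity] = $true
    }
    end {
        foreach ($trustee in $byTrustee.Keys) {
            $boxes = @($byTrustee[$trustee].Keys | Sort-Object)
            if ($boxes.Count -ge $MinMailboxes) {
                [pscustomobject]@{
                    Trustee      = $trustee
                    MailboxCount = $boxes.Count
                    Mailboxes    = $boxes -join '; '
                }
            }
        }
    }
}

# Constructed sample entries (hypothetical mailboxes and trustees).
$sample = @(
    [pscustomobject]@{ Identity = 'alice'; User = 'NT AUTHORITY\SELF';       AccessRights = @('FullAccess', 'ReadPermission'); Deny = $false }
    [pscustomobject]@{ Identity = 'alice'; User = 'Organization Management'; AccessRights = @('FullAccess');     Deny = $false }
    [pscustomobject]@{ Identity = 'bob';   User = 'Organization Management'; AccessRights = @('FullAccess');     Deny = $false }
    [pscustomobject]@{ Identity = 'bob';   User = 'carol@contoso.example';   AccessRights = @('FullAccess');     Deny = $false }
    [pscustomobject]@{ Identity = 'carol'; User = 'Organization Management'; AccessRights = @('ReadPermission'); Deny = $false }
)
$sample | Get-FullAccessSummary | Sort-Object MailboxCount -Descending

# In the imported Exchange session, feed it real entries instead:
#   Get-Mailbox -ResultSize unlimited | Get-MailboxPermission | Get-FullAccessSummary -MinMailboxes 10
# To undo the grant on one mailbox once the tool no longer needs it:
#   Remove-MailboxPermission -Identity <mailbox> -User "Organization Management" -AccessRights FullAccess -InheritanceType All
```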

Now it’s possible with the standard REST endpoints to get any user's calendar or mailbox items. Like so for the calendar:

https://outlook.office365.com/EWS/OData/Users('[email protected]')/Calendar

Or this for the inbox:

https://outlook.office365.com/EWS/OData/Users('[email protected]')/Inbox

Where you replace [email protected] with a user from your organization.