How to review and manage Exchange Online mailbox permissions

  • Last update on May 28th, 2025

Maintaining control over Exchange Online mailbox permissions is not only a cornerstone of good tenant security hygiene but is also crucial for compliance—especially during employee or contractor onboarding, role changes, or offboarding. Gathering all necessary permission data can be time-consuming and complex using Microsoft’s default tools, particularly in large organizations. CoreView provides an enhanced, faster, and more secure alternative for visibility and management.

1. Using Microsoft 365 tools

Microsoft 365 offers methods for reviewing and managing mailbox permissions via both the Exchange Admin Center and PowerShell.

a. Exchange Admin Center (EAC)

The EAC allows you to view and modify permissions at the individual mailbox or group level:

  • In the EAC, select a mailbox and navigate to “Mailbox delegation”.
  • Here, you can assign or review Full Access, Send As, and Send on Behalf permissions.

The EAC does not currently support generating a tenant-wide or consolidated permissions report. Review is available on a per-mailbox basis only. 

 

b. PowerShell 

For a comprehensive, tenant-wide overview—especially in large or complex environments—PowerShell is more flexible and powerful.

Recommended module

Use the latest ExchangeOnlineManagement module. Microsoft has phased out older remote PowerShell methods and recommends the REST-based EXO* cmdlets for better performance, improved security, and future compatibility.

Example:

# Connect to Exchange Online (prompt for credentials)
Connect-ExchangeOnline

# Retrieve all mailboxes (without -ResultSize, only the first 1,000 are returned)
Get-EXOMailbox -ResultSize Unlimited

# Get permissions assigned directly to all mailboxes (e.g., FullAccess)
Get-EXOMailbox -ResultSize Unlimited | Get-EXOMailboxPermission

# Get recipient-level permissions (SendAs)
Get-EXORecipientPermission -ResultSize Unlimited

# Get Send on Behalf permissions
Get-Mailbox -ResultSize Unlimited | Format-List UserPrincipalName,GrantSendOnBehalfTo

For large tenants (tens of thousands of mailboxes), retrieving all permission details can be extremely time-consuming and may impact session limits. Use filtering options (e.g., -Filter, -RecipientTypeDetails) to narrow results and optimize performance.
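
As an added example (not part of the original article, and not CoreView or Microsoft code), the script below builds the consolidated delegate report that the EAC cannot produce, scoped with -RecipientTypeDetails to keep the run short. The SharedMailbox scope, the New-DelegateRow helper, and the CSV file name are assumptions chosen for illustration.

```powershell
# Added example: consolidated delegate report (Full Access, Send As, Send on Behalf).
# Assumptions: ExchangeOnlineManagement is installed; scope and CSV path are illustrative.
Connect-ExchangeOnline -ShowBanner:$false

# Narrow the scope up front instead of pulling every mailbox in the tenant.
$mailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited `
    -Properties GrantSendOnBehalfTo

# Hypothetical helper: one output row per (mailbox, delegate, permission).
function New-DelegateRow($Mailbox, $Delegate, $Permission) {
    [pscustomobject]@{
        Mailbox     = $Mailbox.UserPrincipalName
        MailboxType = $Mailbox.RecipientTypeDetails
        Delegate    = $Delegate
        Permission  = $Permission
    }
}

$report = foreach ($mbx in $mailboxes) {
    # Mailbox-level rights such as FullAccess: drop inherited, deny and SELF entries.
    Get-EXOMailboxPermission -Identity $mbx.UserPrincipalName |
        Where-Object { $_.IsInherited -ne $true -and $_.Deny -ne $true -and
                       $_.User -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { New-DelegateRow $mbx $_.User ($_.AccessRights -join ',') }

    # Send As: recipient-level permission, again ignoring the mailbox's own SELF entry.
    Get-EXORecipientPermission -Identity $mbx.UserPrincipalName |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessControlType -ne 'Deny' } |
        ForEach-Object { New-DelegateRow $mbx $_.Trustee 'SendAs' }

    # Send on Behalf: stored on the mailbox object itself.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        New-DelegateRow $mbx $delegate 'SendOnBehalf'
    }
}

# One flat file that can be sorted, filtered and diffed between review cycles.
$report | Sort-Object Mailbox, Permission |
    Export-Csv -Path .\mailbox-delegates.csv -NoTypeInformation -Encoding UTF8

Disconnect-ExchangeOnline -Confirm:$false
```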

 

Refer to the official Microsoft documentation on the Exchange Online PowerShell V3 module and its cmdlets.

2. Using CoreView

Follow these steps to review and manage Exchange mailbox permissions using CoreView:

Step 1: Visibility

  • Log in to the CoreView app
  • Search for “User mailbox” under “Reports”
  • Alternatively, go to “Reports > Security > User mailbox security”
  • A table lists all delegates, and you can filter it to find what you are looking for.

The data displayed is enriched to expedite the identification of anomalies. You can find details such as recipient type details, company country, and department information of both the delegated mailbox and the delegate. Quite often, during a role change, users can still access mailboxes they should no longer have access to.

Pro Tip

Filter with Type of User with Access = SharedMailbox. This often reveals old or decommissioned user accounts (e.g., user mailboxes migrated to shared) that still have delegate permissions. Removing these helps reduce security risks and eliminates management noise.

 

Step 2: Management

  • Go to “Actions > Management actions”
  • Under the “Filter assistant”, check the “Mailbox” option. This will reveal a list of possible actions.

These actions provide quick and comprehensive management of mailbox permissions, helping keep this aspect of Microsoft Exchange Online under control.

Operators will only be able to see and manage mailboxes within their V-Tenant-defined scope.