Remove a single user’s permissions from all mailboxes in Office 365

Longest title in history?

A while back we were doing some troubleshooting and we added an administrator’s account to have read permissions on all of our mailboxes. Mailbox permissions came up as a topic yesterday in a conversation I was having and I remembered I had meant to clean this up. I could have gone about this a bunch of different ways, but ultimately I wanted to create a script in case I ever needed it again.

Below is the script I came up with – and yes, I’m sure you could do better with less and cleaner code.

# A Script to remove an admin account that has permissions to all mailboxes in Office 365
#
# For troubleshooting we added permissions to all mailboxes for a user account.
# This script removes those permissions.
#
# Created 2/28/2018 Brandon Steili
# Updates:

##########################
# Variables:
# -- accountToRemove: This is the account userAlias you're wanting to remove.
# -- usersToSkip: These are the userAlias(s) of the user accounts you still want the
#    account to have permissions to.
# -- domain: Should be self explanatory, but make sure it is the correct one!
#
##########################

$accountToRemove = "admin"
$usersToSkip = "admin","user1","user2","user3"
$domain = "foo.com"

##########################
#
# Beware, below here be pirates.
# (Nothing to edit below)
#
##########################

## Are we logged in to Office 365?
do {
    $Failed = $false
    Try {
        $OrgName = (Get-OrganizationConfig).Name
    }
    Catch {
        $Failed = $true
        Write-Host "*********************************************"
        Write-Host "*********************************************"
        Write-Host "Your PowerShell session is not connected to Exchange Online."
        Write-Host "Let's fix that."
        Write-Host "*********************************************"
        Write-Host "*********************************************"
        Start-Sleep -m 1250
        # Note: this remote PowerShell endpoint relies on Basic authentication, which Microsoft
        # has since retired; on a current tenant connect with Connect-ExchangeOnline
        # (ExchangeOnlineManagement module) instead.
        $UserCredential = Get-Credential
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        $ErrorActionPreference = 'SilentlyContinue' # and the loop will now retry
    }
}
while ($Failed)

# Set a couple variables for later
$count = ($usersToSkip.count - 1)
$UPN = $accountToRemove + '@' + $domain

# Get all the mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Walk through all the mailboxes
foreach ($mailbox in $mailboxes) {
    $id = 0
    $found = $FALSE

    # Loop through the accounts we want to ignore. If
    # we find an account to ignore we're going to flag it
    while ($id -le $count) {
        $userAlias = $usersToSkip[$id]
        if ($mailbox.alias -eq $userAlias) {
            $found = $TRUE
        }
        $id++
    }

    # If we didn't find one of our accounts to ignore...
    if (!$found) {
        $MBidentity = $mailbox.identity
        # Now verify that the user we're removing has permissions to this mailbox.
        # Otherwise we just get an error and nothing happens but I like cleaner output.
        # Keep the permission objects themselves: piping them through Format-Table inside the
        # if () would only yield formatting records, which is not a usable test.
        $perms = Get-MailboxPermission $MBidentity | Where-Object { $_.User -like $UPN }
        if ($perms) {
            # Verified that there were permissions for the admin on this account, so show and remove them.
            $perms | Format-Table @{Name="Identity";expression={($_.Identity -split "/")[-1]}}, User -AutoSize
            Write-Host "Removing $UPN from $MBidentity"
            Remove-MailboxPermission $MBidentity -AccessRights FullAccess -User $UPN -InheritanceType All -Confirm:$false
        }
    } else {
        Write-Host "SKIPPED -- this was a mailbox requested to skip -- NO ACTION TAKEN"
    }
}

Here’s a link to a text version in my Google Drive (rename to .ps1 after download):
https://goo.gl/bjtXhc
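As an added example (my code, not Brandon's script above), here is an audit-first variant of the same cleanup: it first reports every mailbox where the account still holds an explicit FullAccess grant, writes that list to a CSV as a record of what was found, and only removes grants when run with -Remove (so -WhatIf previews the changes). It assumes an already-connected Exchange Online session; the function name, parameter names and the CSV path are my choices.

```powershell
# Added example, not from the original post. Assumes you are already connected to
# Exchange Online (e.g. Connect-ExchangeOnline from the ExchangeOnlineManagement module).
function Remove-LeftoverMailboxAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. admin@foo.com
        [string[]] $SkipAliases = @(),                         # mailboxes to leave alone
        [string]   $ReportPath  = ".\leftover-access.csv",     # audit record
        [switch]   $Remove                                     # audit-only unless set
    )

    $report = foreach ($mb in Get-Mailbox -ResultSize Unlimited) {
        if ($mb.Alias -in $SkipAliases) { continue }

        # Only explicit (non-inherited) FullAccess grants for this user count; inherited
        # entries come from the default mailbox ACL, not from the troubleshooting grant.
        $grants = Get-MailboxPermission -Identity $mb.Identity -User $UserPrincipalName |
            Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' }

        foreach ($g in $grants) {
            $removed = $false
            if ($Remove -and $PSCmdlet.ShouldProcess($mb.PrimarySmtpAddress, "Remove FullAccess for $UserPrincipalName")) {
                Remove-MailboxPermission -Identity $mb.Identity -User $UserPrincipalName `
                    -AccessRights FullAccess -InheritanceType All -Confirm:$false
                $removed = $true
            }
            # One row per grant found, whether or not it was removed on this run
            [pscustomobject]@{
                Mailbox   = $mb.PrimarySmtpAddress
                User      = $g.User
                Rights    = ($g.AccessRights -join ',')
                Deny      = $g.Deny
                Removed   = $removed
                CheckedAt = (Get-Date).ToString('s')
            }
        }
    }

    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    $report
}

# Audit only: list what is left, nothing changes.
# Remove-LeftoverMailboxAccess -UserPrincipalName 'admin@foo.com' -SkipAliases 'admin','user1'
# Preview the removals, then drop -WhatIf to apply them.
# Remove-LeftoverMailboxAccess -UserPrincipalName 'admin@foo.com' -SkipAliases 'admin' -Remove -WhatIf
```

Running the audit again after the removal should return no rows, which is the check that the troubleshooting grant is actually gone from every mailbox outside the skip list.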