
Remove a single user's permissions from all mailboxes in Office 365

Longest title in history?

A while back we were doing some troubleshooting and we added an administrator's account to have read permissions on all of our mailboxes. Mailbox permissions came up as a topic yesterday in a conversation I was having and I remembered I had meant to clean this up. I could have gone about this a bunch of different ways, but ultimately I wanted to create a script in case I ever needed it again.

Below is the script I came up with - and yes, I'm sure you could do better with less and cleaner code.

[code language="powershell"]
# A script to remove an admin account that has permissions to all mailboxes in Office 365
#
# For troubleshooting we added permissions to all mailboxes for a user account.
# This script removes those permissions.
#
#
# Created 2/28/2018 Brandon Steili
# Updates:

####################
# Variables:
# -- accountToRemove: This is the account userAlias you're wanting to remove.
# -- usersToSkip: These are the userAlias(s) of the user accounts you still want the
#    account to have permissions to.
# -- domain: Should be self explanatory, but make sure it is the correct one!
#

$accountToRemove = "admin"
$usersToSkip = "admin","user1","user2","user3"
$domain = "foo.com"

####################
#
# Beware, below here be pirates.
# (Nothing to edit below)
#

## Are we logged in to Office 365?
do {
    $Failed = $false
    Try {
        $OrgName = (Get-OrganizationConfig).Name
    }
    Catch {
        $Failed = $true
        Write-Host "*********************************************"
        Write-Host "*********************************************"
        Write-Host "Your PowerShell session is not connected to Exchange Online."
        Write-Host "Let's fix that."
        Write-Host "*********************************************"
        Write-Host "*********************************************"
        Start-Sleep -Milliseconds 1250
        $UserCredential = Get-Credential
        # NOTE: this Basic-authentication endpoint has since been retired by Microsoft.
        # On a current tenant replace the next two lines with Connect-ExchangeOnline
        # from the ExchangeOnlineManagement module.
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        # Suppress non-terminating errors for the rest of the script
        $ErrorActionPreference = 'SilentlyContinue'
        # and the loop will now retry
    }
} while ($Failed)

# Set a variable for later
$UPN = $accountToRemove + '@' + $domain

# Get all the mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Walk through all the mailboxes
foreach ($mailbox in $mailboxes) {
    # Is this one of the mailboxes we were asked to leave alone?
    $found = $usersToSkip -contains $mailbox.Alias

    # If we didn't find one of our accounts to ignore...
    if (!$found) {
        $MBidentity = $mailbox.Identity
        # Now verify that the user we're removing has permissions to this mailbox.
        # Otherwise we just get an error and nothing happens, but I like cleaner output.
        $existing = Get-MailboxPermission -Identity $MBidentity |
            Where-Object { $_.User -eq $UPN -and $_.AccessRights -contains 'FullAccess' }
        if ($existing) {
            # Verified that there were permissions for the admin on this account, so remove them.
            Write-Host "Removing $UPN from $MBidentity"
            Remove-MailboxPermission -Identity $MBidentity -AccessRights FullAccess -User $UPN -InheritanceType All -Confirm:$false
        }
    }
    else {
        Write-Host "SKIPPED -- $($mailbox.Alias) was a mailbox requested to skip -- NO ACTION TAKEN"
    }
}
[/code]

Here's a link to a text version in my Google Drive (rename to .ps1 after download): https://goo.gl/bjtXhc
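The script above decides what to remove and removes it in the same loop, so the only way to see what it will do is to run it. The following is an added example, not code from the original post or its Google Drive copy: it splits the selection of permission entries from their removal, so the selection can be exercised offline on constructed data and the removal can be dry-run with -WhatIf before it touches a tenant. It assumes the property names Get-MailboxPermission returns in Exchange Online (Identity, User, AccessRights, IsInherited, Deny); the MailboxAlias field and the sample entries are constructed for the example. Beyond what the original script checks, it also ignores inherited and Deny entries (which the troubleshooting grant would not have created, and which Remove-MailboxPermission cannot remove anyway) and entries that carry only ReadPermission rather than FullAccess.

```powershell
# Added example (not the original post's code): separate "decide what to remove"
# from "remove it". Property names follow Get-MailboxPermission output in
# Exchange Online; MailboxAlias and the sample entries below are constructed.

function Select-PermissionsToRemove {
    [CmdletBinding()]
    param(
        # Permission entries, each tagged with the alias of the mailbox it belongs to.
        [Parameter(Mandatory)] [object[]] $Entries,
        # UPN of the account whose access is being cleaned up.
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        # Mailbox aliases the account should keep access to.
        [string[]] $SkipAliases = @()
    )
    foreach ($e in $Entries) {
        if ($SkipAliases -contains $e.MailboxAlias)    { continue }  # explicitly retained
        if ([string]$e.User -ne $UserPrincipalName)   { continue }  # some other trustee
        if ($e.IsInherited -or $e.Deny)               { continue }  # not a direct Allow grant
        if ($e.AccessRights -notcontains 'FullAccess') { continue }  # e.g. ReadPermission only
        $e
    }
}

function Remove-SelectedPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Entry)
    process {
        # With -WhatIf, ShouldProcess prints the intended action and returns $false,
        # so Remove-MailboxPermission is never called; -Confirm prompts per mailbox.
        if ($PSCmdlet.ShouldProcess($Entry.Identity, "Remove FullAccess for $($Entry.User)")) {
            Remove-MailboxPermission -Identity $Entry.Identity -User $Entry.User `
                -AccessRights FullAccess -InheritanceType All -Confirm:$false
        }
    }
}

# Against a live tenant the entries would be built like this (assumed, not run here):
#   Get-Mailbox -ResultSize Unlimited | ForEach-Object {
#       $mb = $_
#       Get-MailboxPermission -Identity $mb.Identity |
#           Select-Object @{n='MailboxAlias'; e={ $mb.Alias }}, Identity, User, AccessRights, IsInherited, Deny
#   }
# Constructed sample data standing in for that output:
$sample = @(
    [pscustomobject]@{ MailboxAlias='user1'; Identity='foo.com/Users/User One';  User='admin@foo.com';     AccessRights=@('FullAccess');                  IsInherited=$false; Deny=$false }
    [pscustomobject]@{ MailboxAlias='user4'; Identity='foo.com/Users/User Four'; User='admin@foo.com';     AccessRights=@('FullAccess');                  IsInherited=$false; Deny=$false }
    [pscustomobject]@{ MailboxAlias='user4'; Identity='foo.com/Users/User Four'; User='NT AUTHORITY\SELF'; AccessRights=@('FullAccess','ReadPermission'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ MailboxAlias='user5'; Identity='foo.com/Users/User Five'; User='admin@foo.com';     AccessRights=@('ReadPermission');              IsInherited=$false; Deny=$false }
    [pscustomobject]@{ MailboxAlias='user6'; Identity='foo.com/Users/User Six';  User='admin@foo.com';     AccessRights=@('FullAccess');                  IsInherited=$true;  Deny=$false }
)

$plan = Select-PermissionsToRemove -Entries $sample -UserPrincipalName 'admin@foo.com' `
            -SkipAliases 'admin','user1','user2','user3'

# Only user4's direct FullAccess grant to admin@foo.com survives the filters:
# user1 is on the skip list, the SELF entry belongs to another trustee,
# user5 has ReadPermission only, and user6's entry is inherited.
$plan | Format-Table MailboxAlias, User, AccessRights -AutoSize

# Dry run first; drop -WhatIf once the plan looks right.
$plan | Remove-SelectedPermission -WhatIf
```

Running the selection on its own also gives you a record of what was about to change, which is worth keeping alongside the mailbox audit log when the account being stripped is an administrator.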