Powershell for O365 GUI: permissions

Question

Background:

It seems someone has set user-mailbox permissions using the O365 GUI (not exchange online GUI):

Issue:

This means I can't use the normal exchange-powershell method to check mailbox permissions... like we can if set using Exchange Online Admin Center GUI or Add-MailboxPermission:

Import-PSSession ( New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Authentication Basic -AllowRedirection -Credential (Get-Credential myname@myco.com ) )
Get-MailboxPermission SharedUser@myco.com

^^ This does not return the permissions set in O365 GUI. Only Exchange Online.

Question:

What is the correct commandlet to manage the permissions set using the O365 GUI ?

Previous work:

I have tried looking at the MSOL-User commandlets also, as these seem to use O365 rather than exchange online... but they don't have one relating to permissions.

Also I have previously checked mailboxfolderpermission.

More Clarifications:

StaffMember@myco.com can see SharedUser@myco.com's mailbox in outlook.
This is also represented in:
Office 365 control panel / GUI > Users > SharedUser > Mail Settings > Mailbox Permissions
These permissions do NOT seem to show in Exchange Admin Center or exchange powershell.

Can you add screenshots of O365 Portal, EAC and what you enter in PowerShell and what you receive? Of course hide the sensitive data but in the way that we can distinguish shareduser from staffmember — Robert Dyjas

Robert Dyjas Robert Dyjas · Accepted Answer · 2018-10-09T07:46:27

There are three types of permissions you can set over the mailbox: FullAccess, SendAs and SendOnBehalf. Each of them can be checked/managed using different cmdlets:

FullAccess (Read and manage in O365 GUI) can be viewed using Get-MailboxPermission and managed using Add-MailboxPermission/Remove-MailboxPermission
SendAs can be viewed using Get-RecipientPermission and managed using Add-RecipientPermission/Remove-RecipientPermission
SendOnBehalf can be viewed using Get-Mailbox and managed usingSet-Mailbox (parameter GrantSendOnBehalfTo)

Clarifying the question from comments:

Unfortunately Get-RecipientPermission says "applied to: Exchange online" and I am specifically talking about Office365 which seems to be a different set of cmdlets. Other-User had full access to shared-user's mailbox, yet Get-MailboxPermission shared-user showed nothing about the Other-User.

The fact that permissions can be set via O365 portal doesn't mean that the permissions are not set in Exchange Online. Office 365 user objects (the ones you can access via Get-MsolUser) cannot have FullAccess/SendAs/SendOnBehalf set on them, only mailboxes can have them.

When you set the permission (let's say you add Read and manage over shared-user to other-user) via O365 portal, the change should reflect on the Exchange Admin Center (when you check shared-user you'll see other-user in Full Access field) and in Get-MailboxPermission shared-user. Not sure what happened that you haven't seen these permissions but check these three first. It might be some delay in synchronization too.

Powershell for O365 GUI: permissions

1 Answers