How to Grant an Exchange Online Administrator Full Access to All Mailboxes with PowerShell


Why would you ever do that you might ask. My use case was to create an admin tool as a webpage with the Office 365 API tools, that would allow the administrator to see statistics for all exchange mailboxes. Statistics that could could be days with most booked meetings, or the most common email recipients.

With the Office 365 API tools you can only get access to the resources that the currently logged in user have access to, so if you want to do statistics across mailboxes, well then you need a user that have such access. And the only way that I know to to achieve that is by delegate full access to the mailboxes, this can be done from the GUI in the Exchange Administration portal, but if you have many mailboxes that is not a viable way.

So powershell to the rescue.

First step is to login with your exchange admin from a windows powershell run the following commands.

$livecred = Get-Credential

Next step is to get the Exchange commandlets.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $livecred -Authentication Basic -AllowRedirection

And then we need to import them into our session

Import-PSSession $Session

Finally we can run the command that grants users of the Organization Management, full access to all mailboxes.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User "Organization Management" -AccessRights fullaccess -InheritanceType all -AutoMapping $False

The documentation for the powershell script can be found here:

Now it’s possible with the standard rest endpoints to get any users calendar or mailbox items. Like so for the calendar'[email protected]')/Calendar

Or this for the inbox'[email protected]')/Inbox

Where you replace [email protected] with a user from your organization.