@ergosteur
Created May 28, 2024 23:23
This PowerShell script retrieves and displays the delegated permissions for a specified mailbox (SendAs, SendOnBehalf, FullAccess) or group (SendAs, SendOnBehalf, Members) in Exchange Online.
<#
.NOTES
Script: Get-AllMailboxDelegation.ps1
Author: ergosteur/Matthieu + Copilot
Date: 28 May 2024
Version: 1.0
.SYNOPSIS
This script retrieves and displays the delegated permissions for a specified mailbox or group in Exchange Online.
.DESCRIPTION
The script takes an Identity as a parameter, which can be the UserPrincipalName or Alias of a mailbox or group. It retrieves the recipient details for this Identity and displays them. It then checks the specified flags (SendAsPermissions, FullAccessPermissions, SendOnBehalfPermissions, AllFolderPermissions) and retrieves the corresponding permissions for the recipient. For group mailboxes, it retrieves the group owners and members instead of Full Access permissions. If the AllFolderPermissions flag is set, it retrieves the folder permissions for all folders in the mailbox.
.PARAMETER Identity
The UserPrincipalName or Alias of the mailbox or group to retrieve permissions for.
.PARAMETER SendAsPermissions
If set to true (default), the script retrieves the SendAs permissions for the recipient.
.PARAMETER FullAccessPermissions
If set to true (default), the script retrieves the Full Access permissions for the recipient (or the group owners and members for group mailboxes).
.PARAMETER SendOnBehalfPermissions
If set to true (default), the script retrieves the Send on Behalf permissions for the recipient.
.PARAMETER AllFolderPermissions
If set to true (false by default), the script retrieves the folder permissions for all folders in the mailbox.
.EXAMPLE
.\Get-AllMailboxDelegation.ps1 -Identity "user@example.com" -SendAsPermissions $true -FullAccessPermissions $true -SendOnBehalfPermissions $true -AllFolderPermissions $false
This example retrieves the SendAs, Full Access, and Send on Behalf permissions for the mailbox with the UserPrincipalName "user@example.com" (placeholder address).
#>
param (
    [Parameter(Mandatory=$true)]
    [string]$Identity,
    [bool]$SendAsPermissions = $true,
    [bool]$FullAccessPermissions = $true,
    [bool]$SendOnBehalfPermissions = $true,
    [bool]$AllFolderPermissions = $false
)
$fgColor = "Cyan"
$bgColor = "Black"
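# Get the mailbox's recipient details; stop here if the identity does not resolve,
# so the later lookups never run against an empty recipient
$mailboxRecipientDetails = Get-Recipient -Identity $Identity -ErrorAction Stop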
Write-Host "`nGetting delegated permissions for the following recipient object:" -ForegroundColor $fgColor -BackgroundColor $bgColor
$mailboxRecipientDetails | Format-Table -AutoSize -Property Name,Alias,PrimarySmtpAddress,RecipientTypeDetails,DistinguishedName
# Get SendAs permissions
if ($SendAsPermissions) {
    Write-Host "SendAs permissions:" -ForegroundColor $fgColor -BackgroundColor $bgColor
    # Query by DistinguishedName: Name is not guaranteed to be unique across recipients
    Get-RecipientPermission -Identity $mailboxRecipientDetails.DistinguishedName | Format-Table -AutoSize
}
# Get Send on Behalf permissions
if ($SendOnBehalfPermissions) {
    Write-Host "`nSend on Behalf permissions:" -ForegroundColor $fgColor -BackgroundColor $bgColor
    if ($mailboxRecipientDetails.RecipientTypeDetails -eq "GroupMailbox") {
        # Resolve each delegate listed on the group to a user object
        (Get-UnifiedGroup -Identity $Identity).GrantSendOnBehalfTo | ForEach-Object {
            Get-User -Identity $_ -Filter "Name -eq '$_'"
        } | Format-Table -Property Name,UserPrincipalName,DisplayName,RecipientType,DistinguishedName -AutoSize
    } else {
        (Get-Mailbox -Identity $Identity).GrantSendOnBehalfTo
    }
}
# Get Full Access permissions (skip for group mailbox)
if (($FullAccessPermissions) -and -not ($mailboxRecipientDetails.RecipientTypeDetails -eq "GroupMailbox")) {
    Write-Host "`nFull Access permissions:" -ForegroundColor $fgColor -BackgroundColor $bgColor
    Get-MailboxPermission -Identity $Identity | Where-Object { $_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false } | Format-Table -AutoSize
}
# Get group owners and members instead of Full Access permissions (only for group mailbox)
if (($FullAccessPermissions) -and ($mailboxRecipientDetails.RecipientTypeDetails -eq "GroupMailbox")) {
    Write-Host "`nGroup owners:" -ForegroundColor $fgColor -BackgroundColor $bgColor
    Get-UnifiedGroupLinks -Identity $Identity -LinkType Owners | Format-Table -Property Name,Alias,PrimarySmtpAddress,DisplayName,RecipientType,DistinguishedName -AutoSize
    Write-Host "`nGroup members:" -ForegroundColor $fgColor -BackgroundColor $bgColor
    Get-UnifiedGroupLinks -Identity $Identity -LinkType Members | Format-Table -Property Name,Alias,PrimarySmtpAddress,DisplayName,RecipientType,DistinguishedName -AutoSize
}
# Get Folder permissions for all folders
if ($AllFolderPermissions) {
    Write-Host "`nFolder permissions:" -ForegroundColor $fgColor -BackgroundColor $bgColor
    # Use FolderPath rather than Name so that nested folders resolve;
    # Get-MailboxFolderPermission expects "mailbox:\Folder\Subfolder"
    $folders = (Get-MailboxFolderStatistics -Identity $Identity).FolderPath
    foreach ($folder in $folders) {
        $folderPath = $folder.Replace('/', '\')
        Write-Host "`n$folderPath permissions:" -ForegroundColor $fgColor -BackgroundColor $bgColor
        Get-MailboxFolderPermission -Identity "$($Identity):$folderPath" | Format-Table -AutoSize
    }
}
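
The script above prints its results with Format-Table, which suits a one-off look but cannot be stored or compared. The following is an added example, not part of the gist or the author's code: it collects the same SendAs, Full Access and Send on Behalf grants as objects and compares them with a saved snapshot, so a delegation added since the last review stands out. The function name Get-DelegationRecord, the CSV path and the sample address are assumptions.

```powershell
# Added example, not part of Get-AllMailboxDelegation.ps1.
# Assumes an active Connect-ExchangeOnline session.
# Get-DelegationRecord, the CSV path and shared@example.com are hypothetical/constructed.
function Get-DelegationRecord {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Identity
    )
    process {
        $recipient = Get-Recipient -Identity $Identity -ErrorAction Stop
        $dn        = $recipient.DistinguishedName
        $record    = {
            param ($Right, $Trustee)
            [pscustomobject]@{
                Mailbox = [string]$recipient.PrimarySmtpAddress
                Right   = $Right
                Trustee = [string]$Trustee
            }
        }
        # SendAs, ignoring the mailbox's own SELF entry
        Get-RecipientPermission -Identity $dn |
            Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object { & $record 'SendAs' $_.Trustee }
        # For group mailboxes only SendAs is collected in this example
        if ($recipient.RecipientTypeDetails -eq 'GroupMailbox') { return }
        # FullAccess: explicit (non-inherited) grants only, as in the script
        Get-MailboxPermission -Identity $dn |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited } |
            ForEach-Object { & $record 'FullAccess' $_.User }
        # Send on Behalf (skip the empty value an unset property yields)
        (Get-Mailbox -Identity $dn).GrantSendOnBehalfTo |
            Where-Object { $_ } |
            ForEach-Object { & $record 'SendOnBehalf' $_ }
    }
}

# Compare the current grants with the last reviewed snapshot
$baselinePath = '.\delegation-baseline.csv'
$current = @('shared@example.com' | Get-DelegationRecord)
if (Test-Path $baselinePath) {
    $baseline = @(Import-Csv -Path $baselinePath)
    # '=>' marks a grant added since the baseline, '<=' one that was removed
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Mailbox, Right, Trustee
} else {
    $current | Export-Csv -Path $baselinePath -NoTypeInformation
}
```

The first run only writes the baseline; overwrite it after each review so later runs report changes since that review.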