jheinrichs79

Permission Audit - (Rooms, Equipment & Shared Mailboxes)

Sep 29th, 2019
  1. <#
  2. .SYNOPSIS
  3.   Get all the permissions for User, Room, Equipment and Shared mailboxes for your o365 Tenant
  4. .DESCRIPTION
  5.   Great for documenting and auditing o365 Exchange Permissions
  6.  
  7. .PARAMETER  <None>
  8.    
  9. .INPUTS
  10.   <None>
  11. .OUTPUTS
  12.   <Outputs to C:\bin unless you edit the Initialisations section >
  13. .NOTES
  14.   Version:        1.0.2
  15.   Author:         <Jared Heinrichs>
  16.   Creation Date:  <10/01/2019>
  17.   Purpose/Change: Audit my o365 Exchange Environment
  18.  
  19. .EXAMPLE
  20.   <Just run the Powershell script!>
  21. #>
  22.  
  23. #---------------------------------------------------------[Initialisations]--------------------------------------------------------
  24.  
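  # UserName (UPN) of the o365 Admin account that the audit will be performed under.
  # Only the account name belongs here: the password is requested interactively by
  # Get-Credential in Connect-EXOnline, so never add a password to this file.
  # NOTE(review): the audit only reads permissions, so an account limited to read-only
  # Exchange roles should be enough - confirm the role covers every cmdlet used below.
  [string]$O365Credential = "email.address@domain.com"

  <# --------------[ $Mailbox Types ] -------------------------
  An Array of Mailboxes to audit.
  Options that can be used:
      DiscoveryMailbox
      EquipmentMailbox
      GroupMailbox
      LegacyMailbox
      LinkedMailbox
      LinkedRoomMailbox
      RoomMailbox
      SchedulingMailbox
      SharedMailbox
      TeamMailbox
      UserMailbox
  #>

  # Plain ASCII quotes are used for every entry. The original listing mixed in
  # typographic quotes, which only parse when the file encoding survives the
  # copy/paste and save unchanged.
  $MailboxTypes = @(
    "RoomMailbox",
    "SharedMailbox",
    "EquipmentMailbox",
    "UserMailbox"
  )

  <#--------------[ $ReportFolder Examples ] -------------------------

        "C:\bin\" or
        "C:\Reports\o365Auditing\"
        etc...

   Notice in each of the examples, a trailing '\' was used.
   This is required for the script to run!

   The reports list who can open which mailbox, so pick a folder that only
   the people doing the audit can read.

  -----------------------------------------------------------------
  $ReportFolder = "C:\bin\" #<----- Make Sure to have trailing "\"
  #>
  $ReportFolder = "C:\bin\"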
  64.  
  65. #---------------------------------------------------------[Functions]--------------------------------------------------------------
  66.  
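  Function Connect-EXOnline {
    <#
    .SYNOPSIS
      Prompts for the admin password and imports an Exchange Online remote session.
    .PARAMETER UserName
      Account name that is pre-filled in the Get-Credential prompt.
    .OUTPUTS
      The status string written with Write-Output and whatever Import-PSSession emits.
    .NOTES
      SECURITY: the session is opened with -Authentication Basic. Basic authentication
      cannot satisfy MFA or conditional-access policies, and Microsoft has deprecated it
      for Exchange Online remote PowerShell. The supported replacement is
      Connect-ExchangeOnline from the ExchangeOnlineManagement module; it is not used
      here because that module is not a dependency of this script.
    #>
    param (
      [String]$UserName
    )

    # Interactive prompt: the password is never stored in the script.
    $credentials = Get-Credential -Credential $UserName
    Write-Output "Getting the Exchange Online cmdlets"

    # -ErrorAction Stop turns a failed logon into a terminating error. Without it the
    # script would carry on with no session, and the audit would produce empty reports
    # that look like "no permissions found".
    $Session = New-PSSession -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
      -ConfigurationName Microsoft.Exchange -Credential $credentials `
      -Authentication Basic -AllowRedirection -ErrorAction Stop
    Import-PSSession $Session
  }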
  80.  
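  Function Disconnect-EXOnline {
    <#
    .SYNOPSIS
      Closes every PSSession in this PowerShell session whose ConfigurationName is
      'Microsoft.Exchange'.
    .NOTES
      The original loop called Remove-PSSession with the whole session list, so one
      Exchange match also closed unrelated sessions. Only the matching sessions are
      removed here.
    #>
    Get-PSSession |
      Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
      Remove-PSSession
  }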
  89.  
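  Function Get-MailboxPermissions {
    <#
    .SYNOPSIS
      Collects folder-level and mailbox-level permissions for one mailbox.
    .PARAMETER MailBoxName
      Identity passed to Get-Mailbox.
    .PARAMETER AccountDisabled
      Value copied into the AccountDisabled column of every returned row.
    .OUTPUTS
      One object per permission entry with Identity, User, AccessRights, AccountDisabled.
    .NOTES
      Audit coverage (read before relying on the report):
        * Only the mailbox root folder and the folder literally named "Calendar" are
          queried. Other folders are not covered, and a mailbox whose calendar folder
          has a localized name will not match ":\Calendar".
        * Mailbox-level rights are kept only when they include FullAccess.
        * Send As and Send on Behalf are not collected here; those come from
          Get-RecipientPermission and the GrantSendOnBehalfTo property of the mailbox.
    #>
    param (
      [string]$MailBoxName,
      [Boolean]$AccountDisabled
    )

    # Resolve the mailbox once instead of three separate remote Get-Mailbox calls.
    $Mailboxes = @(Get-Mailbox $MailBoxName)

    # Each result set is wrapped in @() so the "+" below is always array concatenation.
    # The original used "+=" on the raw result, which is not an append when the first
    # query returns a single object.

    # Permissions on the mailbox root folder, granted by the end user
    $FolderGrants = @(
      $Mailboxes |
        ForEach-Object { Get-MailboxFolderPermission $($_.PrimarySmtpAddress) } |
        Select-Object Identity, User, AccessRights
    )

    # Permissions on the Calendar folder, granted by the end user
    $CalendarGrants = @(
      $Mailboxes |
        ForEach-Object { Get-MailboxFolderPermission $($_.PrimarySmtpAddress + ":\Calendar") } |
        Select-Object Identity, User, AccessRights
    )

    # Mailbox permissions granted by an administrator.
    # The -notlike filters drop unresolved SIDs, NT AUTHORITY entries and accounts
    # prefixed "NAMPRD02".
    # NOTE(review): "NAMPRD02" looks specific to the author's tenant. Confirm the prefix
    # for your own tenant, or filter on the IsInherited property instead, otherwise
    # system entries will appear in the report.
    $AdminGrants = @(
      $Mailboxes |
        Get-MailboxPermission |
        Where-Object {
          ($_.AccessRights -eq "FullAccess") -and
          ($_.User -notlike "S-1-5*") -and
          ($_.User -notlike "NAMPRD02*") -and
          ($_.User -notlike "NT AUTH*") } |
        Select-Object Identity, User, AccessRights
    )

    # Emit one row per entry, in the same column order as before. Assignments never
    # write to the pipeline, so no variables need clearing to keep the output clean.
    $FolderGrants + $CalendarGrants + $AdminGrants |
      Select-Object Identity, User, AccessRights,
        @{ Name = 'AccountDisabled'; Expression = { $AccountDisabled } }
  }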
  137.  
  138. #============================================================================================
  139. #Start o365 Mailbox Permission Auditing
  140. #============================================================================================
  141.  
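  Clear-Host
  # Connect-EXOnline declares -UserName. The original call passed -Credential, which
  # does not bind the account name to that parameter.
  Connect-EXOnline -UserName $O365Credential

  # Check for an open Exchange session before the screen is cleared. Otherwise a failed
  # logon is wiped from view and the loop below writes empty reports that can be
  # mistaken for a clean audit.
  $OpenExchangeSession = Get-PSSession | Where-Object {
    ($_.ConfigurationName -eq 'Microsoft.Exchange') -and ($_.State -eq 'Opened')
  }
  if (-not $OpenExchangeSession) {
    throw "No open Exchange Online session; aborting so that empty reports are not mistaken for a clean audit."
  }
  Clear-Host

  try {
    # Cycle through all the Mailbox Types (one at a time) as defined in the Initialisations section
    foreach ($MailboxType in $MailboxTypes) {
      Write-Host "===================================="
      Write-Host "Gathering Mailbox Type: $MailboxType"
      Write-Host "===================================="

      # Get all mailboxes of type ==| $MailboxType |==
      $Mailbox = Get-Mailbox -RecipientTypeDetails $MailboxType |
        Select-Object Name, Alias, PrimarySmtpAddress, AccountDisabled

      $MailBoxPermissions = @()

      # Go through all the mailboxes of the selected type and collect their permissions.
      # @() keeps a mailbox that returns nothing from adding an empty row.
      foreach ($item in $Mailbox) {
        Write-Host 'Getting' $item.Name 'Permissions'
        $MailBoxPermissions += @(Get-MailboxPermissions -MailBoxName $item.Name -AccountDisabled $item.AccountDisabled)
      }

      # Export the Mailbox Permissions.
      # Join-Path works whether or not $ReportFolder ends with '\'.
      # The CSV lists who can open which mailbox: keep the folder readable by auditors only.
      $ReportFile = Join-Path -Path $ReportFolder -ChildPath ($MailboxType + '.csv')
      Write-Host "Exporting Report to: $ReportFile"
      $MailBoxPermissions | Sort-Object Identity | Export-Csv $ReportFile -NoTypeInformation
      Write-Host "Export Complete."
    }
  }
  finally {
    # Always close the admin session, even when a query or the export fails part-way.
    Disconnect-EXOnline
  }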