fbpx

Blog

Back

Grant Full Access to all mailboxes in Office 365

22 Feb 2013 by Emma Robinson

Cogmotive Reports is now Radar Reporting! Same great reporting application, but a brand new name and look. Find out more here.
Want to save this blog for later? Download it now.
Here’s a quick way to give Administrator accounts full access to all users mailboxes in your Office 365 environment.
Pro-Tip: Use our Office 365 reports to see which users have full access to particular mailboxes!

Create a Security Group which will contain your Admin accounts

  • Log in to the Microsoft Office 365 Portal.
  • Click Distribution Groups under Manage Outlook and Exchange Settings.
  • Click the New button.
  • Type a name and alias for your group, something like Tenant_Admins
  • Tick the box that says Make this group a security group
  • Add your tenant administrators (or people who you want to have access to all users mailboxes) as members of this group.
  • Save the group

New Security Group for Administrators

New Security Group for Administrators


It might be worth hiding this group from the Address Book so your administrators don’t get hassled with emails from your users.
You can do that by double clicking the group and ticking the Hide this group from the shared address book box.
Hide Group from Address List

Hide Group from Address List

Grant this group Full Access permissions to all users mailboxes

Now we need to give this group full access to all users mailboxes. We need to do this in PowerShell. The cmdlet below will give all members of the group we created above full access to all User Mailboxes.
Firstly, connect to Office 365 using PowerShell as an administrator.
Now, run the following cmdlet. But remember to replace the bold bit with the security group you created above.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User tenant_admins@yourdomain.onmicrosoft.com -AccessRights FullAccess -InheritanceType all

It should do something like this:

PS C:\Users\burns_000\Desktop> Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User tenant_admins@powershell.onmicrosoft.com - AccessRights FullAccess -InheritanceType all
Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
alan                 EURPRD06\Tenant A... {FullAccess}                                                False       False
dan                  EURPRD06\Tenant A... {FullAccess}                                                False       False
steve                EURPRD06\Tenant A... {FullAccess}                                                False       False
PS C:\Users\burns_000\Desktop>

So what if we want to remove these permissions?
Easy, just change the second cmdlet from Add-MailboxPermission to Remove-MailboxPermission

PS C:\Users\burns_000\Desktop> Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Remove-MailboxPermission -User tenant_admins@yourdomain.onmicrosoft.com -AccessRights FullAccess-InheritanceType all
Confirm
Are you sure you want to perform this action?
Removing mailbox permission "alan" for user "tenant_admins@cogmotive.onmicrosoft.com" with access rights
"'FullAccess'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): a
PS C:\Users\burns_000\Desktop>

Important things to remember

All the users inside the Tenant Admins will now have access to look inside all your users mailboxes.
You will need to re-run the first cmdlet each time you add a new mailbox to make sure that the permissions apply.
If you found this blog post useful, and want to refer to it again, why not download it as a PDF?

Related Posts

These other blog posts may be of interest to you:

whois: Andy White Freelance WordPress Developer London