Maintaining control over Exchange Online mailbox permissions is not only a cornerstone of good tenant security hygiene but is also crucial for compliance—especially during employee or contractor onboarding, role changes, or offboarding. Gathering all necessary permission data can be time-consuming and complex using Microsoft’s default tools, particularly in large organizations. CoreView provides an enhanced, faster, and more secure alternative for visibility and management.
Microsoft 365 offers methods for reviewing and managing mailbox permissions via both the Exchange Admin Center and PowerShell.
The EAC allows you to view and modify permissions at the individual mailbox or group level:
The EAC does not currently support generating a tenant-wide or consolidated permissions report. Review is available on a per-mailbox basis only.
For a comprehensive, tenant-wide overview—especially in large or complex environments—PowerShell is more flexible and powerful.
Recommended module
Use the latest ExchangeOnlineManagement module. Microsoft has phased out older remote PowerShell methods and recommends the REST-based EXO* cmdlets for better performance, improved security, and future compatibility.
Example:
For large tenants (tens of thousands of mailboxes), retrieving all permission details can be extremely time-consuming and may impact session limits. Use filtering options (e.g.,-Filter
,-RecipientTypeDetails
) to narrow results and optimize performance.
Refer to the official Microsoft documentation on Exchange Online PowerShell V3 cmdlets and module.
Follow these steps to review and manage Exchange mailbox permissions using CoreView:
The data displayed is enriched to expedite the identification of anomalies. You can find details such as recipient type details, company country, and department information of both the delegated mailbox and the delegate. Quite often, during a role change, users can still access mailboxes they should no longer have access to.
Pro TIP - Filter with Type of User with Access = SharedMailbox. This often reveals old or decommissioned user accounts (e.g., user mailboxes migrated to shared) that still have delegate permissions. Removing these helps reduce security risks and eliminates management noise.
These actions provide quick and comprehensive management of mailbox permissions, helping keep this aspect of Microsoft Exchange Online under control.
Operators will only be able to see and manage mailboxes within their V-Tenant-defined scope.