Need to show mailbox name against each iteration of foreach being run against mailboxes - Powershell


  • Hi all, I'm pretty new to this so apologies in advance if I embarrass myself! I'm trying to get a list of all room mailboxes and whether a service account has Impersonation Rights to it or not. We have a Service Account that has Application Impersonation rights so I'm running the following;

    $Rooms = get-mailbox | where {$_.recipienttypedetails -eq "RoomMailbox"}

    Foreach ($Room in $Rooms) {
        Get-ManagementRoleAssignment -GetEffectiveUsers | Where {$_.RoleAssigneeName -eq "RC SRV"}
    }


    But all I get is;

    Name                           Role              RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserNam
    ----                           ----              ----------------  ----------------  ----------------  ----------------
    impersonationassignmentname    ApplicationImp... RC SRV            User              Direct            RC SRV
    impersonationassignmentname    ApplicationImp... RC SRV            User              Direct            RC SRV
    impersonationassignmentname    ApplicationImp... RC SRV            User              Direct            RC SRV 

    etc, a line for every Resource Mailbox we've got.

    I've tried (among other things) adding 

    $RoomName = $Rooms.Alias
    write-output $RoomName

    But it just lists every room against each output. I'm struggling and would really appreciate some help, guys; my own investigating isn't turning much up, mainly because I don't think I know enough about scripting to know what to look for!

    Thanks in advance....

    Friday, December 7, 2018 3:09 PM


  • If you create a management assignment, allowing xyz account the ability to impersonate others, by default, this grants the xyz account that ability across the whole tenant. If you wanted to limit that, you could use the RecipientRestrictionFilter when configuring the management scope itself.

    Therefore, if your service account "rc srv" is in this group, it would follow that it does indeed have impersonation rights on those mailboxes, and a per-resource check wouldn't be necessary.

    If I'm missing something, please elaborate.

    Otherwise, as a different example, let's assume we were looking at a permission that isn't part of a management role assignment, like FullAccess. In this case, we'll assume it's been directly assigned.

    $Rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize unlimited
    $Results = Foreach ($Room in $Rooms) {
         # $(...) is needed so the property, not just $Room, is expanded inside the string
         Write-Host "Checking ACL for $($Room.Identity)" -ForegroundColor Cyan
         Get-MailboxPermission $Room.DistinguishedName | Where {
            ($_.IsInherited -eq $false) -and 
            ($_.Deny -eq $false) -and 
            ($_.AccessRights -match "FullAccess") -and
            ($_.User -notmatch "SELF")
         }
    }
    $Results | Select-Object Identity, User, AccessRights

    Please note that I'm using the -Filter parameter of get-mailbox, as this instructs the server to do the filtering and is therefore faster. Your approach would download 1000 mailboxes (a lot, and not necessarily all), for client-side processing.

    Mike Crowley


    • Edited by Mike Crowley Monday, December 24, 2018 5:53 PM -ResultSize unlimited
    • Marked as answer by Clu_Less Tuesday, February 26, 2019 2:30 PM
    Monday, December 24, 2018 5:50 PM
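The answer's point that an ApplicationImpersonation assignment is tenant-wide unless its management scope restricts recipients, worked through as an added example (not code from the thread or from Microsoft): it resolves each assignment's scope once, then emits one object per room mailbox so the room name travels with the result. It assumes an Exchange Management Shell or Exchange Online session, that "RC SRV" is the service account's display name (placeholder), and that a custom scope's RecipientFilter can be re-evaluated with Get-Recipient -Filter; OU-rooted scopes are reported but not evaluated.

```powershell
# Added example, not from the original thread. Assumes an Exchange session and that
# 'RC SRV' (placeholder) is the service account whose impersonation reach is being audited.
$ServiceAccount = 'RC SRV'

# ApplicationImpersonation assignments that reach the account, directly or via a role group.
$Assignments = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $ServiceAccount }

# Resolve scopes once, up front: an Organization-scoped assignment covers every mailbox;
# a CustomRecipientScope covers only the recipients its OPATH filter matches.
$Unscoped   = $false
$CoveredDNs = [System.Collections.Generic.HashSet[string]]::new()
foreach ($Assignment in $Assignments) {
    switch ($Assignment.RecipientWriteScope) {
        'Organization' { $Unscoped = $true }
        'CustomRecipientScope' {
            $Scope = Get-ManagementScope -Identity $Assignment.CustomRecipientWriteScope
            # Assumption: the scope's RecipientFilter is valid input for Get-Recipient -Filter,
            # which evaluates it server-side and returns exactly the recipients in scope.
            Get-Recipient -Filter $Scope.RecipientFilter -ResultSize Unlimited |
                ForEach-Object { [void]$CoveredDNs.Add($_.DistinguishedName) }
        }
        default {
            Write-Warning "Assignment '$($Assignment.Name)' uses scope type '$($Assignment.RecipientWriteScope)'; not evaluated here"
        }
    }
}

# Server-side filter, as in the answer, rather than piping every mailbox through Where.
$Rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited

# One object per iteration: the room's own name is attached to its result instead of
# being listed once for every room, which is what $Rooms.Alias did in the question.
$Report = foreach ($Room in $Rooms) {
    [pscustomobject]@{
        Room         = $Room.DisplayName
        Alias        = $Room.Alias
        Impersonable = $Unscoped -or $CoveredDNs.Contains($Room.DistinguishedName)
    }
}

$Report | Sort-Object Room | Format-Table -AutoSize
```

If $Unscoped comes back $true, every room shows Impersonable = True, which is the tenant-wide behaviour the answer describes; only a RecipientRestrictionFilter on the scope produces a mix of True and False.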