Friday, April 14, 2017

Accessing user mailboxes in Office 365

In keeping with least privilege, even global administrators don’t have access to user mailboxes by default. This may prevent you from doing bulk administrative operations for your environment. To perform bulk administration tasks, such as those run with PowerShell scripts, you’ll need to assign the appropriate rights. This can be done in two places in the web interface.


If mailbox access is all you require, the best place to assign these rights is the Exchange admin center, which you access from the Office 365 Admin center.


Select permissions on the left and then Discovery Management on the right. You then select the pen icon above the list of permissions to make changes.


At the bottom of the dialog that appears, you can add new members to this role and view the roles it includes, one of which is Mailbox Search.

The description for the Discovery Management permission is:

Discovery Management

Members of this management role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria.

Note that it only provides permissions to mailboxes.


There is another way to provide rights to mailboxes BUT you’ll also be providing rights to files in SharePoint and OneDrive for Business. If you are following least privilege best practices, which you should, you shouldn’t use this process if all you need is access to mailboxes.

Here you’ll need to navigate to the Security & Compliance center from the Admin center. You’ll then need to select Permissions on the left and then eDiscovery Manager on the right. You again select the pen icon to add the appropriate users to this role.

The description for this role is: 

eDiscovery Manager

Perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations.

Note how this role provides permissions to mailboxes AND files as mentioned.

Once you have given a user permissions to mailboxes, you may need to wait a little while (15 minutes typically) for them to fully flow through to all elements. Then you can start making the bulk changes you need.
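
The Discovery Management change described above can also be scripted, which makes it easy to remove the membership again once the bulk work is done. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement PowerShell module, and the account names and function names are placeholders chosen for illustration.

```powershell
# Added example: time-boxed membership of the Discovery Management role group.
# Assumes the ExchangeOnlineManagement module is installed; the account names
# below are placeholders, not values from the post.
Import-Module ExchangeOnlineManagement

$Group  = 'Discovery Management'
$Admin  = 'admin@contoso.example'       # placeholder: account that manages role groups
$Member = 'bulkadmin@contoso.example'   # placeholder: account that runs the bulk task

function Get-GroupMemberNames {
    # Names of the current members of the role group
    Get-RoleGroupMember -Identity $Group | Select-Object -ExpandProperty Name
}

function Grant-MailboxSearchAccess {
    $before = Get-GroupMemberNames
    # Stops with an error if the account is already a member, so nothing is
    # reported as newly added when it was not
    Add-RoleGroupMember -Identity $Group -Member $Member -ErrorAction Stop
    $added = Get-GroupMemberNames | Where-Object { $before -notcontains $_ }
    Write-Output "Added to '$Group': $($added -join ', ')"
    Write-Output 'Allow about 15 minutes before starting the bulk task.'
}

function Revoke-MailboxSearchAccess {
    Remove-RoleGroupMember -Identity $Group -Member $Member -Confirm:$false -ErrorAction Stop
    Write-Output "Remaining members of '$Group':"
    Get-RoleGroupMember -Identity $Group | Select-Object Name, RecipientType
}

Connect-ExchangeOnline -UserPrincipalName $Admin
try {
    # Roles the group carries; the post notes Mailbox Search is one of them
    (Get-RoleGroup -Identity $Group).Roles

    Grant-MailboxSearchAccess
    # Run the bulk task as $Member in its own session, then call:
    # Revoke-MailboxSearchAccess
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Reviewing the output of `Revoke-MailboxSearchAccess` after each job shows whether any account has been left in the group longer than the task required.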