MithiDocs

Delegating mailbox access in M365

Delegate mailbox access on Microsoft 365

The Graph API access keys allow access to the mailbox service for the admin.

In order to access a user's mailbox, an additional step has to be performed to delegate access to the admin id for which the Graph API access key has been generated.

This has to be done for all users whose data needs to be exported or for all users where data has to be uploaded.

NOTE: The admin ID must have a valid license - a basic license is sufficient. (License application takes about an hour to come into effect)


OPTION 1: Delegate access one user at a time

Log in to the Microsoft 365 admin center at https://admin.microsoft.com.

(a) Select Users

(b) Click on Active users

(c) Select any licensed user whose account access has to be delegated

(d) Click on the Mail tab for the selected user

(e) Click on Read and manage permissions

(a) Click on Add permissions

(a) Select the user who will get delegated access

(b) Click on Add

NOTE: Delegation takes about an hour to come into effect.

OPTION 2: Delegate access for all or selected users

Log in to the M365 Admin Panel

Navigate to Exchange > Recipients > Mailboxes

(A) Select All users 

(B) Click on Mailbox delegation

(C) Select the user ID for which we have generated the Graph API credentials

(D) Select Full access 

(E) Save 

Note: After the operation, it can take up to an hour for the delegation to be completed.


Bulk operations using PowerShell

Delegating access for all

1) Open Windows PowerShell in administrative mode

2) Install the ExchangeOnlineManagement module, which provides Connect-ExchangeOnline

(Reference: https://www.sharepointdiary.com/2021/11/connect-to-exchange-online-using-powershell.html)

  • Type the command: Install-Module -Name ExchangeOnlineManagement

  • Now type the command: Import-Module ExchangeOnlineManagement (the module will be imported)

Connect to Exchange Online with the admin ID:

Connect-ExchangeOnline -UserPrincipalName o365@connectserver.onmicrosoft.com

Assign the delegate user, that is, the user for which the Microsoft Graph API key was generated:

$DelegateUser = "o365@connectserver.onmicrosoft.com"

Get the list of all mailboxes in the tenant and store it in the variable $Mailboxes:

$Mailboxes = Get-Mailbox -ResultSize Unlimited

Run the command below to loop through each mailbox and add the full access permission.

Note: If the user list is long, keep the terminal open until the loop completes and make sure network connectivity is stable; otherwise the session will disconnect and the script will be killed partway through.

foreach ($Mailbox in $Mailboxes) {
    try {
        # -ErrorAction Stop turns cmdlet errors into terminating errors so the catch block runs
        Add-MailboxPermission -Identity $Mailbox.PrimarySmtpAddress -User $DelegateUser -AccessRights FullAccess -InheritanceType All -AutoMapping $false -ErrorAction Stop
        Write-Host "Full access granted to $DelegateUser for mailbox $($Mailbox.PrimarySmtpAddress)"
    }
    catch {
        # Report the failing mailbox and continue with the next one
        Write-Host "Error granting access to mailbox $($Mailbox.PrimarySmtpAddress): $_"
    }
}

Disconnect Exchange

Disconnect from Exchange Online

Removing delegation access

1) Open Windows PowerShell in administrative mode

2) Install the ExchangeOnlineManagement module, which provides Connect-ExchangeOnline

(Reference: https://www.sharepointdiary.com/2021/11/connect-to-exchange-online-using-powershell.html)

  • Type the command: Install-Module -Name ExchangeOnlineManagement

  • Now type the command: Import-Module ExchangeOnlineManagement (the module will be imported)

  • Now type the command: Connect-ExchangeOnline

  • Give the credentials of the admin ID.

3) Define the PowerShell script as follows

$mailboxes = "User1","User2"
$mailboxes | ForEach-Object {
    $mailbox = $_
    Remove-MailboxPermission -Identity $mailbox -User "User to whom delegation has been given" -AccessRights FullAccess -InheritanceType All
}

Notes:

  • User ids have to be enclosed in double quotes
  • "User1", "User2", etc. are the ids from which the delegation has to be removed
  • "User to whom delegation has been given" is the user to whom the access has been given

Example:

$mailboxes = "archive@mithi.biz","user@mithi.biz"
$mailboxes | ForEach-Object {
    $mailbox = $_
    Remove-MailboxPermission -Identity $mailbox -User "admin@connectserver.onmicrosoft.com" -AccessRights FullAccess -InheritanceType All
}

4) On execution, you will be prompted to confirm the operation. Click Yes

5) Verify that the access has been removed using the Admin Center
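
The check in step 5 can also be done from PowerShell across every mailbox at once, which matters because the bulk grant above gives one ID FullAccess to the whole tenant. The following is an added example, not part of the original page: it reports per mailbox whether the delegate ID still holds FullAccess, assuming an already connected Exchange Online session; the function name Get-DelegateFullAccess and the CSV file name are hypothetical.

```powershell
# Added example (not from the original page): audit FullAccess held by the delegate ID.
# Assumes Import-Module ExchangeOnlineManagement and Connect-ExchangeOnline were already run.
function Get-DelegateFullAccess {
    param(
        [Parameter(Mandatory)] [string] $DelegateUser,
        # Optional list of mailboxes to check; default is every mailbox in the tenant
        [string[]] $Mailboxes
    )
    if (-not $Mailboxes) {
        $Mailboxes = (Get-Mailbox -ResultSize Unlimited).PrimarySmtpAddress
    }
    foreach ($address in $Mailboxes) {
        try {
            # Keep only allow-entries that include FullAccess for this delegate
            $entries = @(Get-MailboxPermission -Identity $address -User $DelegateUser -ErrorAction Stop |
                Where-Object {
                    (($_.AccessRights -join ',') -match 'FullAccess') -and
                    ([string]$_.Deny -ne 'True')
                })
            [pscustomobject]@{
                Mailbox       = $address
                Delegate      = $DelegateUser
                HasFullAccess = ($entries.Count -gt 0)
                Error         = $null
            }
        }
        catch {
            # A mailbox that could not be queried is reported, not silently skipped
            [pscustomobject]@{
                Mailbox       = $address
                Delegate      = $DelegateUser
                HasFullAccess = $null
                Error         = $_.Exception.Message
            }
        }
    }
}

# Delegate ID as used in the bulk grant on this page
$report = Get-DelegateFullAccess -DelegateUser "o365@connectserver.onmicrosoft.com"

# After removal this list should be empty; after the grant it should cover every mailbox
$report | Where-Object { $_.HasFullAccess } | Select-Object Mailbox
# Mailboxes that could not be checked need a manual look
$report | Where-Object { $_.Error } | Select-Object Mailbox, Error
# Keep a dated record of who had access (hypothetical file name)
$report | Export-Csv -Path .\delegate-fullaccess-audit.csv -NoTypeInformation
```

Because delegation changes can take up to an hour to come into effect, run the audit after that interval before treating the result as final.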