#FAQFriday – How to add admin account permissions to all mailboxes in Exchange Online?

One of the most common questions I hear when we teach an Office 365 IT Admin class to experienced IT support folks is: “How do I add an admin account to have full access to all Exchange mailboxes in Office 365?”

As a support engineer and a consultant, I want to keep things as easy and fast as possible when it comes to quickly accessing data required to troubleshoot problems.
This is one of my “tools”.

This #FAQFriday blog shows how to log into Exchange Online and give an admin account permissions on all mailboxes in the Exchange organization of a tenant (note: as with many Office 365 features and PowerShell commands, there are a variety of ways to achieve the same successful result, but this is my favorite way).

In short:

First we log in using the PowerShell commands below, then we add the permissions, and finally we check a couple of the mailbox delegate properties to confirm. The commands depend on a few requirements: proper permissions to log into the tenant with PowerShell as an admin account, with access to the user accounts and mailboxes; Windows PowerShell and the Office 365 module installed and updated; and the Microsoft Office Sign-In Assistant service running. Please note: it is recommended that PowerShell is run as an administrator. Global Administrator, Exchange Administrator, or User Administrator permissions are needed to log in successfully and complete this task.

Step 1: Log into Office 365 and Exchange Online. [enter admin credentials for O365]
    Connect-MsolService
Step 2: Store the credentials for the Exchange Online session. [enter admin credentials for O365]
    $UserCredential = Get-Credential
Step 3: Create the remote session.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Step 4: Import the session.
    Import-PSSession $Session
Step 5: Add the full permissions for the admin account to all mailboxes, and wait for it to complete.
    Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User admin@company.com -AccessRights FullAccess -InheritanceType All

Step 6: Check a couple of the user mailboxes under Mailbox Delegation. Check that the admin account has been successfully added to the Full Access mailbox delegation list. This step can also be performed in PowerShell.
Step 7: Troubleshooting, Related Questions & Tips

What kind of errors might be experienced with this?

Login problems?

If you cannot log in, confirm you are using a recent version of Windows PowerShell and have the Office 365 module installed and updated. Also, check that your Office 365 account has an admin role with sufficient permissions (Global Admin, Exchange Admin or User Admin will suffice) to log into the tenant with PowerShell and make changes to the accounts.

Confirm that the Microsoft Online Services Sign-In Assistant is running.

Does this work with all mailbox accounts?

Unfortunately mailboxes with identical properties or duplicate names may cause errors or not get updated, so check the error log for duplicate errors.
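
The PowerShell version of the Step 6 check, extended to list the mailboxes that were not updated and the display names that occur more than once. This is an added example, not code from the original post; it assumes the session from Steps 1-4 is imported, uses the post's placeholder admin@company.com, and the variable names and CSV file name are illustrative.

```powershell
# Added example, not from the original post. Run inside the Exchange Online
# session imported in Steps 1-4.
$AdminUpn = 'admin@company.com'   # placeholder address used in Step 5

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# Display names shared by several mailboxes: candidates for the duplicate errors.
$duplicates = $mailboxes | Group-Object -Property DisplayName |
    Where-Object { $_.Count -gt 1 }

$report = foreach ($mbx in $mailboxes) {
    # Address each mailbox by GUID so a duplicate name cannot match the wrong one.
    $grant = Get-MailboxPermission -Identity $mbx.Guid.ToString() -User $AdminUpn -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }

    [pscustomobject]@{
        Mailbox       = $mbx.PrimarySmtpAddress
        DisplayName   = $mbx.DisplayName
        HasFullAccess = [bool]$grant
    }
}

$missing = $report | Where-Object { -not $_.HasFullAccess }

"{0} mailboxes checked, {1} without FullAccess for {2}" -f @($report).Count, @($missing).Count, $AdminUpn
$missing | Format-Table Mailbox, DisplayName -AutoSize
$duplicates | Select-Object Name, Count | Format-Table -AutoSize

# Keep a dated record of the delegation state for later review.
$report | Export-Csv -Path ".\fullaccess-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

An empty "without FullAccess" table means Step 5 reached every user mailbox; any rows listed there can be fixed one at a time with the single-mailbox command.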

How can I add an admin account or user account permissions to one mailbox?

Use the same login sequence to log into Exchange Online (described above).
Add-MailboxPermission -Identity UserMailbox1 -User 'admin' -AccessRights FullAccess -InheritanceType All

How can I add impersonation permissions for one admin or service account to all mailboxes?

Use the same login sequence to log into Exchange Online (described above).
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:admintool

Wondering how to update the permissions for shared mailboxes or resource mailboxes? Stay tuned for future editions of our #FAQFriday blog series!
