Microsoft 365 Mailbox Delegation
In Exchange Online you can grant permission on any user's mailbox to other users to enable them to access the mailbox (the Full Access permission), or send email messages that appear to come from the mailbox (the Send As or Send on Behalf permissions). The users who are assigned these permissions on other mailboxes are called delegates.
This article will explain how to grant permissions to users on other users' mailboxes, generate a report on all mailbox delegates, and audit the activities of mailbox delegates using M365 Manager Plus.
Reports on mailbox delegates
M365 Manager Plus provides a detailed report called Mailboxes with Delegates, which provides a list of all mailboxes that have been delegated to users, with details on the permissions assigned, mailbox type, and more.
Steps to generate the Mailboxes with Delegates report
- Go to the Reports tab.
- Select Mailbox Reports under Exchange Online category from the left pane.
- You can find Mailboxes with Delegates report under the Account Status Reports.
Note: You can schedule, email, and export the report in PDF, CSV, HTML, or XLSX format.
Manage mailbox delegates
Using M365 Manager Plus' simple and powerful GUI, you can add, remove, or modify mailbox permissions for multiple users, on multiple mailboxes, at once.
Steps to delegate mailbox permissions
- Go to the Management tab.
- Select Mailbox Management under Exchange Online from the left pane.
- Choose Mailbox Delegation under Exchange Mailbox Limit category.
- In the Mailbox Delegation page, choose the permissions you wish to manage (Send As, Send on Behalf, or full access), choose whether you want to add or remove those permissions, and using + icon select the users to whom the permissions must be provided or removed. [Refer the image below]
- In the Find Mailboxes to Modify section, enter the names of mailboxes manually, or use the CSV Import option to upload the list of mailboxes that must be delegated.
- Click Apply. You will now be able to see the summary of the action performed. This can be emailed or exported in different formats such as PDF, HTML, CSV, or XLSX.
With mailbox delegation made much easier, it is important that you can keep track of such actions. The Mailbox Permission Changes report lists all the permission changes to mailboxes. It provides up-to-date details on who changed which permission on which mailbox.
Steps to generate Mailbox Permission Changes report
- Go to the Reports tab.
- Choose Security Reports under Other Services category from the left pane.
- You can find Mailbox Permission Changes report under Admin Activities Reports.
Audit activities of mailbox delegates
M365 Manager Plus provides a default audit profile called Activities by Mailbox Delegates which provides one click access to the required audit data.
Note: Auditing must be enabled for mailboxes to view the audit log. Hence identify the auditing disabled mailboxes and enable mailbox auditing.
Steps to view the default audit profile
- Go to the Audit tab.
- In the left pane, choose Exchange Online → Exchange Activity → Activities by Mailbox Delegates.
- Choose the Delegate Activity tab found at the top of the data table.
You can also create a new audit profile yourself using these steps.
Steps to create an audit profile
- Go to the Admin tab.
- Select Audit Configuration → Audit Profiles in the left pane.
- Click Add Profile.
- In the profile configuration page,
- Provide a profile name (Eg: Audit Mailbox delegates) and description of your choice.
- Choose Exchange Online from the Microsoft 365 Service drop-down list.
- Choose Exchange Online Activities from the Category drop-down list.
- Select the actions that must be audited from the Actions drop-down list. Multiple actions can be selected.
- Select Target Callers (one who performs the action). You can either select All or click Custom to select users of your choice.
- Select the Target Objects (object on which the action must be performed). You can either select All or click Custom to select users of your choice.
- NOTE: Both Target Callers and Target Objects can either be users, groups or both.
- When you select custom users/groups for both Target Callers and Target Objects, you can select the desired Target Criteria, which is explained below.
- Click Add.
- Now you will be taken to the Configure Profile page, where you can see the profile you created (Audit Mailbox Delegates) listed in the table along with other profiles. Click View Report in the Reports column to view the consolidated report.
The profile you have created now, shows all the mailbox activities. To view the activities of delegates alone, you have to filter the data based on logon type. For delegates, the logon type value is 2. You can save this filter setting as a new view so that you don't have to configure the filter settings everytime.
Note: Target Criteria:
Callers AND Targets: The report will be generated when both the target and caller of the selected action matches with any of the selected targets and callers respectively.
Callers OR Targets: The report will be generated when either the target or caller of the selected action matches with the selected targets or callers respectively.
Steps to create a view for Audit Mailbox Delegates
- After you click the View Report [Refer step (5) of the previous section], click the filter icon found at the top of the data table.
- Configure the filter condition as shown in the image below.
- Click Generate.
- The result will show the activities of mailbox delegates. Click Save to save this filter setting with a custom name. (Eg: Activities by delegates)
- You can access the view you have created in the audit tab. eg: Audit tab → Audit Mailbox Delegates form the left pane → Activities by delegates tab.
For more details on the feature offered by M365 Manager Plus, click here.