Here’s a quick way to give Administrator accounts full access to all users’ mailboxes in your Office 365 environment.

Pro-Tip: Use our Office 365 reports to see which users have full access to particular mailboxes!

Create a Security Group which will contain your Admin accounts

  • Log in to the Microsoft Office 365 Portal.
  • Click Distribution Groups under Manage Outlook and Exchange Settings.
  • Click the New button.
  • Type a name and alias for your group, something like Tenant_Admins
  • Tick the box that says Make this group a security group
  • Add your tenant administrators (or anyone else you want to have access to all users’ mailboxes) as members of this group.
  • Save the group
New Security Group for Administrators

It might be worth hiding this group from the Address Book so your administrators don’t get hassled with emails from your users.

You can do that by double clicking the group and ticking the Hide this group from the shared address book box.

Hide Group from Address List

Grant this group Full Access permissions to all users’ mailboxes

Now we need to give this group full access to all users’ mailboxes. This has to be done in PowerShell. The cmdlet below gives every member of the group we created above full access to all user mailboxes.

Firstly, connect to Office 365 using PowerShell as an administrator.

Now, run the following cmdlet, remembering to replace the -User value (tenant_admins@yourdomain.onmicrosoft.com) with the security group you created above.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User tenant_admins@yourdomain.onmicrosoft.com -AccessRights FullAccess -InheritanceType all

It should do something like this:

PS C:\Users\burns_000\Desktop> Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User tenant_admins@powershell.onmicrosoft.com -AccessRights FullAccess -InheritanceType all

Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
alan                 EURPRD06\Tenant A... {FullAccess}                                                False       False
dan                  EURPRD06\Tenant A... {FullAccess}                                                False       False
steve                EURPRD06\Tenant A... {FullAccess}                                                False       False


PS C:\Users\burns_000\Desktop>

So what if we want to remove these permissions?

Easy, just change the second cmdlet from Add-MailboxPermission to Remove-MailboxPermission

PS C:\Users\burns_000\Desktop> Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Remove-MailboxPermission -User tenant_admins@yourdomain.onmicrosoft.com -AccessRights FullAccess -InheritanceType all

Confirm
Are you sure you want to perform this action?
Removing mailbox permission "alan" for user "tenant_admins@cogmotive.onmicrosoft.com" with access rights
"'FullAccess'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): a
PS C:\Users\burns_000\Desktop>

Important things to remember

Every member of the Tenant Admins group will now be able to open and read all your users’ mailboxes.

You will need to re-run the first cmdlet each time you add a new mailbox to make sure that the permissions apply.
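Because the grant has to be repeated for new mailboxes and every group member can read every covered mailbox, it helps to review both before re-running. The script below is an added example, not part of the original post: it lists the group's members, finds the user mailboxes that lack the grant, and adds it only there. It assumes an Exchange Online PowerShell session is already connected; the -Apply switch and the variable names are this example's own.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# PowerShell session is already connected, as in the step above.
param(
    # Placeholder address used in the post; replace with your own group.
    [string]$Group = 'tenant_admins@yourdomain.onmicrosoft.com',
    # Without -Apply the script only reports what it would change.
    [switch]$Apply
)

# 1. Who gets access: every member listed here can open every covered mailbox.
Write-Host "Members of ${Group}:"
Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress |
    Format-Table -AutoSize

# 2. Same mailbox selection as the cmdlet in the post.
$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"

# 3. Keep only the mailboxes where the group has no allow-FullAccess entry yet.
$missing = foreach ($mbx in $mailboxes) {
    $grant = Get-MailboxPermission -Identity $mbx.UserPrincipalName -User $Group |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and $_.Deny -ne $true }
    if (-not $grant) { $mbx }
}

Write-Host ("{0} of {1} user mailboxes lack the FullAccess grant" -f @($missing).Count, @($mailboxes).Count)

# 4. Grant only where missing. -WhatIf stays on unless -Apply was passed,
#    so a first run is a dry run that prints the intended changes.
foreach ($mbx in $missing) {
    Add-MailboxPermission -Identity $mbx.UserPrincipalName -User $Group `
        -AccessRights FullAccess -InheritanceType All -WhatIf:(-not $Apply)
}
```

Run it once without -Apply to review the member list and the mailboxes that would change, then again with -Apply.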

13 Comments

  • What is the default “AccessRights” if you choose to reverse the permissions back from “FullAccess”?

  • The default permission is “No access”

  • To reverse the permissions back you would still use -AccessRights FullAccess except you would lead with the Remove-MailboxPermission as stated in the post because you are Removing the FullAccess permission. If you replace FullAccess with something like NoAccess you would be trying to remove the NoAccess permission from the mailboxes. It’s a double negative. Almost like dividing by zero. And you could end up breaking the universe…

    • Thanks for the clarification Nanganator – I misunderstood James’ comment. We don’t want people breaking the universe!

  • Hi Alan
    I think this is a great command to give Full Access to an Admin group. At the beginning, when an org first moves to Office 365, it is a good way to apply the permissions to all mailboxes. Office 365 Wave 15 now allows us to apply the permission to individual mailboxes using the GUI. With a little discipline when creating a new mailbox, we can add the Tenant Admin group and avoid having to run the command for everyone again.
    The new GUI setting is available while editing or creating the mailbox, under the delegation menu.
    I post this to add to your discussion with your readers because I know you are well aware of the setting.

    • Good point Darrell, thanks for pointing it out!

      Wave 15 lets us do a lot of administration tasks that were lacking in the previous version. I go into more detail in this blog post.

  • Thanks for the post!

    Some layout updates, as of August 2015 –
    * Log into the Office 365 Portal
    * Choose the grey “Admin” icon
    * Under the “Admin” menu at the bottom left choose “Exchange”
    * Under the “recipients” category choose “groups”
    * Click the “+” (new) button/dropdown and choose “Security Group”
    * (as above) Name/Alias the group
    * Edit it again after creating to see hide-from-address-lists checkbox

    The cmdlet worked like a charm!

  • Thanks! You saved me a lot of time 🙂

  • Need help, ASAP
    I applied everything and worked fine but I do not see the mailboxes from our users. Where can I go and see their inboxes and their contents?
    BTW I fully finished the Powershell and worked fine.
    Please help me this is urgent.

    Thanks

  • Please finish the process all the way,
    what should we do next ? how to see the mailboxes and have access to them
    where would be the location of all users mailboxes, I do not get it ,,,
    Need help

  • In on-site Exchange implementations you can add Full Access permissions for a user or group at the Mailbox Database level. This causes any new mailboxes to inherit the permissions, so the command never has to be run again. Is it not possible to add Full Access permissions to the entire Mailbox Database with Office 365?

    • I am trying to find this answer too. With Exchange on-premise – you can add the admin/group to the Exchange Org group which gave you full mailbox rights to current and any new mailboxes created or like the above add at the DB level. Apparently there is no way or I haven’t found a way to add via the EAC and/or the Organization Management RBAC role does NOT give rights to view mailboxes. MS needs to fix this as in large orgs where you are adding hundreds of new mailboxes a week or even a day it is not acceptable or efficient to have to run the PS command every day/week, etc. C’mon MS, why take this feature away?

  • I know this web site presents quality depending articles and extra material, is there
    any other web page which provides these kinds of stuff in quality?
