Exchange Online: Checking shared mailbox delegate permissions (single user / multiple users)
1. Prerequisites
- Windows PowerShell 5.x or later (PowerShell 7 is also fine)
- The ExchangeOnlineManagement module is installed
- An account that can connect to Exchange Online (required rights: read access to the target shared mailboxes)
- It is recommended to run the script from a PowerShell session started as administrator
The PowerShell scripts below narrow the set of shared mailboxes by keywords contained in their UPN (PrimarySmtpAddress) and list the FullAccess / SendAs / SendOnBehalf rights held by the specified user (one or more).
2. Single user x multiple keywords
# Check-SharedMailboxPermissions_Filtered.ps1 (Single User, Multi-Keyword)
try {
    if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
        Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
    }
    Import-Module ExchangeOnlineManagement -ErrorAction Stop
} catch {
    Write-Host "Failed to load EXO module: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}
Connect-ExchangeOnline -ShowBanner:$false
$user = Read-Host "Enter the UPN of the user to check (e.g. user@domain.com)"
$kwInput = Read-Host "Enter keyword(s) to filter Shared Mailboxes by UPN (comma separated, e.g. canada,japan)"
$keywords = $kwInput.Split(",") | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }
Write-Host "Target user: $user" -ForegroundColor Green
Write-Host "Filter keywords: $($keywords -join ', ')" -ForegroundColor Cyan
# Pull every shared mailbox once; the keyword filter is applied client-side below.
$allShared = Get-EXOMailbox -ResultSize Unlimited -Filter "(RecipientTypeDetails -eq 'SharedMailbox')" `
    -Properties DisplayName,PrimarySmtpAddress,GrantSendOnBehalfTo
$shared = $allShared | Where-Object {
    $hit = $false
    foreach ($k in $keywords) {
        if ($_.PrimarySmtpAddress -like "*$k*") { $hit = $true; break }
    }
    $hit
}
Write-Host "Matched shared mailboxes: $($shared.Count)" -ForegroundColor Yellow
$results = @()
foreach ($m in $shared) {
    # FullAccess: explicit (non-inherited) entries granted directly to the user
    $fa = Get-EXOMailboxPermission -Identity $m.Identity -User $user -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsInherited -and $_.AccessRights -match 'FullAccess' }
    if ($fa) {
        $results += [pscustomobject]@{ User=$user; Mailbox=$m.DisplayName; SMTP=$m.PrimarySmtpAddress; Permission='FullAccess' }
    }
    # SendAs: recipient permission entries whose trustee is the user
    $sa = Get-EXORecipientPermission -Identity $m.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.Trustee -eq $user -and $_.AccessRights -contains 'SendAs' }
    if ($sa) {
        $results += [pscustomobject]@{ User=$user; Mailbox=$m.DisplayName; SMTP=$m.PrimarySmtpAddress; Permission='SendAs' }
    }
    # SendOnBehalf: GrantSendOnBehalfTo holds directory names, not SMTP addresses,
    # so resolve each entry to a recipient and compare its primary SMTP address.
    $sob = foreach ($d in $m.GrantSendOnBehalfTo) {
        $r = Get-EXORecipient -Identity "$d" -ErrorAction SilentlyContinue
        if ($r -and $r.PrimarySmtpAddress -eq $user) { $r }
    }
    if ($sob) {
        $results += [pscustomobject]@{ User=$user; Mailbox=$m.DisplayName; SMTP=$m.PrimarySmtpAddress; Permission='SendOnBehalf' }
    }
}
if ($results) {
    $results | Sort-Object Mailbox, Permission | Format-Table -AutoSize
    $date = Get-Date -Format "yyyyMMdd_HHmmss"
    $safeUser = ($user -replace '[^a-zA-Z0-9]','_')
    $safeKey = (($keywords -join "_") -replace '[^a-zA-Z0-9]','_')
    $csv = ".\SharedMailboxPermissions_${safeUser}_${safeKey}_$date.csv"
    $results | Export-Csv $csv -NoTypeInformation -Encoding UTF8
    Write-Host "`nSaved CSV: $csv" -ForegroundColor Yellow
} else {
    Write-Host "`nNo delegate permissions found in filtered mailboxes." -ForegroundColor Red
}
Disconnect-ExchangeOnline -Confirm:$false
3. Multiple users x multiple keywords
# Check-SharedMailboxPermissions_MultiUser.ps1 (Multi User, Multi-Keyword)
try {
    if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
        Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
    }
    Import-Module ExchangeOnlineManagement -ErrorAction Stop
} catch {
    Write-Host "Failed to load EXO module: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}
Connect-ExchangeOnline -ShowBanner:$false
$userInput = Read-Host "Enter user UPNs (comma separated, e.g. taro@contoso.com,hanako@contoso.com)"
$users = $userInput.Split(",") | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }
$kwInput = Read-Host "Enter keyword(s) to filter Shared Mailboxes by UPN (comma separated)"
$keywords = $kwInput.Split(",") | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }
Write-Host "Target users: $($users -join ', ')" -ForegroundColor Green
Write-Host "Filter keywords: $($keywords -join ', ')" -ForegroundColor Cyan
# Pull every shared mailbox once; the keyword filter is applied client-side below.
$allShared = Get-EXOMailbox -ResultSize Unlimited -Filter "(RecipientTypeDetails -eq 'SharedMailbox')" `
    -Properties DisplayName,PrimarySmtpAddress,GrantSendOnBehalfTo
$shared = $allShared | Where-Object {
    $hit = $false
    foreach ($k in $keywords) {
        if ($_.PrimarySmtpAddress -like "*$k*") { $hit = $true; break }
    }
    $hit
}
Write-Host "Matched shared mailboxes: $($shared.Count)" -ForegroundColor Yellow
# SendOnBehalf delegates are stored as directory names, not SMTP addresses:
# resolve them once per mailbox so the per-user loop can compare addresses.
$sobMap = @{}
foreach ($m in $shared) {
    $sobMap[$m.Identity] = @(foreach ($d in $m.GrantSendOnBehalfTo) {
        $r = Get-EXORecipient -Identity "$d" -ErrorAction SilentlyContinue
        if ($r) { $r.PrimarySmtpAddress }
    })
}
$results = @()
foreach ($u in $users) {
    foreach ($m in $shared) {
        # FullAccess: explicit (non-inherited) entries granted directly to the user
        $fa = Get-EXOMailboxPermission -Identity $m.Identity -User $u -ErrorAction SilentlyContinue |
            Where-Object { -not $_.IsInherited -and $_.AccessRights -match 'FullAccess' }
        if ($fa) {
            $results += [pscustomobject]@{ User=$u; Mailbox=$m.DisplayName; SMTP=$m.PrimarySmtpAddress; Permission='FullAccess' }
        }
        # SendAs: recipient permission entries whose trustee is the user
        $sa = Get-EXORecipientPermission -Identity $m.Identity -ErrorAction SilentlyContinue |
            Where-Object { $_.Trustee -eq $u -and $_.AccessRights -contains 'SendAs' }
        if ($sa) {
            $results += [pscustomobject]@{ User=$u; Mailbox=$m.DisplayName; SMTP=$m.PrimarySmtpAddress; Permission='SendAs' }
        }
        # SendOnBehalf: compare against the resolved SMTP addresses (case-insensitive)
        if ($sobMap[$m.Identity] -contains $u) {
            $results += [pscustomobject]@{ User=$u; Mailbox=$m.DisplayName; SMTP=$m.PrimarySmtpAddress; Permission='SendOnBehalf' }
        }
    }
}
if ($results) {
    $results | Sort-Object User, Mailbox, Permission | Format-Table -AutoSize
    $date = Get-Date -Format "yyyyMMdd_HHmmss"
    $safeUsers = (($users -join "_") -replace '[^a-zA-Z0-9]','_')
    $safeKey = (($keywords -join "_") -replace '[^a-zA-Z0-9]','_')
    $csv = ".\SharedMailboxPermissions_${safeUsers}_${safeKey}_$date.csv"
    $results | Export-Csv $csv -NoTypeInformation -Encoding UTF8
    Write-Host "`nSaved CSV: $csv" -ForegroundColor Yellow
} else {
    Write-Host "`nNo delegate permissions found for these users in filtered mailboxes." -ForegroundColor Red
}
Disconnect-ExchangeOnline -Confirm:$false
4. Notes
- If there are many shared mailboxes, the run takes a long time; always filter by keyword.
- Even when the result is 0 rows, indirect access may still exist through inherited permissions or administrative roles.
- The CSV file is saved in the directory the script is run from.
- Exchange Online PowerShell cmdlets are updated regularly, so the scripts may stop working in a future version.
- These scripts are read-only; they do not change any permissions.
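Because the scripts above only read permissions, running them on a schedule and diffing the CSV snapshots turns them into a simple detector for newly granted (or silently removed) delegations. The following is an added example, not part of the original post; it assumes two CSV files with the column layout exported above (User, Mailbox, SMTP, Permission), and the file names in the parameters are placeholders.

```powershell
# Compare-SharedMailboxPermissionSnapshots.ps1 (added example)
# Reports delegate grants that appeared or disappeared between two runs of the scripts above.
param(
    [Parameter(Mandatory)] [string] $Previous,   # e.g. .\SharedMailboxPermissions_<older run>.csv (placeholder)
    [Parameter(Mandatory)] [string] $Current,    # e.g. .\SharedMailboxPermissions_<newer run>.csv (placeholder)
    [string] $ReportPath = ".\SharedMailboxPermissionDrift_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv"
)

# One grant = (user, shared mailbox SMTP, right). Mailbox display names can change,
# so the key uses the SMTP address; addresses are lower-cased for a stable compare.
function Get-GrantKey {
    param([pscustomobject] $Row)
    return ('{0}|{1}|{2}' -f $Row.User.ToLower(), $Row.SMTP.ToLower(), $Row.Permission)
}

# @( ... ) guarantees an array even when a snapshot has no rows.
$oldKeys = @(Import-Csv $Previous | ForEach-Object { Get-GrantKey $_ })
$newKeys = @(Import-Csv $Current  | ForEach-Object { Get-GrantKey $_ })

# SideIndicator '=>' = only in the current snapshot (new grant),
# '<=' = only in the previous snapshot (grant removed).
$diff = Compare-Object -ReferenceObject $oldKeys -DifferenceObject $newKeys

$drift = foreach ($d in $diff) {
    $user, $smtp, $perm = $d.InputObject -split '\|'
    $change = if ($d.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
    [pscustomobject]@{ Change = $change; User = $user; SMTP = $smtp; Permission = $perm }
}

if ($drift) {
    $drift | Sort-Object Change, SMTP, User | Format-Table -AutoSize
    $drift | Export-Csv $ReportPath -NoTypeInformation -Encoding UTF8
    Write-Host "`nDrift report saved: $ReportPath" -ForegroundColor Yellow
} else {
    Write-Host "`nNo change in delegate permissions between the two snapshots." -ForegroundColor Green
}
```

Rows marked Added are the ones worth reviewing against a change ticket; an Added FullAccess or SendAs row with no corresponding request is the signal this check is meant to surface.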