Example:
Get-MailboxPermissions -Identity "<user>"
Shows permissions with IsInherited=True
Where would this permission be inherited from in Exchange online?
In on premise exchange I would use Get-MailboxDatabase
and/or Get-ADPermission
but these are unavailable in Exchange online.
There is a permission we want to remove, but can't because it's inherited:
WARNING: An inherited access control entry has been specified: [Rights: ReadControl, ControlType: Allow] and was ignored on object "CN=<user>,OU=<organization>,OU=Microsoft Exchange Hosted Organizations,DC=<server>,DC=PROD,DC=OUTLOOK,DC=COM".
Best Answer
When you run the Get-MailboxPermission in Exchange Online, it can list all users who have mailbox level permission to the specific mailbox. For example:
For the
IsInherited=True
results, we can check the User column. Some permissions are interited from some role groups in AD and Exchange organization such as Administrator, Domain Admins, Organization Management, Enterprise Admins and so on.These permissions are generally configured be default. In Exchange Admin Center, you can click Permissions > Admin Roles to view the role group.