Get-RecipientPermission and Get-EXORecipientPermission does not work with Global Reader permission

Peter Hesse 6 Reputation points
2021-03-23T17:41:29.7+00:00

We have created a Global Reader account in order to run some PowerShell scripts to help with maintenance and security reviews.

One of the tools we are running is the CrowdStrike CRT, a reporting tool that examines Azure Active Directory and Exchange Online, and creates lists of hard-to-find or hard-to-expose permissions and settings.

In CRT, one of the commands, "SendAsGranted", runs this command to do Get-EXORecipientPermission against every mailbox in the domain. The specific line is:

$DelegateSendPerms += Get-EXOMailbox -ResultSize Unlimited -ErrorAction SilentlyContinue | Get-EXORecipientPermission -ErrorAction Stop | Where-Object {$_.Trustee -ne "NT AUTHORITY\SELF"}  

When running this script as a Global Administrator, it works. When running the script as a Global Reader, it fails.

I ran the command Get-EXORecipientPermission -UserPrincipalName user@keyman .name manually as the Global Reader account and this was the output (after a substantial delay):

Get-EXORecipientPermission : Error while querying REST service. HttpStatusCode=401
ErrorMessage={"error":{"code":"Unauthorized","message":"User is not allowed to call
Get-RecipientPermission","innererror":{"message":"User is not allowed to call
Get-RecipientPermission","type":"Microsoft.Exchange.Admin.OData.Core.ODataServiceException"}}}
At line:1 char:1
+ Get-EXORecipientPermission -UserPrincipalName user@domain.na ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ProtocolError: (:) [Get-EXORecipientPermission], RestClientException
+ FullyQualifiedErrorId : An error occurred while processing this request.,Microsoft.Exchange.Management.RestApiClient.GetExoRecipientPermission

I believe that the Get-EXORecipientPermission (and its original version, Get-RecipientPermission) command should be able to be run as Global Reader, and this should be fixed.

2 answers

  1. KyleXu-MSFT 26,196 Reputation points
    2021-03-24T08:38:40.747+00:00

    @Peter Hesse

    I tried to add a mailbox to this group and got the same error:
    (screenshot: 80975-qa-kyle-13-29-33.png)

    Based on testing, this is expected behavior. Here is the detailed information about it:

    1. By default, the GlobalReaders role group is not assigned any roles. However, it is a member of the "View-Only Organization Management" role group and inherits the rights of that group.
      (screenshot: 81104-qa-kyle-16-29-56.png)
    2. Here are the roles contained in the "View-Only Organization Management" group:
      (screenshot: 81121-qa-kyle-16-33-10.png)
    3. I checked those two roles; the "Get-RecipientPermission" cmdlet is not contained in either of them:
      (screenshot: 81073-qa-kyle-16-34-34.png)

    So, your account doesn't have the permission to run "Get-RecipientPermission" and "Get-EXORecipientPermission".

    Since this group is hosted in AAD, I have added the AAD tag to this thread so that AAD engineers can work on it.


    2 people found this answer helpful.
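The answer above traces the 401 to RBAC: the account runs the cmdlet only if one of its role assignments (direct, or inherited through a role group such as "View-Only Organization Management") contains that cmdlet. The following is an added example, not code from the thread or from CRT, that performs that check up front so a long script does not die on `-ErrorAction Stop` halfway through. It assumes an open Exchange Online session created with Connect-ExchangeOnline by an account allowed to read RBAC configuration; the function name, parameter names and the sample UPN are placeholders chosen for this example.

```powershell
# Test-ExoCmdletAccess: does $User hold any management role that contains $Cmdlet?
# Placeholder function name; relies only on the standard RBAC cmdlets
# Get-ManagementRole and Get-ManagementRoleAssignment.
function Test-ExoCmdletAccess {
    param(
        [Parameter(Mandatory)] [string] $Cmdlet,   # e.g. 'Get-RecipientPermission'
        [Parameter(Mandatory)] [string] $User      # UPN of the account that will run the script
    )

    # Every management role whose role entries include the cmdlet.
    $rolesWithCmdlet = @(Get-ManagementRole -Cmdlet $Cmdlet -ErrorAction Stop)

    # Role assignments that apply to the user. Assumption: with a user as -RoleAssignee,
    # the cmdlet also returns assignments the user receives via role group membership.
    $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $User -ErrorAction Stop)

    # Keep only the assignments whose role actually contains the cmdlet, and record
    # which assignee (user or role group) grants it, so the source of the right is visible.
    $granting = foreach ($a in $assignments) {
        if ($rolesWithCmdlet.Name -contains $a.Role) {
            [pscustomobject]@{
                Role         = $a.Role
                AssigneeName = $a.RoleAssigneeName   # e.g. 'Organization Management'
                AssigneeType = $a.RoleAssigneeType   # e.g. RoleGroup or User
            }
        }
    }

    [pscustomobject]@{
        Cmdlet          = $Cmdlet
        User            = $User
        Allowed         = [bool]$granting            # $false when no assignment matched
        GrantedBy       = @($granting)
        RolesWithCmdlet = @($rolesWithCmdlet.Name)   # roles that would be needed
    }
}

# Usage: run once before launching the SendAsGranted check. 'reader@example.com' is a sample UPN.
$result = Test-ExoCmdletAccess -Cmdlet 'Get-RecipientPermission' -User 'reader@example.com'
if (-not $result.Allowed) {
    $msg = "{0} holds none of the roles that contain {1} ({2}); Get-EXORecipientPermission will return HTTP 401 for this account." -f
           $result.User, $result.Cmdlet, ($result.RolesWithCmdlet -join ', ')
    Write-Warning $msg
}
$result.GrantedBy | Format-Table -AutoSize
```

For a Global Reader the output lists the roles that contain Get-RecipientPermission while GrantedBy stays empty, which is the RBAC view of the "User is not allowed to call Get-RecipientPermission" error quoted in the question.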

  2. Andy David - MVP 139.8K Reputation points MVP
    2021-03-23T18:07:43.393+00:00

    Yea, I just ran that same query and no issues.

    $DelegateSendPerms += Get-EXOMailbox -ResultSize Unlimited -ErrorAction SilentlyContinue | Get-EXORecipientPermission -ErrorAction Stop | Where-Object {$_.Trustee -ne "NT AUTHORITY\SELF"}

    I would send an email to: exocmdletpreview@abdou .microsoft.com and ask them to look into it.

    1 person found this answer helpful.