Using Claude Code to Audit Exchange Mailbox Delegation

January 9, 2026
Written By Christi Brown

Christi Brown is the founder of AdapToIT, where modern IT strategy meets hands-on execution. With a background in security, cloud infrastructure, and automation, Christi writes for IT leaders and business owners who want tech that actually works—and adapts with them.

Mailbox permissions are one of those things that accumulate over time and never get cleaned up. Someone goes on maternity leave and their manager gets full access. An executive assistant needs send-on-behalf for three VPs. A departing employee’s mailbox gets shared with their replacement “temporarily” and it’s still there two years later.

Then you get a new client, or an auditor asks who has access to what, and you realize nobody has looked at this in years.

I recently used Claude Code to audit mailbox delegation across a client’s Exchange Online environment. Here’s exactly how I did it – the prompt, the output, and the mess we found.

The Problem

Mailbox delegation permissions in Exchange Online come in three flavors:

  • Full Access – Can open and read everything in the mailbox
  • Send As – Can send email that looks like it came from that mailbox
  • Send on Behalf – Can send email “on behalf of” that mailbox

These permissions exist for good reasons. The problem is they pile up. Nobody removes them when they’re no longer needed. And there’s no built-in report in the Exchange admin center that shows you the full picture across all mailboxes.

You can run PowerShell commands to pull this data, but then you’re staring at raw output trying to figure out what’s normal and what’s a problem. That’s where Claude Code helps – it pulls the data AND analyzes it.

What You Need

PowerShell 7

# Windows (run as admin)
winget install --id Microsoft.PowerShell --source winget

Exchange Online Management Module

# In PowerShell 7
Install-Module ExchangeOnlineManagement -Scope CurrentUser

Claude Code

# Requires Node.js 18+
npm install -g @anthropic-ai/claude-code

# Authenticate
claude login

Permissions

You need an account with at least the Exchange Administrator role, or a custom role with recipient management permissions. For app-only automation, you’d need the Exchange.ManageAsApp application permission with the Exchange Administrator role assigned to the service principal.

Connect to Exchange Online

Before starting Claude Code, connect to Exchange:

Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

Leave this PowerShell session open. Claude Code will use it to run commands.

The Prompt

Here’s the exact prompt I use. Copy this and adjust the output path for your environment:

I need you to audit mailbox delegation permissions in Exchange Online. The Exchange Online PowerShell session is already connected.

## Data to Collect

Pull the following for ALL user mailboxes (exclude shared mailboxes, room mailboxes, and equipment mailboxes for now):

1. Full Access permissions (Get-MailboxPermission)
   - Exclude NT AUTHORITY\SELF
   - Exclude inherited permissions (IsInherited = False only)

2. Send As permissions (Get-RecipientPermission)
   - Exclude NT AUTHORITY\SELF

3. Send on Behalf permissions (Get-Mailbox | select GrantSendOnBehalfTo)

## Analysis

After collecting the data, analyze it for:

1. Users with Full Access to more than 3 mailboxes - flag as potential over-permissioned accounts
2. Any permissions granted to users who are disabled in Entra ID - these are stale and should be removed
3. Non-admin users with Send As permissions - this is often misconfigured
4. Any mailbox where more than 5 different users have some form of access - flag for review
5. Permissions granted to security groups vs individual users - groups are usually better

## Output Format

Create a report with these sections:

### CRITICAL - Requires Immediate Action
Permissions that are clearly wrong or risky (disabled users, excessive access)

### REVIEW RECOMMENDED  
Permissions that might be legitimate but should be verified with the client

### STATISTICS
- Total mailboxes scanned
- Total delegation permissions found
- Breakdown by permission type

### RAW DATA
Export the full permission list to a CSV at /home/claude/mailbox-permissions.csv with columns:
- Mailbox
- MailboxEmail
- PermissionType (FullAccess/SendAs/SendOnBehalf)
- GrantedTo
- GrantedToEmail
- IsGroup (true/false)

Run the audit now.

What Happens Next

Claude Code will start running PowerShell commands in your connected session. You’ll see it execute:

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | ...
Get-MailboxPermission -Identity $mailbox.PrimarySmtpAddress | ...
Get-RecipientPermission -Identity $mailbox.PrimarySmtpAddress | ...

This takes a while depending on how many mailboxes you have. For a 200-mailbox environment, expect 10-15 minutes.
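If you want to see what the collection and analysis in the prompt look like as a plain script, here is an added example (not code from the original post and not Claude Code’s output) that implements the three data pulls and two of the prompt’s checks. The output path and the use of Get-User’s AccountDisabled property to detect disabled accounts are my assumptions.

```powershell
# Added example (not from the original post): collects the three delegation types the
# prompt asks for, then flags disabled grantees and over-permissioned users.
# Assumes Connect-ExchangeOnline has already run; $OutPath is a placeholder.
$OutPath = 'C:\Audit\mailbox-permissions.csv'
$rows = [System.Collections.Generic.List[object]]::new()

function Add-Grant($Mailbox, $Type, $Grantee) {
    # Resolve the grantee so we get an SMTP address and can tell groups from users
    $r = Get-Recipient -Identity $Grantee -ErrorAction SilentlyContinue
    $rows.Add([pscustomobject]@{
        Mailbox        = $Mailbox.DisplayName
        MailboxEmail   = "$($Mailbox.PrimarySmtpAddress)"
        PermissionType = $Type
        GrantedTo      = "$Grantee"
        GrantedToEmail = [string]$r.PrimarySmtpAddress   # '' when the grantee did not resolve
        IsGroup        = [bool]($r -and $r.RecipientType -like '*Group*')
    })
}

foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    # Full Access: skip SELF and inherited (default) entries, as the prompt specifies
    Get-MailboxPermission -Identity $mbx.PrimarySmtpAddress |
        Where-Object { $_.User -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited -and
                       $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object { Add-Grant $mbx 'FullAccess' $_.User }
    # Send As: Get-RecipientPermission also lists SELF, so drop it here too
    Get-RecipientPermission -Identity $mbx.PrimarySmtpAddress |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
        ForEach-Object { Add-Grant $mbx 'SendAs' $_.Trustee }
    # Send on Behalf: GrantSendOnBehalfTo is a multi-valued list of recipient identities
    foreach ($g in $mbx.GrantSendOnBehalfTo) { Add-Grant $mbx 'SendOnBehalf' $g }
}
$rows | Export-Csv -Path $OutPath -NoTypeInformation

# CRITICAL: grantees whose account is disabled (assumes Get-User's AccountDisabled flag)
$rows | Where-Object { -not $_.IsGroup -and $_.GrantedToEmail } |
    Where-Object { (Get-User -Identity $_.GrantedToEmail -ErrorAction SilentlyContinue).AccountDisabled } |
    Format-Table Mailbox, PermissionType, GrantedTo -AutoSize

# REVIEW: individual users with Full Access to more than 3 mailboxes
$rows | Where-Object { $_.PermissionType -eq 'FullAccess' -and -not $_.IsGroup } |
    Group-Object GrantedToEmail | Where-Object Count -gt 3 |
    Select-Object Name, Count, @{n='Mailboxes'; e={ $_.Group.MailboxEmail -join ', ' }}

# REVIEW: mailboxes where more than 5 distinct grantees have some form of access
$rows | Group-Object MailboxEmail |
    Select-Object Name, @{n='UserCount'; e={ ($_.Group.GrantedTo | Sort-Object -Unique).Count }} |
    Where-Object UserCount -gt 5
```

The CSV columns match the ones the prompt asks for, so the same file can be handed to whoever reviews the findings.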

Example Output

Here’s a sanitized version of what came back for a recent client:

## CRITICAL - Requires Immediate Action

### Disabled Users with Active Permissions
The following disabled Entra ID accounts still have mailbox access:

| Disabled User | Has Access To | Permission Type |
|---------------|---------------|-----------------|
| jsmith@contoso.com | finance@contoso.com | Full Access |
| jsmith@contoso.com | ar@contoso.com | Full Access |
| mwilliams@contoso.com | ceo@contoso.com | Send As |

ACTION: Remove these permissions immediately. These are former employees who can still access mailboxes if their accounts are re-enabled or compromised.

PowerShell to remove:
Remove-MailboxPermission -Identity finance@contoso.com -User jsmith@contoso.com -AccessRights FullAccess -Confirm:$false
Remove-MailboxPermission -Identity ar@contoso.com -User jsmith@contoso.com -AccessRights FullAccess -Confirm:$false
Remove-RecipientPermission -Identity ceo@contoso.com -Trustee mwilliams@contoso.com -AccessRights SendAs -Confirm:$false


## REVIEW RECOMMENDED

### Users with Access to 4+ Mailboxes
These accounts have broad mailbox access. Verify this is intentional:

| User | Mailbox Count | Mailboxes |
|------|---------------|-----------|
| lthompson@contoso.com | 7 | ceo, cfo, coo, hr, finance, legal, exec-team |
| jgarcia@contoso.com | 4 | sales, sales-west, sales-east, marketing |

NOTE: lthompson appears to be an executive assistant based on the mailboxes accessed. jgarcia may be a sales manager. Confirm with client.

### Mailboxes with 5+ Users Having Access
These mailboxes have many people with permissions. May be candidates for conversion to shared mailboxes:

| Mailbox | User Count | Permission Breakdown |
|---------|------------|---------------------|
| info@contoso.com | 8 | 6 Full Access, 2 Send As |
| support@contoso.com | 6 | 4 Full Access, 2 Send On Behalf |
| sales@contoso.com | 5 | 3 Full Access, 2 Send As |

### Individual Permissions vs Groups
Found 47 permissions granted directly to users that could be managed via groups:
- 12 users have individual Full Access to hr@contoso.com (consider HR-Mailbox-Access group)
- 8 users have individual Send As to info@contoso.com (consider Info-SendAs group)


## STATISTICS

- Total user mailboxes scanned: 187
- Total delegation permissions found: 94
- Full Access permissions: 52
- Send As permissions: 28  
- Send on Behalf permissions: 14
- Permissions granted to disabled users: 3
- Permissions granted to groups: 11
- Permissions granted to individuals: 83


## RAW DATA

Full permission export saved to: /home/claude/mailbox-permissions.csv

What To Do With This

The Critical Items – Fix these now. Disabled users with mailbox access are a real security gap. Run the removal commands Claude Code provided or put them in a script.

The Review Items – Schedule a call with the client. Show them what you found and ask:

  • Is lthompson supposed to have access to all those executive mailboxes?
  • Should info@ and support@ be converted to shared mailboxes with proper group membership?
  • Do all 12 of those people still need HR mailbox access?

The Statistics – Put these in your report. Auditors like numbers.

The CSV – Keep this for documentation. When someone asks “who approved this access?” in six months, you’ll have a baseline.

Gotchas and Things That Go Wrong

Session Timeout

Exchange Online sessions time out after a period of inactivity. If Claude Code is processing a lot of mailboxes and the session drops, you’ll get errors. For large environments, either run in batches or keep an eye on it. Ask me how I know.

Throttling

Microsoft throttles Exchange Online PowerShell. If you’re hitting hundreds of mailboxes, you might get temporarily blocked. Claude Code will usually retry, but if you see a lot of “please wait” messages, slow down.

Shared Mailboxes

The prompt above excludes shared mailboxes. If you want those included, remove that filter. Just know you’ll get a lot more results since shared mailboxes are designed to have multiple users.

Groups Don’t Show Members

When permissions are granted to a group, Claude Code reports the group name, not the group members. You’ll need to check group membership separately if you need that detail.
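To get that detail, here is an added example (not from the original post) that expands a group-level grant into the individual accounts behind it, following nested groups; the group name is a placeholder and the session is assumed to be connected already.

```powershell
# Added example (not from the original post): expands a mail-enabled security or
# distribution group, including nested groups, so a group-level grant in the report
# can be mapped back to the individual accounts it covers. Assumes a connected
# Exchange Online session; the group name below is a placeholder.
function Expand-GroupMembers {
    param(
        [string]$Identity,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    # Skip groups already visited so mutually nested groups cannot loop forever
    if (-not $Seen.Add($Identity)) { return }
    foreach ($m in Get-DistributionGroupMember -Identity $Identity -ResultSize Unlimited) {
        if ($m.RecipientTypeDetails -like '*Group*') {
            # Nested group: recurse. (Microsoft 365 Groups are not distribution groups;
            # their members come from Get-UnifiedGroupLinks instead.)
            Expand-GroupMembers -Identity "$($m.PrimarySmtpAddress)" -Seen $Seen
        } else {
            [pscustomobject]@{
                Group  = $Identity
                Member = "$($m.PrimarySmtpAddress)"
                Type   = "$($m.RecipientTypeDetails)"
            }
        }
    }
}

# Which accounts really receive the HR-Mailbox-Access group's Full Access grant?
Expand-GroupMembers -Identity 'HR-Mailbox-Access@contoso.com' | Format-Table -AutoSize
```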

The “Inherited” Confusion

Some permissions show as inherited from the organization level. The prompt filters these out because they’re usually default permissions, not something someone explicitly granted. If you’re missing expected results, try including inherited permissions.

Peer Review

This report still goes to our security team before it hits the client. Claude Code does the heavy lifting on data gathering and pattern identification, but another human validates the findings. The disabled-user permissions were definitely a problem, but the “7 mailboxes” finding needed context that only talking to the client could provide. Maybe that executive assistant legitimately needs all that access. The AI flags it, humans decide what to do about it.

Why This Over Built-In Tools

Microsoft doesn’t have a native report that shows you all delegation types in one view. You can poke around in the Exchange admin center, you can run individual PowerShell commands, but nothing aggregates it and analyzes it like this.

Third-party tools exist but they’re often overkill for a one-time audit or new client assessment. When I just need to know “what’s going on with mailbox permissions in this tenant I’ve never seen before,” Claude Code gets me there faster than spinning up a trial of some auditing platform.

The real beauty is that Claude Code can churn through these audits while I’m working on something else. I’ve basically got a little army of AI minions handling the tedious stuff, which means I can take on more work at once. Very efficient. Very “taking over the world” energy.

Then I remember that actually taking over the world would involve way too many meetings, so I’ll just settle for clearing my ticket queue instead.


Got a specific Exchange audit scenario you want to see covered? Drop it in the comments.