How to Discover and enumerate Exchange Online SendAs and SendOnBehalfOf Permissions

In Exchange Online (part of Microsoft 365), Send on Behalf and Send As are two distinct permissions that control how users can send emails on behalf of others.

1. Send on Behalf Permission

  • Functionality: Allows a user to send an email on behalf of another user. When the recipient receives the email, it shows that the email was sent "on behalf of" the original mailbox owner.
  • Example Display: If User A has been granted "Send on Behalf" permissions by User B, an email sent by User A on behalf of User B will appear to the recipient as "User A on behalf of User B."
  • Use Case: Commonly used when assistants, team members, or support staff need to communicate on behalf of their manager or team lead but should indicate that they are the actual sender.
  • Setup: Can be configured in the Exchange Admin Center (EAC) or with PowerShell (Set-Mailbox cmdlet) by an administrator.


Delegated Exchange mailbox permissions flow

2. Send As Permission

  • Functionality: Allows a user to send an email as if they are the mailbox owner. The email appears as if it was sent directly by the mailbox owner, without showing that another user sent it on their behalf.
  • Example Display: If User A has "Send As" permissions for User B’s mailbox, an email sent by User A from User B’s mailbox will appear to the recipient as if it was sent directly by User B, with no mention of User A.
  • Use Case: Useful when a group or shared mailbox needs a single “identity,” such as a support or info mailbox, where messages should come directly from the shared address without indicating who actually sent it.
  • Setup: Also configured in the Exchange Admin Center (EAC) or with PowerShell by an admin. For shared or group mailboxes, "Send As" is often assigned so emails appear to come directly from the mailbox itself.


Assigning Send As or Send on Behalf permissions is not difficult, and most admins assign those rights via the Exchange Control Panel. However, enumerating which users have Send on Behalf permissions assigned to them becomes a problem, as there is no reverse enumeration in Exchange Online or PowerShell. What I mean is that you can open a mail user and see who they delegate Send As or Send on Behalf to, but not which mailboxes delegate those permissions to them.

The following script finds every mailbox in the Exchange Online tenant that a given user (the trustee, identified by primary SMTP address) has Send on Behalf permissions on.

#this outputs every mailbox that one user (the trustee) can send on behalf of in the Exchange Online tenant
#First 3 commands are to install module and connect with Exchange Admin creds, make sure you got correct creds
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
# Define the user you want to check for "Send on Behalf Of" permissions
$sendOnBehalfUser = "[email protected]"

# Define the output file path, make sure you have a folder called C:\Temp
$outputFile = "C:\Temp\SendOnBehalfResults.txt"

# Initialize the output file with a header
"Mailboxes that ${sendOnBehalfUser} can send on behalf of:" | Out-File -FilePath $outputFile

# Retrieve all mailboxes with no result size limit (GrantSendOnBehalfTo is already on each object, so no second Get-Mailbox call per mailbox is needed)
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Loop through each mailbox and check if the trustee is in the GrantSendOnBehalfTo list
foreach ($mailbox in $mailboxes) {
    # Each GrantSendOnBehalfTo entry is a directory reference, not an SMTP address,
    # so resolve it with Get-Recipient before comparing PrimarySmtpAddress
    foreach ($entry in $mailbox.GrantSendOnBehalfTo) {
        $trustee = Get-Recipient -Identity "$entry" -ErrorAction SilentlyContinue
        if ($trustee -and $trustee.PrimarySmtpAddress -eq $sendOnBehalfUser) {
            # Append the mailbox display name to the output file if permissions are found
            $mailbox.DisplayName | Out-File -FilePath $outputFile -Append
            break
        }
    }
}

# Optional: Display a message confirming the file path
Write-Output "Results saved to $outputFile"


The following variant of the script matches the trustee by SamAccountName instead of SMTP address, and dumps the results into a text file located at C:\temp\SendOnBehalfResults.txt.

#this outputs every mailbox that one user (the trustee) can send on behalf of in the Exchange Online tenant, matching by SamAccountName
#First 3 commands are to install module and connect with Exchange Admin creds, make sure you got correct creds
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
# Define the SamAccountName to check for in "Send on Behalf Of" permissions; replace samaccountname with the SAM of the account to whom permissions have been granted, the trustee
$sendOnBehalfUser = "samaccountname"

# Define the output file path, make sure C:\temp folder exists
$outputFile = "C:\temp\SendOnBehalfResults.txt"

# Initialize the output file with a header
"Mailboxes that ${sendOnBehalfUser} can send on behalf of:" | Out-File -FilePath $outputFile

# Retrieve all mailboxes with no result size limit (GrantSendOnBehalfTo is already on each object)
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Loop through each mailbox and check if the trustee can send on behalf of it
foreach ($mailbox in $mailboxes) {
    # Each GrantSendOnBehalfTo entry is a directory reference; resolve it to a recipient to read its SamAccountName
    foreach ($entry in $mailbox.GrantSendOnBehalfTo) {
        $trustee = Get-Recipient -Identity "$entry" -ErrorAction SilentlyContinue
        # Check if the resolved entry's SamAccountName matches the trustee we are looking for
        if ($trustee -and $trustee.SamAccountName -eq $sendOnBehalfUser) {
            # Append the mailbox display name to the output file if permissions are found
            $mailbox.DisplayName | Out-File -FilePath $outputFile -Append
            break
        }
    }
}

# Optional: Display a message confirming the file path
Write-Output "Results saved to $outputFile"


This checks who has Send on Behalf permissions on a specific mailbox; in this instance the mailbox is [email protected]

#this outputs the Send on Behalf trustees of one mailbox in the Exchange Online tenant
#First 3 commands are to install module and connect with Exchange Admin creds, make sure you got correct creds
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
# Define a specific mailbox to inspect GrantSendOnBehalfTo entries
$mailboxIdentity = "[email protected]"

# Display the full GrantSendOnBehalfTo property (directory references as Exchange stores them)
Get-Mailbox -Identity $mailboxIdentity | Select-Object -ExpandProperty GrantSendOnBehalfTo

# Same list resolved to display names and SMTP addresses, which is easier to read
Get-Mailbox -Identity $mailboxIdentity | Select-Object -ExpandProperty GrantSendOnBehalfTo |
    ForEach-Object { Get-Recipient -Identity "$_" -ErrorAction SilentlyContinue } |
    Select-Object DisplayName, PrimarySmtpAddress


The following script outputs all Send As permissions of all mailboxes in the Exchange tenant (excluding the implicit SELF grant every mailbox has) to C:\temp\SendAsPermissions2.txt.

# Connect to Exchange Online
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Get all mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Initialize a string to store results
$results = ""

# Loop through each mailbox and get the "Send As" permissions
foreach ($mailbox in $mailboxes) {
    # Retrieve the Send As permissions for the mailbox, skipping the implicit NT AUTHORITY\SELF grant
    # (-ResultSize Unlimited so a mailbox with many trustees is not cut off at the default page size)
    $sendAsPermissions = Get-RecipientPermission -Identity $mailbox.Identity -ResultSize Unlimited |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' }

    # Add the results to the string if there are Send As permissions
    foreach ($permission in $sendAsPermissions) {
        $results += "Mailbox: $($mailbox.DisplayName) - GrantedTo: $($permission.Trustee) - AccessRight: Send As`n"
    }
}

# Output the results to a text file (make sure C:\temp exists)
$results | Out-File -FilePath "C:\temp\SendAsPermissions2.txt" -Encoding UTF8

# Disconnect from Exchange Online without the confirmation prompt
Disconnect-ExchangeOnline -Confirm:$false
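As an added example (not part of the original article), the following script combines the lookups above into one pass over the tenant and builds the reverse index the article says is missing: a CSV inventory of every Send on Behalf and Send As grant, then the same data grouped by trustee. It assumes the ExchangeOnlineManagement module, an Exchange admin role, and the output path C:\temp\SendPermissionInventory.csv; these are my assumptions, not the author's.

```powershell
# Added example (not the article's own script): one pass that builds a trustee-indexed
# inventory of both Send on Behalf and Send As grants, giving the reverse view
# ("which mailboxes can this account send from?") for every trustee at once.
# Assumes the ExchangeOnlineManagement module is installed, you hold an Exchange admin
# role, and the folder C:\temp exists (assumed output path).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$outputCsv = 'C:\temp\SendPermissionInventory.csv'
$inventory = New-Object System.Collections.Generic.List[object]

# GrantSendOnBehalfTo is already on each mailbox object; no second Get-Mailbox per mailbox needed
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes) {
    # Send on Behalf: entries are directory references, so resolve each to an SMTP address
    foreach ($entry in $mailbox.GrantSendOnBehalfTo) {
        $trustee = Get-Recipient -Identity "$entry" -ErrorAction SilentlyContinue
        $trusteeAddress = if ($trustee) { "$($trustee.PrimarySmtpAddress)" } else { "$entry" }
        $inventory.Add([pscustomobject]@{
            Mailbox    = "$($mailbox.PrimarySmtpAddress)"
            Trustee    = $trusteeAddress
            Permission = 'SendOnBehalf'
        })
    }

    # Send As: lives in recipient permissions; drop the implicit SELF grant every mailbox has
    Get-RecipientPermission -Identity $mailbox.Identity -ResultSize Unlimited |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
        ForEach-Object {
            $inventory.Add([pscustomobject]@{
                Mailbox    = "$($mailbox.PrimarySmtpAddress)"
                Trustee    = "$($_.Trustee)"
                Permission = 'SendAs'
            })
        }
}

# Full inventory for auditing, or for diffing against a previous run to spot new grants
$inventory | Export-Csv -Path $outputCsv -NoTypeInformation -Encoding UTF8

# Reverse view: every trustee with the mailboxes it can send from, most grants first
$inventory | Group-Object Trustee | Sort-Object Count -Descending | ForEach-Object {
    $mailboxList = ($_.Group.Mailbox | Sort-Object -Unique) -join ', '
    '{0}: {1} grant(s) on {2}' -f $_.Name, $_.Count, $mailboxList
}

Disconnect-ExchangeOnline -Confirm:$false
```

Send As trustees are recorded in whatever form Get-RecipientPermission returns them (often a canonical name rather than an SMTP address), so a trustee that holds both kinds of grant can appear under two names in the grouped output.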
        
Valentin Komarovskiy, MBA


2 weeks

Brent Foley - check out my masterpiece scripts for Exchange!
