Prerequisite: install the Exchange Online PowerShell module once before running the script.
Install-Module -Name ExchangeOnlineManagement
------------------------------------------------------------Start Code--------------------------------------------------------------
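# Load the Exchange Online module. -ErrorAction Stop aborts the script here if
# the module is not installed, instead of failing later on the first Exchange
# cmdlet.
Import-Module ExchangeOnlineManagement -ErrorAction Stop
# Connect to Exchange Online (interactive sign-in). A failed or cancelled
# sign-in stops the script rather than falling through to the prompts below.
Connect-ExchangeOnline -ErrorAction Stop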
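# Prompt for the admin whose FullAccess grants will be removed, repeating until
# the input looks like an e-mail address.
# This is a format check only; it does not prove the account exists.
# The last label accepts two or more characters, so addresses under TLDs
# longer than four characters are no longer rejected.
$emailPattern = '^[\w.-]+@([\w-]+\.)+[\w-]{2,}$'
do {
    # Trim so a stray leading/trailing space does not fail validation or end up
    # in the later permission comparison.
    $adminEmail = (Read-Host "Enter the admin's email address to remove access").Trim()
    # Evaluate the pattern once per attempt and reuse the result for the loop test.
    $isValidEmail = $adminEmail -match $emailPattern
    if (-not $isValidEmail) {
        Write-Host "Invalid email format. Please enter a valid email address." -ForegroundColor Red
    }
} while (-not $isValidEmail)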
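# Ask which mailboxes, if any, must keep the admin's access.
Write-Host "`nExclusion options:"
Write-Host "1. Exclude specific email addresses (keep access for these)"
Write-Host "2. Exclude mailboxes containing specific words (keep access for these)"
Write-Host "3. No exclusions (remove from all mailboxes)"
# Re-prompt until the answer is 1, 2 or 3. Previously any other answer (a typo,
# an empty line) was treated as "no exclusions", silently widening the run to
# every mailbox in the tenant.
$validChoices = @("1", "2", "3")
do {
    $exclusionChoice = (Read-Host "Choose an exclusion option (1-3)").Trim()
    if ($exclusionChoice -notin $validChoices) {
        Write-Host "Invalid choice. Please enter 1, 2 or 3." -ForegroundColor Red
    }
} while ($exclusionChoice -notin $validChoices)
$excludeList = @()
# Collect the exclusions for the chosen option.
if ($exclusionChoice -eq "1") {
    # One address per prompt; an empty line ends the list.
    do {
        # Trim each entry: an address with a stray space would never match a
        # mailbox, and that mailbox would lose its exclusion without warning.
        $excludeEmail = (Read-Host "Enter email address to exclude (or press Enter to finish)").Trim()
        if ($excludeEmail -ne "") {
            $excludeList += $excludeEmail
        }
    } while ($excludeEmail -ne "")
} elseif ($exclusionChoice -eq "2") {
    # Require a non-empty pattern; an empty one matches every mailbox and would
    # leave nothing to process.
    do {
        $excludePattern = (Read-Host "Enter text pattern to exclude (e.g., 'CEO' will keep access for any mailbox with 'CEO' in the address)").Trim()
    } while ($excludePattern -eq "")
    $excludeList += $excludePattern
}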
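# Get all mailboxes. -ErrorAction Stop aborts the run if the listing fails, so
# the script never continues with an empty or partial mailbox set.
$mailboxes = Get-Mailbox -ResultSize Unlimited -ErrorAction Stop
# Filter mailboxes based on exclusions
if ($exclusionChoice -eq "1") {
    # The prompt asks for e-mail addresses, so an entry is honoured when it
    # equals either the UPN or the primary SMTP address of a mailbox; the two
    # can differ, and checking only the UPN would drop the exclusion.
    $mailboxes = $mailboxes | Where-Object {
        ($_.UserPrincipalName -notin $excludeList) -and
        ($_.PrimarySmtpAddress -notin $excludeList)
    }
} elseif ($exclusionChoice -eq "2") {
    # -notmatch takes a regular expression. The operator input is described as
    # plain text, so escape it: characters such as '.', '+' or '(' would
    # otherwise change which mailboxes are excluded, or throw on an invalid
    # pattern.
    $literalPattern = [regex]::Escape($excludeList[0])
    $mailboxes = $mailboxes | Where-Object { $_.UserPrincipalName -notmatch $literalPattern }
}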
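# Show the operator exactly what is about to change before anything is removed.
Write-Host "`nSummary:"
Write-Host "Admin to remove access: $adminEmail"
Write-Host "Total mailboxes to process: $($mailboxes.Count)"
if ($excludeList.Count -gt 0) {
    Write-Host "Excluded from processing (access will be kept): $($excludeList -join ', ')"
}
# Explicit confirmation gate: only "Y" (case-insensitive) continues; any other
# answer cancels.
$confirm = Read-Host "`nReady to remove full mailbox access for $adminEmail from the above mailboxes. Continue? (Y/N)"
if ($confirm -ne "Y") {
    Write-Host "Operation cancelled." -ForegroundColor Yellow
    # Close the Exchange Online session on the cancel path too; the original
    # exited here and left the authenticated session open.
    Disconnect-ExchangeOnline -Confirm:$false
    exit
}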
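# Remove the admin's FullAccess permission from each mailbox in scope.
foreach ($mailbox in $mailboxes) {
    try {
        # Look up an existing FullAccess entry for the admin first, so mailboxes
        # without the grant are reported rather than producing an error.
        # -ErrorAction Stop turns cmdlet errors into exceptions; without it the
        # catch block below never runs for non-terminating errors.
        # NOTE(review): this compares the entry's User value with the typed
        # address; confirm entries in this tenant are reported in that form.
        $hasAccess = Get-MailboxPermission -Identity $mailbox.Identity -ErrorAction Stop |
            Where-Object { $_.User -eq $adminEmail -and $_.AccessRights -contains "FullAccess" }
        if ($hasAccess) {
            # Stop on failure so the success line below is printed only when the
            # removal actually went through.
            # NOTE(review): inherited entries presumably cannot be removed per
            # mailbox and would surface here as errors - confirm.
            Remove-MailboxPermission -Identity $mailbox.Identity -User $adminEmail -AccessRights FullAccess -Confirm:$false -ErrorAction Stop
            Write-Host "Successfully removed access from mailbox: $($mailbox.UserPrincipalName)" -ForegroundColor Green
        } else {
            Write-Host "No full access permission found for $adminEmail on mailbox: $($mailbox.UserPrincipalName)" -ForegroundColor Yellow
        }
    }
    catch {
        # Report and continue with the next mailbox; one failure must not stop
        # the remaining removals.
        Write-Host "Error removing access from mailbox $($mailbox.UserPrincipalName): $($_.Exception.Message)" -ForegroundColor Red
    }
}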
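# Verify permissions were removed by re-reading every processed mailbox.
Write-Host "`nVerifying permissions were removed..." -ForegroundColor Yellow
$remainingAccess = @()
# Mailboxes whose permissions could not be read back. A failed lookup returns
# nothing, which used to be counted as "access removed"; track those separately
# so a read error cannot produce a false all-clear.
$unverified = @()
foreach ($mailbox in $mailboxes) {
    try {
        $access = Get-MailboxPermission -Identity $mailbox.Identity -ErrorAction Stop |
            Where-Object { $_.User -eq $adminEmail -and $_.AccessRights -contains "FullAccess" }
        if ($access) {
            $remainingAccess += $mailbox.UserPrincipalName
        }
    }
    catch {
        $unverified += $mailbox.UserPrincipalName
        Write-Host "Could not verify mailbox $($mailbox.UserPrincipalName): $($_.Exception.Message)" -ForegroundColor Red
    }
}
if ($remainingAccess.Count -gt 0) {
    Write-Host "`nWarning: Access still exists for the following mailboxes:" -ForegroundColor Red
    $remainingAccess | ForEach-Object { Write-Host $_ }
}
if ($unverified.Count -gt 0) {
    Write-Host "`nWarning: Could not verify the following mailboxes; check them manually:" -ForegroundColor Red
    $unverified | ForEach-Object { Write-Host $_ }
}
# Report success only when every mailbox was read back and none still shows the grant.
if ($remainingAccess.Count -eq 0 -and $unverified.Count -eq 0) {
    Write-Host "`nAll permissions successfully removed!" -ForegroundColor Green
}
# Disconnect from Exchange Online so the authenticated session does not stay open.
Disconnect-ExchangeOnline -Confirm:$false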
-----------------------------------------------------------END-----------------------------------------------------------------