Finding Misconfigured Calendar Permissions in Office365

We recently had an issue at work where someone discovered that their calendar could be viewed by another user in the organization that they didn’t give explicit permission to. Upon further inspection of the problem, we discovered it was being caused by the Exchange role of Reviewer [1] being given to the Default user on the user’s calendar folder. The Default user in Exchange refers to any user in the organization, so any permission assigned to it is essentially saying “I want every user in my company to be able to do this to this resource” [2]. We fixed the user’s issue quickly by modifying the permissions, but I started wondering if anyone else had accidentally modified the Default user on their calendar as well. PowerShell time! I created a script to check the Default user permissions on each user’s Calendar folder and return any calendars where it wasn’t set to the company default of AvailabilityOnly.

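# Prompt for admin credentials and connect to Office365
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential

# Open a remote Exchange Online session and import its cmdlets
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Company default for the Default user on calendar folders
$StandardPermission = "AvailabilityOnly"

# @() keeps .Count correct even when only one mailbox is returned
$inboxes = @(Get-Mailbox -ResultSize Unlimited | Select-Object -ExpandProperty UserPrincipalName)
$i = 0
foreach ($inbox in $inboxes) {
    $i++
    # Derive the percentage from the counter so rounding can never push it past 100
    Write-Progress -Activity "Checking permissions" -Status "Checking $inbox" -PercentComplete ($i / $inboxes.Count * 100)
    # Read the Default user's entry on this mailbox's Calendar folder
    $inboxperm = Get-MailboxFolderPermission -Identity "${inbox}:\Calendar" -User Default
    # Skip mailboxes where the lookup failed; report calendars that differ from the company default
    if ($inboxperm -and $inboxperm.AccessRights -ne $StandardPermission) {
        $inboxperm | Add-Member -NotePropertyName Inbox -NotePropertyValue $inbox -PassThru | Select-Object FolderName,User,AccessRights,Inbox
    }
}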

It takes a while to traverse through all the users, but the script will output its progress as it plods along using the Write-Progress cmdlet. I haven’t tested it, but the script should also work on newer versions of Exchange Server (just remove the part where it connects to Office365, right above the line $StandardPermission = "AvailabilityOnly"). If you’re interested in more information about calendar permissions in Office365, check out the following article from Microsoft: https://support.microsoft.com/en-us/help/2865291/how-to-set-free-busy-permissions-in-exchange-management-shell-in-offic
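The script above reports every calendar whose Default entry differs from AvailabilityOnly, which also includes calendars set to None, a stricter setting than the company default. The following is an added example, not part of the original post: a hypothetical helper, Get-CalendarExposure, that takes rows in the shape the script emits and separates entries that exceed the baseline from those below it. It goes slightly beyond the post by also classifying custom individual rights such as ReadItems; the sample rows and addresses are constructed.

```powershell
# Added example, not the post's code. Get-CalendarExposure is a hypothetical helper.
function Get-CalendarExposure {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Permission,
        [ValidateSet('None', 'AvailabilityOnly', 'LimitedDetails')]
        [string] $Baseline = 'AvailabilityOnly'   # the post's company default
    )
    begin {
        # Calendar-only roles that expose free/busy data at most, least to most detail.
        $freeBusy = 'None', 'AvailabilityOnly', 'LimitedDetails'
        # Roles and individual rights that allow creating, changing or deleting items.
        $write = 'Contributor', 'NonEditingAuthor', 'Author', 'PublishingAuthor', 'Editor',
                 'PublishingEditor', 'Owner', 'CreateItems', 'EditOwnedItems', 'EditAllItems',
                 'DeleteOwnedItems', 'DeleteAllItems', 'FolderOwner'
        $read = 'Reviewer', 'ReadItems'   # item contents readable, nothing changeable
    }
    process {
        # AccessRights is a collection; normalise each entry to a string.
        $rights = @($Permission.AccessRights | ForEach-Object { "$_" })
        if (-not $rights) { $exposure = 'Unknown' }
        elseif ($rights | Where-Object { $_ -in $write }) { $exposure = 'Write' }
        elseif ($rights | Where-Object { $_ -in $read }) { $exposure = 'Read' }
        elseif ($rights | Where-Object { $_ -notin $freeBusy }) { $exposure = 'Custom' }
        else { $exposure = 'FreeBusy' }
        $finding = switch ($exposure) {
            'FreeBusy' {   # compare the most detailed role granted with the baseline
                $level = ($rights | ForEach-Object { [array]::IndexOf($freeBusy, $_) } |
                    Measure-Object -Maximum).Maximum
                $base = [array]::IndexOf($freeBusy, $Baseline)
                if ($level -gt $base) { 'ExceedsBaseline' }
                elseif ($level -lt $base) { 'BelowBaseline' } else { 'Baseline' }
            }
            { $_ -in 'Read', 'Write' } { 'ExceedsBaseline' }
            default { 'Review' }   # Custom or Unknown: needs a human look
        }
        [pscustomobject]@{
            Inbox = $Permission.Inbox; User = "$($Permission.User)"
            AccessRights = $rights -join ','; Exposure = $exposure; Finding = $finding
        }
    }
}

# Constructed sample rows in the shape the post's script emits.
$sample = @(
    [pscustomobject]@{ Inbox = 'alice@example.com'; User = 'Default'; AccessRights = @('Reviewer') }
    [pscustomobject]@{ Inbox = 'bob@example.com'; User = 'Default'; AccessRights = @('AvailabilityOnly') }
    [pscustomobject]@{ Inbox = 'carol@example.com'; User = 'Default'; AccessRights = @('None') }
    [pscustomobject]@{ Inbox = 'erin@example.com'; User = 'Default'; AccessRights = @('ReadItems', 'FolderVisible') }
)
$sample | Get-CalendarExposure | Where-Object { $_.Finding -ne 'Baseline' } | Format-Table -AutoSize
```

To use it against live data, pipe the output of the audit loop into Get-CalendarExposure in place of $sample.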

  1. https://technet.microsoft.com/en-us/library/bb124148(v=exchg.65).aspx
  2. Most companies set the default for Default on calendars to something like AvailabilityOnly or LimitedDetails, which lets users view free and busy time in other users’ calendars to help in scheduling meetings, but nothing else.