Get-EXOMailboxPermission issues

Question

Get-EXOMailboxPermission issues

Roman King 26

Hi all

I have a script that goes through all mailboxes (about 6k) in our org and collects access data.

Then, based on this data, we can find out which user has access to what mailboxes. To speedup the process, I run 48 streams in parallel. For some reason, I receive JUST ONE error message that states: The 'Get-EXOMailboxPermission' command was found in the module 'ExchangeOnlineManagement', but the module could not be loaded due to the following error: [Collection was modified; enumeration operation may not execute.]

For more information, run 'Import-Module ExchangeOnlineManagement'.

Here is the function, partially:


function Get-MailboxesAccess {
    param (
        [parameter(Mandatory = $true)][String]$TargetUser
    )
    

    $TargetUser = $TargetUser.Trim()
    if ($TargetUser -notlike "*@*") { $TargetUser = $TargetUser + "@blood.ca" }       
    
    Write-Host "Looking for mailboxes.." -ForegroundColor Cyan
    $mailboxes = Get-EXOMailbox -ResultSize Unlimited 
    Write-Host "Total mailboxes to proces: $($mailboxes.Count)" -ForegroundColor Cyan
    if (!$mailboxes) {
        Write-Host "No mailboxes found, nothing to process"
        Break
    }


    $job = $mailboxes | Foreach-Object -ThrottleLimit 48 -Parallel {
        function Get-FullAccessPermissions {
            # This function collects FullAccess rights
            param (
                [Parameter(Mandatory = $true)][string]$Mailbox
            )
    
            $result = Get-EXOMailboxPermission -Identity $Mailbox -ErrorAction SilentlyContinue | Where-Object { $_.AccessRights -match "FullAccess" -and $_.User -ne "NT AUTHORITY\SELF" } | Select-Object User
            return $($result.User)
        }
        function Get-SendAsPermissions {
            # This function collects SendAs rights
            param (
                [Parameter(Mandatory = $true)][string]$Mailbox
            )
    
            $result = Get-EXORecipientPermission -Identity $Mailbox -ErrorAction SilentlyContinue | Where-Object { $_.AccessRights -match "SendAs" -and $_.Trustee -ne "NT AUTHORITY\SELF" } | Select-Object Trustee
            return $($result.Trustee)
        }   
        function Get-SendOnBehalfPermissions {
            # This function collects SoB rights
            param (
                [Parameter(Mandatory = $true)][string]$Mailbox
            )
            try {
                $result = Get-EXOMailbox $Mailbox -Properties GrantSendOnBehalfTo | Select-Object -ExpandProperty GrantSendOnBehalfTo | Get-EXOMailbox -ErrorAction SilentlyContinue | Select-Object UserPrincipalName
                return $($result.UserPrincipalName)
            }
            catch {
                return $null
            }
        }

        # An array of data is simple 
        # In case we will require a JSON file that is simpler to process, we will uncomment those three lines in the middle
        $accessDetails = [PSCustomObject]@{
            "Mailbox"              = $_.UserPrincipalName
            "RecipientType"        = $_.RecipientType
            "RecipientTypeDetails" = $_.RecipientTypeDetails
            #"FullAccess" = Get-FullAccessPermissions -Mailbox $_.UserPrincipalName
            #"SendAs" = Get-SendAsPermissions -Mailbox $_.UserPrincipalName
            #"SoB" = Get-SendOnBehalfPermissions -Mailbox $_.UserPrincipalName
            "FullAccess"           = (Get-FullAccessPermissions -Mailbox $_.UserPrincipalName) -join "; "
            "SendAs"               = (Get-SendAsPermissions -Mailbox $_.UserPrincipalName) -join "; "
            "SoB"                  = (Get-SendOnBehalfPermissions -Mailbox $_.UserPrincipalName) -join "; "
        }
        
        $report += $accessDetails    
        return $report
        
    } -AsJob

Ondřej Šebela 6 Reputation points

2025-11-21T14:13:45.88+00:00

How is it possible you don't have to reauthenticate to EXO inside the parallel job? Whats the trick here?
Roman King 26 Reputation points

2025-11-21T14:26:47.29+00:00

The trick is that old Get-Mailbox (or other commands) does require authentication.
But Get-EXO* commands rely on the existing connection. So, this is kind of an MS trick, not mine.

2 answers

Your answer

Ondřej Šebela 6 Reputation points

2025-11-21T14:13:45.88+00:00

How is it possible you don't have to reauthenticate to EXO inside the parallel job? Whats the trick here?
Roman King 26 Reputation points

2025-11-21T14:26:47.29+00:00

The trick is that old Get-Mailbox (or other commands) does require authentication.
But Get-EXO* commands rely on the existing connection. So, this is kind of an MS trick, not mine.

Answer 1

Anonymous

Hi, @Roman King

It sounds like your problem is in a script, please understand that the Exchange Online tag is not focused on script issues at this time. Since you have added the Power Shell tag, you can wait for more professional guidance from them.

From my personal point of view, you can try the following suggestions:

Use a for loop to iterate over the collection. This prevents the enumerator from throwing an exception when the collection is changed.
Create a separate collection to store the threads to be aborted.
Load 'Import-Module ExchangeOnlineManagement' at the beginning of the script
Change parallel processing to serial processing, it may avoid the problem of concurrent modifications.
Move the permission acquisition functions outside of the main script body to ensure they are available across the scope of the script.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Roman King 26 Reputation points

2024-10-07T17:55:44.5333333+00:00

It looks like the problem is not related to my script. I reduced the number of streams and it significantly reduced the number of errors.

I suspect that ExchangeOnline has some limits but I can't find any KBs mentioning that I can't run Get-EXOMailboxPermission more than X times/second.

With only 8 streams (which significantly reduces speed) my script works fine
Anonymous

2024-10-10T01:37:03.32+00:00

Hi, @Roman King

Just wanted to check if the answer shared by Rich Matheisen helped. If it helped, then would request you to please "Accept the answer" as it would be helpful to others in the community as well.

Answer 2

Rich Matheisen 48,026

Is there a reason you're using the "-AsJob" parameter?

Using the Foreach-Object with the -Parallel switch causes each iteration to run in its own runspace. Shouldn't that be sufficient?

Also, when you use the -AsJob, the Foreach-Object returns a job object, not the output from the success stream.

Runspaces, and jobs, consume a significant amount of memory and time (to set up and tear down). You might benefit from reusing runspaces by pooling them instead of creating/destroying 6,000 of them!

Also, each of your interior functions use this pattern:

. . . | Where-Object { $_.AccessRights -match "SendAs" -and $_.Trustee -ne "NT AUTHORITY\SELF" } | Select-Object Trustee
return $($result.Trustee)

That "Select-Object" is creating a PSCustomObject. But all you seem to want is the text value of the property. Try using . . . | Select-Object -Expand <propertyname> to get an array (multiple mailboxes may have the same permission on the target mailbox) of strings instead of an array of PSCustomObjects.

Roman King 26 Reputation points

2024-10-07T19:42:14.7733333+00:00

Thanks for the tips!

Using the Foreach-Object with the -Parallel switch causes each iteration to run in its own runspace. Shouldn't that be sufficient?

It could be, but I want to monitor the progress so having a number of items already processed (as a job) I can draw a progress bar.

Runspaces, and jobs, consume a significant amount of memory and time (to set up and tear down)

To be honest, it does not utilize a lot of RAM, but it really fast compared to foreach with no parallel processing.
Rich Matheisen 48,026 Reputation points

2024-10-08T02:51:40.1966667+00:00
The description of the -ThrottleLimit, -AsJob, and -Parallel combination isn't (I think) very clearly explained in the help. This does a better job: https://devblogs.microsoft.com/powershell/powershell-foreach-object-parallel-feature/

I think the use of the -AsJob in your case isn't necessary.

How are you using the progress bar (it doesn't show up in your code)? Is it thread safe?

That "thread safe" bit is a real consideration. Given your initial post staying that you receive the error "Collection was modified; enumeration operation may not execute" you may be using a collection object in a way that's causing it to be updated from more than one thread while the collection is being enumerated. If that's happening you'll probably have to use one of the System.Collections.Concurrent .Net classes to avoid the problem.

In your function I see this in the last two lines:

$report += $accessDetails return $report

But I don't understand why you're using the "+=" operator instead of just returning the $accessDetails variable.

Share via

Get-EXOMailboxPermission issues

2 answers

Your answer