Display Exchange Mailbox Permissions in Active Roles

Is there a way I can display the Exchange Mailbox Permissions in Active Roles? We need the list of mailboxes that the user has access to (does not need to be editable). If this is possible we would like to display the information so that we could incorporate it into our yearly audit (currently we do this on group membership in AD).

  • I'm going to assume:

    Your mailboxes live in Office 365.

    I would architect a solution for this as follows:

    NOTE:  This solution fetches the list of mailboxes in real time so it will delay the opening of your user properties form - the delay could be substantial if you have a lot of mailboxes in your tenant.  Another approach would be to populate the virtual attribute proposed below on a scheduled basis for all users using an Automation workflow.  The basic Get-Mailbox | Get-MailboxPermission code would be the same.

    Create an un-stored virtual attribute edsvaMailboxAccessList (multi-value string syntax).

    Add this VA to a tab in your AR Web UI user properties form.

    Assign a Control to your Web UI user properties form called "MyFormID" and set the value to "UserProps".

    Create a provisioning policy script that implements an OnPreGet handler and add this policy script to the provisioning policy that is linked to the OU(s) potentially containing users with access to other mailboxes.

    In this handler, implement a $Request.GetInControl("MyFormID") check to see whether the form the current $Request transaction is coming from is your user properties form "UserProps".

    If the request is coming from this form, implement some code similar to the pseudo code below to retrieve the list of mailboxes that your user has access to:

    Function OnPreGet ($Request)
    {
        # Is this $Request coming from my user properties form?
        Try
        {
            $SourceForm = $Request.GetInControl("MyFormID")
        }
        Catch
        {
            # You need this to handle the cases where the in-process transaction is not coming from the user properties form
            return
        }
        # Only continue when the control value identifies the user properties form
        if ($SourceForm -ne "UserProps") { return }

        Try
        {
            $Session = <Establish a session with EOL in your M365 tenant>
        }
        Catch
        {
            # If the setup of the EOL session fails, terminate the script
            return
        }

        # Get the UPN / email of the in-process user
        $TargetUser = $DirObj.Get("mail")

        # Find all mailboxes where this user has permission.
        # -ResultSize Unlimited avoids the default 1000-mailbox cap; -ErrorAction Stop on both
        # cmdlets turns pipeline errors into terminating errors so the Catch block actually runs.
        # Only the mailbox identities are kept, since the VA is a multi-value string.
        Try
        {
            $ListofMailboxes = Get-Mailbox -ResultSize Unlimited -ErrorAction Stop |
                Get-MailboxPermission -User $TargetUser -ErrorAction Stop |
                Select-Object -ExpandProperty Identity
        }
        Catch
        {
            # If your attempt to pull the mailbox info fails, close your EOL session and terminate the script
            $Session | Remove-PSSession
            return
        }

        # Apply the returned list to the virtual property (wrapped in @() so a single result is still an array)
        Set-QADUser -Proxy -Identity $Request.DN -ObjectAttributes @{ edsvaMailboxAccessList = @($ListofMailboxes) }

        # Close your session with EOL
        $Session | Remove-PSSession
    } # End of OnPreGet handler

    Is this fairly advanced stuff?  Yes.

    Is what I suggested going to work the first time?  Nope - it will require some tweaking.
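The scheduled variant the note above mentions, as an added example that is not from the original post: one Get-Mailbox | Get-MailboxPermission pass is inverted into a trustee-to-mailboxes map, with the owner's SELF entry, inherited entries and Deny ACEs filtered out before the list is written to edsvaMailboxAccessList. Constructed sample records stand in for the cmdlet output; Get-QADUser -Email and the write loop are assumptions.

```powershell
# Added example (not from the original post): the scheduled/Automation-workflow variant.
# Assumes an open Exchange Online session and the ActiveRoles Management Shell; the
# VA name edsvaMailboxAccessList comes from the post, Get-QADUser -Email is an assumption.
function Build-MailboxAccessMap {
    param([Parameter(Mandatory)][object[]]$Permissions)
    $map = @{}
    foreach ($p in $Permissions) {
        $trustee = $p.User.ToString()
        # Drop what an access review does not want: the owner's implicit SELF entry,
        # entries inherited from the database, and Deny ACEs.
        if ($trustee -eq 'NT AUTHORITY\SELF' -or $p.IsInherited -or $p.Deny) { continue }
        $key = $trustee.ToLowerInvariant()   # case-fold so one user is one key
        if (-not $map.ContainsKey($key)) {
            $map[$key] = New-Object System.Collections.Generic.List[string]
        }
        $entry = '{0} ({1})' -f $p.Identity, ($p.AccessRights -join ',')
        if (-not $map[$key].Contains($entry)) { $map[$key].Add($entry) }
    }
    return $map
}

# Constructed sample records shaped like Get-MailboxPermission output, so the
# function runs without a tenant connection.
$sample = @(
    [pscustomobject]@{ Identity='shared-finance'; User='NT AUTHORITY\SELF';     AccessRights=@('FullAccess');     IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='shared-finance'; User='alice@contoso.example'; AccessRights=@('FullAccess');     IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='shared-finance'; User='bob@contoso.example';   AccessRights=@('FullAccess');     IsInherited=$true;  Deny=$false }
    [pscustomobject]@{ Identity='ceo';            User='alice@contoso.example'; AccessRights=@('FullAccess');     IsInherited=$false; Deny=$true  }
    [pscustomobject]@{ Identity='helpdesk';       User='Alice@contoso.example'; AccessRights=@('ReadPermission'); IsInherited=$false; Deny=$false }
)
$accessMap = Build-MailboxAccessMap -Permissions $sample

# In the real workflow, feed the live output instead:
#   Build-MailboxAccessMap -Permissions (Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission)
# Then write each trustee's list to the VA; -Proxy keeps the write inside Active Roles.
# Guarded so the sample part above still runs where the AR shell is not loaded.
if (Get-Command Set-QADUser -ErrorAction SilentlyContinue) {
    foreach ($trustee in $accessMap.Keys) {
        $dn = (Get-QADUser -Proxy -Email $trustee -ErrorAction SilentlyContinue).DN
        if ($dn) {
            Set-QADUser -Proxy -Identity $dn -ObjectAttributes @{ edsvaMailboxAccessList = @($accessMap[$trustee]) }
        }
    }
}
```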
