You might think that a user’s delegate permissions on other mailboxes are removed when the account is deleted from Azure Active Directory; in my case they were not.
Scenario:
Location – Calendar folder ‘manoj@mantoso.live:\Calendar’
Delegated editor permissions granted to – ‘Marie Jonas’ (abandoned identity, AD account already deleted)
Even though this account was permanently deleted from Azure AD 30 days after being marked for deletion, its delegated (editor) access to other users’ Exchange mailboxes remained intact, which caused the following odd behaviours that I had to get rid of.
- Others could still see this user’s name in calendar invites
- Possibly in other places too, depending on the permissions the user held before deletion
Here’s the PowerShell command to fetch the permissions on a specific folder. It lists all delegated permissions on Manoj’s Exchange calendar. In my case, the abandoned user also showed up in the results.
Get-EXOMailboxFolderPermission "manoj@mantoso.live:\calendar"
Now, to narrow the results down to this mysterious user, run this command:
Get-EXOMailboxFolderPermission "manoj@mantoso.live:\calendar" | where {$_.user.tostring() -like "Marie Jonas*"}
This means the permission entry is still intact even though the account was permanently deleted, which is a mystery. To get rid of it, use the command below. I tried several other approaches from various Microsoft articles and forum posts, but none of them worked except the following.
Get-EXOMailboxFolderPermission "<user@domain.com:\calendar>" | where {$_.user.tostring() -like "<FirstName LastName>*"} | Remove-MailboxFolderPermission -Confirm:$False
After that ran with no errors or warnings, I ran the Get command again to verify that it really had worked. Nothing was returned, which means the permissions for the abandoned identity ‘Marie Jonas’ are now cleared.
After a couple of hours, her name disappeared from the calendar invites as well.
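As an added example (not the post’s own code), here is a script that applies the same check across every user mailbox, so a leaver’s leftover calendar entries can be reported first and removed only once the list looks right. It assumes an existing Connect-ExchangeOnline session with the EXO module; the function name and its parameters are my own.

```powershell
# Added example: audit every user mailbox's Calendar folder for delegate entries
# left behind by a deleted account and, optionally, remove them.
# Assumes Connect-ExchangeOnline has already been run in this session.
# $DisplayName is the leaver's display name as it still appears in the folder ACL.
function Find-OrphanedCalendarDelegate {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [switch] $Remove
    )

    $pattern  = "$DisplayName*"
    $findings = @()

    # -ResultSize Unlimited avoids the default cap on returned mailboxes.
    $mailboxes = Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

    foreach ($mbx in $mailboxes) {
        $folder = "$($mbx.PrimarySmtpAddress):\Calendar"
        try {
            $entries = Get-EXOMailboxFolderPermission -Identity $folder -ErrorAction Stop |
                Where-Object { $_.User.ToString() -like $pattern }
        } catch {
            Write-Warning "Could not read $folder : $($_.Exception.Message)"
            continue
        }

        foreach ($entry in $entries) {
            $findings += [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                Folder       = $folder
                User         = $entry.User.ToString()
                AccessRights = ($entry.AccessRights -join ',')
            }
            if ($Remove) {
                # Pipe the permission object itself, mirroring the approach in the post,
                # rather than passing -User by a name that no longer resolves in AD.
                $entry | Remove-MailboxFolderPermission -Confirm:$false
            }
        }
    }
    return $findings
}

# Report first; re-run with -Remove only after reviewing the output.
Find-OrphanedCalendarDelegate -DisplayName 'Marie Jonas' | Format-Table -AutoSize
# Find-OrphanedCalendarDelegate -DisplayName 'Marie Jonas' -Remove
```

Running the report without -Remove before an account is deleted gives the same kind of pre-departure inventory, limited to calendar folders, that the comment below asks about.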
Is there a command to view what permissions overall a leaver had? Something that would list all their permissions to all other users’ mailboxes so access could be removed prior to leaving?