Just ran into this today where there was a discrepancy between the permissions that were showing up in the Office 365 Admin Portal, in the Exchange Admin Center, and in PowerShell.
From the Exchange Admin Center, you could only see a single user added with Full Access:
However, if you look at the Office 365 Portal, it shows that there are two users with the “Read and manage” permission:
Looking at the permissions in PowerShell, I noticed something interesting… the user that is not showing up in the EAC has a Deny: True attached to their permissions:
Even weirder still, trying to remove those mailbox permissions just gave me an error, like so:
I figured I’d try to see if I could update those permissions and change the Deny from True to False, but no success. I also tried adding the user back in to reset their permissions, and they only got added a second time, and now had both a Deny -eq True and a Deny -eq False entry!
Eventually this is what fixed it for me:
Remove-MailboxPermission -Identity user -User delegate -AccessRights FullAccess -Deny
Remember that in this cmdlet, “-Identity” is the mailbox you want to edit permissions on, and “-User” is the person you’re either adding permissions for, or removing their existing permissions. As soon as I ran that command, it removed the Deny permissions, and left the Allow permissions intact. Better still, the Admin Portal, Exchange Admin Center and PowerShell all told the same story again!
I don’t know how those Deny permissions got on there in the first place, but ultimately, remember this – if you come across a user with funky permissions, and the Deny -eq True… the Deny permissions are going to always overrule any Allow permissions that have been granted. Deal with those ones first, and all will be well with the world again.