How to Use Get-CASMailbox in Powershell

Managing mailbox access in Exchange is crucial for security, troubleshooting, and compliance. Whether you're ensuring users can connect through Outlook, mobile devices, or webmail, the Get-CASMailbox cmdlet is an essential tool for Exchange administrators.
Today, we’ll walk through how to use Get-CASMailbox step by step, with practical examples to help you make the most of this powerful cmdlet.
What is the Get-CASMailbox Command?
The Get-CASMailbox cmdlet in Exchange PowerShell is used to retrieve client access settings for mailboxes, including configurations for Outlook on the web, Exchange ActiveSync, POP3, IMAP4, and MAPI.
It helps administrators check which protocols are enabled or disabled for a specific user or a group of users, making it useful for troubleshooting and managing mailbox access. This cmdlet works in both on-premises Exchange and Exchange Online, but Microsoft recommends using Get-EXOCASMailbox for cloud environments.
Here’s the syntax for Get-CASMailbox:
What Can You Use the Get-CASMailbox Cmdlet For?
The Get-CASMailbox cmdlet is a handy tool when used correctly. Let’s take a quick look at three things you can do with this command:
- Check Mailbox Access Settings: You can use Get-CASMailbox to determine which client access protocols are enabled for each mailbox. For example, if a user is unable to connect using Outlook on the web, running this cmdlet will confirm whether OWA is enabled for their account. This is useful for both troubleshooting and auditing purposes, especially in environments where access policies are strictly controlled.
- Enforce Security Policies: Some legacy protocols like IMAP and POP3 can pose security risks if left enabled unnecessarily. With Get-CASMailbox, administrators can identify which mailboxes still have these protocols turned on and take action to disable them using Set-CASMailbox. This helps organizations maintain compliance with security best practices and prevent unauthorized access.
- Troubleshoot Connection Issues: If a user reports issues connecting to their mailbox through a specific client, running Get-CASMailbox can help pinpoint the problem. For instance, if a mobile user is unable to sync their email, checking their ActiveSync status can reveal whether the feature is enabled for their account.
Prerequisites to Run the Get-CASMailbox Cmdlet
Before you can run the Get-CASMailbox cmdlet in Exchange, you need to meet the following requirements:
- Required Permissions: You must be assigned the "Recipient Read" permission in Exchange. Without the proper role assignment, you'll receive an error when attempting to run the cmdlet.
- Exchange Environment: The Get-CASMailbox cmdlet is available in Exchange Server 2010, 2013, 2016, 2019, and Exchange Online. Ensure you’re working within a supported environment, as older or misconfigured Exchange versions may not support it.
- Exchange Management Tools: If you're running this cmdlet in an on-premises Exchange environment, you need to use the Exchange Management Shell (EMS). In Exchange Online, you must first connect via Exchange Online PowerShell using Connect-ExchangeOnline.
- Mailbox Existence: The mailbox you’re querying must exist and be licensed (for Exchange Online). Running the cmdlet on a nonexistent or disabled mailbox will return an error.
How to Use the Get-CASMailbox Cmdlet in 4 Steps
If you need to check which Client Access (CAS) protocols are enabled for a mailbox in Exchange, use the Get-CASMailbox cmdlet. Let’s check out four quick steps to use this command ASAP!
Step 1: Connect to Your Exchange Environment
Before running the cmdlet, you need to be connected to Exchange. The method depends on whether you’re working with an on-premises Exchange Server or Exchange Online.
For Exchange Online: Open PowerShell and establish a session using this cmdlet:
Replace [email protected] with your actual admin account. Once connected, you’ll be able to run Get-CASMailbox.
Step 2: Retrieve CAS Settings for a Specific Mailbox
Now, it’s time to run the command. This is simple— to check the CAS protocol settings for an individual user, run the following command:
This returns details about James’s mailbox, showing whether services like ActiveSync, OWA, POP3, and IMAP are enabled.
- ActiveSyncEnabled: Shows if mobile devices can sync via Exchange ActiveSync.
- OWAEnabled: Indicates if Outlook on the web is allowed.
- MAPIEnabled: Controls whether MAPI (Outlook desktop app access) is permitted.
- IMAPEnabled & POPEnabled: Determine if the mailbox can use IMAP or POP clients.
If a user has trouble accessing their email through a specific method, this command helps determine whether a protocol is disabled.
Step 3: List All Mailboxes with a Specific CAS Setting
Suppose you need to find all mailboxes with IMAP enabled because you plan to disable it for security reasons. You can filter results like this:
This lists every mailbox with IMAP access turned on. You can modify the filter to check other settings, such as users with ActiveSync disabled:
This is useful for identifying accounts that might be restricted from using mobile devices for security reasons or troubleshooting why a user can't connect via their phone.
Step 4: Export the Results for Reporting or Auditing
If you need to generate a report of all mailboxes and their CAS settings, export the data to a CSV file for analysis. To do this, run:
This creates a CSV file listing each mailbox along with its protocol settings, which can be opened in Excel for review. If you need to send this report to your security or IT team, this is an efficient way to gather the required data.
Wrapping Up: Using Get-CASMailbox in PowerShell
The Get-CASMailbox cmdlet is a powerful way to audit and troubleshoot mailbox access in Exchange. Whether you’re checking individual users, filtering based on settings, or exporting reports, this cmdlet provides essential insights into mailbox configurations.
Knowing how to use this command effectively will save you time and help you manage Exchange security and user access more efficiently, and now you have all the tools you need to do it.