The Mailbox Auto-Mapping feature in on-premises Exchange Server and Exchange Online (Microsoft 365) is used to automatically connect shared mailboxes to an Outlook profile. When Outlook starts, it gets a list of additional mailboxes to map according to the AlternateMailbox attribute in Autodiscover. Outlook automatically connects shared mailboxes with Full Access permissions for the current user.
This is a useful feature because users don’t need to manually connect additional shared mailboxes in the Outlook settings. Up to 10 mailboxes can be mounted using the auto-mapping feature (Outlook restriction). But there is another problem: users cannot themselves remove mailboxes that were connected through auto-mapping from their Outlook profile.
The auto-mapping for shared mailboxes in Exchange is based on two multivalued user attributes in Active Directory DS:
- msExchDelegateListLink – shared mailbox attribute. Contains a list of Distinguished Names of user accounts that have been granted Full Access permissions to this mailbox;
- msExchDelegateListBL – user attribute. Contains a list of mailboxes to which this user has Full Access rights.
When you grant full access to an Exchange mailbox (by using the Add-MailboxPermission cmdlet or from the Exchange Admin Center), these attributes are automatically updated on both the user and the mailbox.
You can get the values for these attributes in the user Attribute Editor in the ADUC (dsa.msc) console or by using the Get-ADUser cmdlet.
You cannot view the msExchDelegateListBL and msExchDelegateListLink attributes in Exchange Online (Microsoft 365) because they are hidden by the Azure layer.
List the shared mailboxes that are automatically connected in a user’s Outlook:
Get-ADUser maxbak -Properties msExchDelegateListBL | Select -ExpandProperty msExchDelegateListBL
List the users to whose Outlook the shared mailbox automatically connects:
Get-ADUser finance_de -Properties msExchDelegateListLink | Select -ExpandProperty msExchDelegateListLink
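You can manually change the value of these attributes using the Set-ADUser cmdlet. For example, you can automatically connect a shared mailbox with read-only permissions.
# msExchDelegateListBL is a back-link that AD maintains itself; write the user's DN to the forward link on the shared mailbox
Set-ADUser -Identity finance_de -Add @{msExchDelegateListLink=(Get-ADUser maxbak).DistinguishedName}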
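An added example (not from the original article): a small audit helper that compares a shared mailbox's msExchDelegateListLink values with the accounts that hold explicit FullAccess, so that automapping entries without a matching permission entry, and FullAccess grants with automapping off, stand out. The function name Compare-AutoMapping, the example.com DNs and the commented live query are assumptions made for illustration.

```powershell
# Added example, not from the original article. All DNs below are constructed.
function Compare-AutoMapping {
    param(
        [string[]]$DelegateDNs   = @(),  # values of msExchDelegateListLink
        [string[]]$FullAccessDNs = @()   # DNs of accounts holding explicit FullAccess
    )
    # -contains and Sort-Object -Unique compare case-insensitively, as DNs do.
    foreach ($dn in (@($DelegateDNs) + @($FullAccessDNs) | Sort-Object -Unique)) {
        $mapped  = $DelegateDNs   -contains $dn
        $granted = $FullAccessDNs -contains $dn
        $finding = if ($mapped -and -not $granted) { 'Mapped, no FullAccess entry' }
                   elseif ($granted -and -not $mapped) { 'FullAccess, automapping off' }
                   else { 'Consistent' }
        [pscustomobject]@{
            User       = $dn
            AutoMapped = $mapped
            FullAccess = $granted
            Finding    = $finding
        }
    }
}

# Offline demonstration with constructed data.
$link = 'CN=maxbak,OU=Users,DC=example,DC=com',
        'CN=TestUser2,OU=Users,DC=example,DC=com'
$acl  = 'cn=maxbak,ou=users,dc=example,dc=com',
        'CN=TestUser1,OU=Users,DC=example,DC=com'
Compare-AutoMapping -DelegateDNs $link -FullAccessDNs $acl | Format-Table -AutoSize

# Live use on-premises (assumes the ActiveDirectory module, an Exchange
# session, and that every delegate is a user account, not a group):
# $link = (Get-ADUser finance_de -Properties msExchDelegateListLink).msExchDelegateListLink
# $acl  = Get-MailboxPermission finance_de |
#     Where-Object { "$($_.AccessRights)" -like '*FullAccess*' -and -not $_.IsInherited -and
#                    -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\*' } |
#     ForEach-Object { (Get-ADUser ($_.User.ToString().Split('\')[-1])).DistinguishedName }
# Compare-AutoMapping -DelegateDNs $link -FullAccessDNs $acl
```

A "Mapped, no FullAccess entry" row points to a link that was written directly to the attribute or left behind after a permission change, which is worth reviewing when auditing mailbox delegation.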
When a user tries to remove a shared mailbox connected via Auto-Mapping, Outlook shows the following error:
This group of folders is associated with an e-mail account. To remove the account, click the File Tab, and on the Info tab, click Account Settings. Select the e-mail account, and then click Remove.
These mailboxes also don’t appear in the Outlook profile settings under the Additional Mailboxes section of the Advanced tab. To remove such a shared mailbox in Outlook, you will have to disable automapping using PowerShell.
You can disable Outlook Auto-Mapping for a specific shared mailbox in Exchange using PowerShell. Connect to your on-prem Exchange Server using EMS or remotely from the PowerShell console:
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://mun-mbex1.woshub.com/PowerShell/ -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session
For example, to grant TestUser1 Full Access permissions to SharedMBX mailbox and disable Auto Mapping in Outlook, use this command:
Add-MailboxPermission -Identity SharedMBX -User TestUser1 -AccessRights FullAccess -InheritanceType All -AutoMapping $False
This cmdlet clears the mailbox references in the msExchDelegateListBL and msExchDelegateListLink attributes.
If the permissions have already been granted, you will have to revoke them first and then reassign them:
Remove-MailboxPermission -Identity SharedMBX -User TestUser1 -AccessRights FullAccess -InheritanceType All
Add-MailboxPermission -Identity SharedMBX -User TestUser1 -AccessRights FullAccess -InheritanceType All -AutoMapping $False
The following script disables Auto-Mapping for all users who have permissions on a certain shared mailbox:
# Select explicit (non-inherited) FullAccess entries; skip the mailbox's own NT AUTHORITY\SELF entry
$FixAutoMapping = Get-MailboxPermission SharedMBX | Where-Object {$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $False -and $_.User -notlike "NT AUTHORITY\SELF"}
$FixAutoMapping | Remove-MailboxPermission
$FixAutoMapping | ForEach {Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights:FullAccess -AutoMapping $False}
In Exchange Online (Microsoft 365), you can also enable or disable automatic mapping of shared mailboxes by using the Add-MailboxPermission cmdlet.
Connect to your tenant using the EXOv2 PowerShell module:
Connect-ExchangeOnline
In order to grant permissions and disable automapping for a shared mailbox in Microsoft 365:
Add-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess -AutoMapping:$False
Accordingly, if you need to enable mailbox automapping in Outlook, use the -AutoMapping:$True parameter.
In Microsoft 365, you can clear the AutoMapping attribute with this command:
Remove-MailboxPermission sales_de -ClearAutoMapping -Confirm:$False
After that, the mailbox will automatically map only to the mailbox owner’s Outlook profile.