In this article, we will show how to manage mailbox or folder access permissions in on-prem Exchange Server and on Microsoft 365 (Exchange Online). Methods and PowerShell commands to manage mailbox/folder permissions in on-premises and cloud Exchange are almost the same (except for the differences in the EAC graphical interface), so I decided to collect all information useful for a system administrator in a single article.
In Exchange (both on-prem and cloud-based Microsoft 365), there are two levels of mailbox permissions:
- Mailbox-level permissions – allow granting full access to the mailbox contents and the right to send emails from it. On this level, the following privileges are available: Full Access, Send As, and Send on Behalf;
- Folder-level permissions – allow granularly assigning permissions to individual folders in a user or shared mailbox. For example, you can grant full access to manage items in the Calendar folder and only the privilege to view Inbox contents.
Let’s consider mailbox-level permissions in detail:
- Send As – allows sending emails from this mailbox (the recipient sees only the mailbox address);
- Send on Behalf – allows sending emails on behalf of the mailbox, while the actual sender is also shown in the From field;
- Full Access – allows accessing all items in the mailbox (but does not include sending from or on behalf of the mailbox).
Granting Mailbox Permissions in Exchange and Microsoft 365
You can assign Full Access, SendAs, and Send on behalf permissions through the EAC graphic interface. For example, open the Exchange Admin Center (https://admin.exchange.microsoft.com) in Microsoft 365 and go to Mailboxes.
- Find a user/room mailbox;
- Open its properties -> Mailbox permissions -> Manage mailbox delegation;
- In the next window, you can view or change current access permissions.
Exchange/Microsoft 365: Manage Mailbox Permissions Using PowerShell
In practice, an Exchange administrator rarely uses the EAC to manage mailbox permissions. It is much faster and more convenient to manage mailbox permissions via PowerShell.
Connect to your Exchange server or Microsoft 365 (Exchange Online) tenant:
- You can remotely connect to your on-premises Exchange server from the PowerShell console without installing Exchange Management Tools:
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://mun-exch1.woshub.com/PowerShell/ -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session
- To connect to Microsoft 365 with an MFA-enabled account, use the Exchange Online PowerShell module (EXOv2):
Connect-ExchangeOnline -UserPrincipalName [email protected]
For example, to grant full access permissions to a shared mailbox so that users can view its contents and send email messages, you need to assign them Full Access and Send As permissions.
The command below grants the user MaxBak Full Access permissions on the MullerH mailbox:
Add-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess -AutoMapping:$true -InheritanceType All
The following PowerShell command is used to grant Send As permissions:
Add-RecipientPermission [email protected] -AccessRights SendAs -Trustee [email protected]
To grant SendOnBehalf permissions, run this command:
Get-Mailbox [email protected] | Set-Mailbox -GrantSendOnBehalfTo [email protected]
You can assign permissions to multiple users at once. For example, let’s grant a user SendAs permissions on all mailboxes of a specific department:
Get-Recipient -Filter {(Department -eq "Financial Dept")} | Add-RecipientPermission -AccessRights SendAs -Trustee [email protected]
Or let’s grant Send As and Full Access permissions on a shared mailbox to all members of a specific Exchange distribution group (list):
$Members = Get-DistributionGroupMember -id MUNmarketing
ForEach ($Member in $Members)
{
Add-RecipientPermission John -AccessRights SendAs -Trustee $Member.name
Add-MailboxPermission -Identity [email protected] -User $Member.name -AccessRights FullAccess -AutoMapping:$true -InheritanceType All
}
List users with Full Access permissions on a mailbox:
Get-MailboxPermission -identity [email protected] |ft -AutoSize
To get a detailed report listing the users who have Full Access permissions on any mailbox in an Exchange organization (tenant), excluding the mailbox owner itself (NT AUTHORITY\SELF):
Get-Mailbox|Get-MailboxPermission | where {($_.AccessRights -like 'Full*') -and ($_.User -notlike "nt authority\self")} | Format-Table -Auto User,Deny,IsInherited,AccessRights
A report on SendOnBehalf permissions:
Get-Mailbox -ResultSize Unlimited | Where {$_.GrantSendOnBehalfTo -ne $null} | Select UserprincipalName,GrantSendOnBehalfTo
To display a list of users with SendAs permissions on a mailbox:
Get-RecipientPermission [email protected]
To list all mailboxes on which a specific user has been assigned SendAs privileges:
Get-Recipient | Get-RecipientPermission -Trustee MullerH@woshub.onmicrosoft.com | Select Identity, Trustee, AccessRights
To remove SendAs privileges on all mailboxes in the organization for the user:
Get-Recipient | Remove-RecipientPermission -AccessRights SendAs -Trustee [email protected]
To revoke mailbox permissions for a user:
Remove-MailboxPermission -identity [email protected] -accessrights:fullaccess -user [email protected]
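The three report commands above each cover one permission type. The function below (an added example, not code from the original article) combines them into a single delegation report per mailbox, which is what you usually want when reviewing who can read or send from whose mailbox. It assumes an Exchange Online session is already open (Connect-ExchangeOnline) and uses the same cmdlets as the article; on-prem Exchange reports Send As through Get-ADPermission instead of Get-RecipientPermission.

```powershell
# Added example (not from the original article). Assumes an Exchange Online session
# is already open. Produces one row per (mailbox, delegate, permission), skipping the
# SELF entry and inherited or Deny entries so only explicit delegation is listed.
function New-DelegationEntry([string]$Mailbox, [string]$Delegate, [string]$Permission) {
    [pscustomobject]@{ Mailbox = $Mailbox; Delegate = $Delegate; Permission = $Permission }
}

function Get-MailboxDelegationReport {
    param([string]$Filter)  # optional OPATH filter, e.g. "Department -eq 'Financial Dept'"
    $mailboxes = if ($Filter) { Get-Mailbox -ResultSize Unlimited -Filter $Filter }
                 else         { Get-Mailbox -ResultSize Unlimited }
    foreach ($mbx in $mailboxes) {
        $upn = $mbx.UserPrincipalName

        # Full Access: explicit, allowed, non-SELF entries only
        Get-MailboxPermission -Identity $upn |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and
                           -not $_.IsInherited -and -not $_.Deny -and
                           "$($_.User)" -notlike 'NT AUTHORITY\SELF' } |
            ForEach-Object { New-DelegationEntry $upn "$($_.User)" 'FullAccess' }

        # Send As (Exchange Online stores it as a recipient permission)
        Get-RecipientPermission -Identity $upn |
            Where-Object { $_.AccessRights -contains 'SendAs' -and
                           "$($_.Trustee)" -notlike 'NT AUTHORITY\SELF' } |
            ForEach-Object { New-DelegationEntry $upn "$($_.Trustee)" 'SendAs' }

        # Send on Behalf is a property of the mailbox object itself
        foreach ($d in $mbx.GrantSendOnBehalfTo) {
            New-DelegationEntry $upn "$d" 'SendOnBehalf'
        }
    }
}

# Example usage: export the whole tenant's delegation for review
Get-MailboxDelegationReport | Sort-Object Mailbox, Permission |
    Export-Csv -Path .\mailbox-delegations.csv -NoTypeInformation
```

Run it periodically and diff the CSV against the previous run: a newly appeared FullAccess or SendAs delegate that nobody requested is worth a closer look.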
How to Manage Folder-Level Permissions in Exchange (Microsoft 365) Mailbox?
You can grant your users access to any folder in their mailboxes. For example, you can allow a user to view the Inbox or edit any items in the Calendar folder.
Users can themselves grant access to a folder to other users through Outlook or OWA. Just click a folder name and select Permissions.
You will see a form that displays the current user access permissions on the folder. You can grant access to other users here. Click + and enter the name of the user you want to grant access to.
You can then select a level of access to the folder: either one of the predefined roles or a specific set of individual permissions.
The following roles are available (as collections of specific permissions):
| Role | Role Permissions |
|---|---|
| Author | CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems |
| Contributor | CreateItems, FolderVisible |
| Editor | CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems |
| None | FolderVisible |
| NonEditingAuthor | CreateItems, FolderVisible, ReadItems |
| Owner | CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems |
| PublishingEditor | CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems |
| PublishingAuthor | CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems |
| Reviewer | FolderVisible, ReadItems |
| AvailabilityOnly | Applies to the Calendar folder only. Allows viewing availability information (Free/Busy) |
| LimitedDetails | Applies to the Calendar folder only. Allows viewing availability, subject, and location |
A list of available individual permissions:
- CreateItems
- CreateSubfolders
- DeleteAllItems
- DeleteOwnedItems
- EditAllItems
- EditOwnedItems
- FolderContact
- FolderOwner
- FolderVisible
- ReadItems
An Exchange administrator can grant access to any user mailbox folder in PowerShell. The following command displays a list of available folders in a user mailbox:
Get-MailboxFolder -Identity [email protected] -Recurse
You can get a list of permissions assigned on a specific mailbox folder:
Get-MailboxFolderPermission -Identity "[email protected]:\Inbox"
The command below grants a user the right to see the list of folders in a mailbox (the Reviewer role on the mailbox root):
Add-MailboxFolderPermission -Identity [email protected]:\ -User [email protected] -AccessRights Reviewer
Note that subfolders do not inherit the permissions of their parent folder, so access to the root or to a parent folder does not by itself grant access to the folders below it.
To allow viewing Inbox contents, run this command:
Add-MailboxFolderPermission -Identity "[email protected]:\Inbox" -User [email protected] -AccessRights Reviewer
To grant full control over Calendar items (the Editor role):
Add-MailboxFolderPermission -Identity [email protected]:\Calendar -User [email protected] -AccessRights Editor
To remove permissions on a mailbox folder, the following command is used:
Remove-MailboxFolderPermission -Identity "[email protected]:\Inbox" -User [email protected]
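Because subfolders do not inherit folder permissions, two tasks come up repeatedly: auditing which folders in a mailbox are actually exposed (in particular to the Default and Anonymous entries), and applying a role to a folder tree rather than one folder. The script below is an added example, not code from the original article. It assumes an open Exchange Online or on-prem remote PowerShell session, and it enumerates folders with Get-MailboxFolderStatistics (which an admin can run against any mailbox) and converts its FolderPath to the `user:\Folder\Subfolder` identity form used by the *-MailboxFolderPermission cmdlets.

```powershell
# Added example (not from the original article). Assumes an Exchange session is open.
# Lists folder identities of a mailbox in the "user:\Inbox\Sub" form.
function Get-MailboxFolderIdentities {
    param([Parameter(Mandatory)][string]$Mailbox)
    Get-MailboxFolderStatistics -Identity $Mailbox |
        Where-Object { $_.FolderType -ne 'Root' -and
                       $_.FolderPath -notlike '/Recoverable Items*' } |
        ForEach-Object { "${Mailbox}:" + ($_.FolderPath -replace '/', '\') }
}

# Audit: one row per folder permission entry; Exposed is $true when Default or
# Anonymous has anything beyond None/AvailabilityOnly (i.e. contents are readable).
function Get-MailboxFolderAccessReport {
    param([Parameter(Mandatory)][string]$Mailbox)
    foreach ($folderId in Get-MailboxFolderIdentities -Mailbox $Mailbox) {
        Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue |
            ForEach-Object {
                $user   = "$($_.User)"
                $rights = $_.AccessRights -join ','
                [pscustomobject]@{
                    Folder       = $folderId
                    User         = $user
                    AccessRights = $rights
                    Exposed      = ($user -in @('Default', 'Anonymous')) -and
                                   ($rights -notin @('None', 'AvailabilityOnly'))
                }
            }
    }
}

# Apply a role to a folder and all of its subfolders (Set- if the user already has
# an entry on that folder, Add- otherwise), since inheritance will not do it for you.
function Set-MailboxFolderPermissionRecursive {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$FolderPath,   # e.g. '\Inbox'
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$AccessRights  # e.g. 'Reviewer'
    )
    $prefix = "${Mailbox}:$FolderPath"
    Get-MailboxFolderIdentities -Mailbox $Mailbox |
        Where-Object { $_ -eq $prefix -or $_.StartsWith("$prefix\") } |
        ForEach-Object {
            $existing = Get-MailboxFolderPermission -Identity $_ -User $User -ErrorAction SilentlyContinue
            if ($existing) { Set-MailboxFolderPermission -Identity $_ -User $User -AccessRights $AccessRights }
            else           { Add-MailboxFolderPermission -Identity $_ -User $User -AccessRights $AccessRights }
        }
}
```

Typical use: `Get-MailboxFolderAccessReport -Mailbox [email protected] | Where-Object Exposed` to find folders readable by everyone in the organization, and `Set-MailboxFolderPermissionRecursive -Mailbox [email protected] -FolderPath '\Inbox' -User [email protected] -AccessRights Reviewer` to grant read access to the Inbox tree.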