Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Exchange / Managing Mailbox and Folder Permissions in Exchange and Microsoft 365

December 27, 2021 ExchangeMicrosoft 365PowerShell

Managing Mailbox and Folder Permissions in Exchange and Microsoft 365

In this article, we will show how to manage mailbox or folder access permissions in on-prem Exchange Server and on Microsoft 365 (Exchange Online). Methods and PowerShell commands to manage mailbox/folder permissions in on-premises and cloud Exchange are almost the same (except for the differences in the EAC graphical interface), so I decided to collect all information useful for a system administrator in a single article.

In Exchange (both on-prem and cloud-based Microsoft 365), there are two levels of mailbox permissions:

  • Mailbox-level permissions – allow to grant full access to the mailbox contents and sending emails. On this level, the following privileges are available: Full Access, SendAs, and Send on Behalf;
  • Folder-level permissions – allow to granularly assign permissions to folders in a user or shared mailbox. For example, you can grant full access to manage items in the Calendar folder and a privilege to view Inbox contents.

Let’s consider mailbox-level permissions in detail:

  • Send As – allows to send emails from this mailbox;
  • Send on Behalf – allows to send emails on behalf of the mailbox, while the actual sender is shown in the From field;
  • Full Access – allows accessing all items in the mailbox (except sending on behalf of the mailbox)

Contents:
  • Granting Mailbox Permissions in Exchange and Microsoft 365
  • Exchange/Microsoft 365: Manage Mailbox Permissions Using PowerShell
  • How to Manage Folder-Level Permissions in Exchange (Microsoft 365) Mailbox?

Granting Mailbox Permissions in Exchange and Microsoft 365

You can assign Full Access, SendAs, and Send on behalf permissions through the EAC graphic interface. For example, open the Exchange Admin Center (https://admin.exchange.microsoft.com) in Microsoft 365 and go to Mailboxes.

  1. Find a user/room mailbox;
  2. Open its properties -> Mailbox permissions -> Manage mailbox delegation;Manage mailbox delegation in Exchange Admin Center
  3. In the next window, you can view or change current access permissions. assigned mailbox permissions in Microsoft 365

Exchange/Microsoft 365: Manage Mailbox Permissions Using PowerShell

Typically, an Exchange administrator rarely used EAC to manage mailbox permissions. It is much faster and more convenient to manage mailbox permissions via PowerShell.

Connect to your Exchange server or Microsoft 365 (Exchange Online) tenant:

  1. You can remotely connect to your on-premises Exchange server from the PowerShell console without installing Exchange Management Tools:$UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://mun-exch1.woshub.com/PowerShell/ -Authentication Kerberos -Credential $UserCredential
    Import-PSSession $Session
  2. To connect to Microsoft 365 with an MFA-enabled account, use the Exchange Online PowerShell module (EXOv2):
    Connect-ExchangeOnline -UserPrincipalName maxbak@woshub.onmicrosoft.com

For example, to grant full access permissions to a shared mailbox so that users can view its contents and send email messages, you need to assign them Full Access and Send As permissions.

The command below grants the MaxBak Full Access permissions to the MullerH mailbox:

Add-MailboxPermission -Identity maxbak@woshub.onmicrosoft.com -User MullerH@woshub.onmicrosoft.com -AccessRights FullAccess -AutoMapping:$true -InheritanceType All

Add-MailboxPermission FullAccess AutoMapping

The following PowerShell command is used to grant Send As permissions:

Add-RecipientPermission maxbak@woshub.onmicrosoft.com -AccessRights SendAs -Trustee MullerH@woshub.onmicrosoft.com

Manage Send As Permissions using PowerShell Add-RecipientPermission cmdlet

To grant SendOnBehalf permissions, run this command:

Get-Mailbox maxbak@woshub.onmicrosoft.com | Set-Mailbox -GrantSendOnBehalfTo MullerH@woshub.onmicrosoft.com

You can assign permissions to multiple users at once. For example, let’s grant a user SendAs permissions on all mailboxes of a specific department:

Get-Recipient -Filter {(Department -eq "Financial Dept")} | Add-RecipientPermission -AccessRights SendAs –Trustee MullerH@woshub.onmicrosoft.com

Or let’s grant Full Access permissions to a shared mailbox for all members of a specific Exchange distribution group (list):

$Members = Get-DistributionGroupMember -id MUNmarketing
ForEach ($Member in $Members)
{
Add-RecipientPermission John -AccessRights SendAs –Trustee $Member.name
Add-MailboxPermission -Identity MUNmarkets@woshub.onmicrosoft.com -User $Member.name -AccessRights FullAccess -AutoMapping:$true -InheritanceType All
}

List users with Full Access permissions on a mailbox:

Get-MailboxPermission -identity maxbak@woshub.onmicrosoft.com |ft -AutoSize

Reporting Exchange Online Mailbox Permissions

To get a detailed report with a list of users having Full Access permissions on any other mailboxes in an Exchange organization (tenant):

Get-Mailbox|Get-MailboxPermission | where {($_.AccessRights -like 'Full*') -and ($_.User -notlike "nt authority\self")} | Format-Table -Auto User,Deny,IsInherited,AccessRights

Exchange PowerShell: List Users With Access to Other Mailboxes

A report on SendOnBehalf permissions:

Get-Mailbox –ResultSize Unlimited | Where {$_.GrantSendOnBehalfTo -ne $null} | Select UserprincipalName,GrantSendOnBehalfTo

To display a list of users with SendAs permissions on a mailbox:

Get-RecipientPermission maxbak@woshub.onmicrosoft.com

List of all mailboxes to which a specific user has been assigned SendAs privileges:

Get-Recipient | Get-RecipientPermission -Trustee MullerH@woshub.onmicrosoft.com | Select Identity, Trustee, AccessRights

List mailboxes with SendAs permission assigned

To remove SendAs privileges on all mailboxes in the organization for the user:

Get-Recipient | Remove-RecipientPermission -AccessRights SendAs –Trustee MullerH@woshub.onmicrosoft.com

To revoke mailbox permissions for a user:

Remove-MailboxPermission -identity maxbak@woshub.onmicrosoft.com -accessrights:fullaccess -user MullerH@woshub.onmicrosoft.com

How to Manage Folder-Level Permissions in Exchange (Microsoft 365) Mailbox?

You can grant your users access to any folder in their mailboxes. For example, you can allow a user to view the Inbox or edit any items in the Calendar folder.

Users can themselves grant access to a folder to other users through Outlook or OWA. Just click a folder name and select Permissions.

change folder permission settings in Outlook

You will see a form that displays the current user access permissions on the folder. You can grant access to other users here. Click + and enter the name of the user you want to grant access to.

add permissions on outlook folder

You can select a level of access to the folder. You can select one of the predefined roles or assign specific permission.

The following roles are available (as collections of specific permissions):

Role Role Permissions
Author CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
Contributor CreateItems, FolderVisible
Editor CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
None FolderVisible
NonEditingAuthor CreateItems, FolderVisible, ReadItems
Owner CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
PublishingEditor CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
PublishingAuthor CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
Reviewer FolderVisible, ReadItems
AvailabilityOnly Applied to the Calendar folder only. Allows to view availability information (Free/Busy)
LimitedDetails Applied to the Calendar folder only. Allows to view availability, theme, and location

A list of available individual permissions:

  • CreateItems
  • CreateSubfolders
  • DeleteAllItems
  • DeleteOwnedItems
  • EditAllItems
  • EditOwnedItems
  • FolderContact
  • FolderOwner
  • FolderVisible
  • ReadItems

Outlook Permission Levels

An Exchange administrator can grant access to any user mailbox folder in PowerShell. The following command displays a list of available folders in a user mailbox:

Get-MailboxFolder -Identity maxbak@woshub.onmicrosoft.com -Recurse

Get-MailboxFolder - list folders in Exchange mailbox

Note the names of default Outlook folders, they may differ depending on the regional settings of a mailbox.

You can get a list of permissions assigned on a specific mailbox folder:

Get-MailboxFolderPermission -Identity "maxbak@woshub.onmicrosoft.com:\Inbox"

Get-MailboxFolderPermission - view folder-level permissions in mailbox

The command below allows to view a list of folders in a mailbox:

Add-MailboxFolderPermission -Identity maxbak@woshub.onmicrosoft.com:\ -User MullerH@woshub.onmicrosoft.com -AccessRights Reviewer

Subfolders do not inherit the permissions of their parent folder.

To allow viewing Inbox contents, run this command:

Add-MailboxFolderPermission -Identity "maxbak@woshub.onmicrosoft.com:\Inbox" -User MullerH@woshub.onmicrosoft.com -AccessRights Reviewer

To grant Full Access to the Calendar:

Add-MailboxFolderPermission -Identity maxbak@woshub.onmicrosoft.com:\Calendar -User MullerH@woshub.onmicrosoft.com -AccessRights Editor

Add-MailboxFolderPermission modify existing mailbox folder permissions in Exchange mailbox

To remove permissions on a mailbox folder, the following command is used:

Remove-MailboxFolderPermission -Identity "maxbak@woshub.onmicrosoft.com:\Inbox" –user MullerH@woshub.onmicrosoft.com

0 comment
1
Facebook Twitter Google + Pinterest
previous post
How to Hide Installed Programs in Windows 10 and 11?
next post
Find Windows Version, Edition, and Build from ISO or WIM file

Related Reading

Using Previous Command History in PowerShell Console

January 31, 2023

How to Install the PowerShell Active Directory Module...

January 31, 2023

Finding Duplicate E-mail (SMTP) Addresses in Exchange

January 27, 2023

How to Disable or Uninstall Internet Explorer (IE)...

January 26, 2023

How to Delete Old User Profiles in Windows?

January 25, 2023

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configure User’s Folder Redirection with Group Policy

    February 3, 2023
  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Outlook Keeps Asking for Password on Windows
  • How to Manually Configure Exchange or Microsoft 365 Account in Outlook 365/2019/2016?
  • Whitelist Domains and Email Addresses on Exchange Server and Microsoft 365
  • How to Cleanup, Truncate or Move Log Files in Exchange Server 2013/2016/2019?
  • Moving Exchange Mailboxes to Different Database
  • Fix: Microsoft Outlook Search Not Working on Windows 10/11
  • How to Delete or Rename Default Mailbox Database in Exchange Server?
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top