Full Access Mailbox permission – Everything You Always Wanted to Know About But Were Afraid to Ask part 2/3

In this article, we will review examples of different scenarios for using the Full Access mailbox permission.
For example: assigning Full Access mailbox permissions to a user on another user's mailbox, assigning Full Access mailbox permissions to a user on all the user mailboxes (bulk mode), assigning Full Access mailbox permissions to a user on a filtered list of mailboxes, and much more.

PowerShell | Help & additional information

If you are a novice in the PowerShell environment, you can use the following link to get more information about the “first steps”, such as downloading the required PowerShell software components, how to use the PowerShell console, running a PowerShell script, etc.
PowerShell Naming Conventions & general information

If you want more information about the naming conventions that we use in this article, and some general tips about how to work with PowerShell, read the article: Help and additional information – o365info.com PowerShell articles

Create remote PowerShell session

Before we can use the required PowerShell commands, we need to download and install the Office 365 cmdlets and create a remote PowerShell session to Office 365 or Exchange Online. If you need more information about how to create a remote PowerShell session, read the following articles: Part 2: Connect to Office 365 by using Remote PowerShell and Part 3: Connect to Exchange Online by using Remote PowerShell

How to use a PowerShell script

Most of the PowerShell articles include a PowerShell script that simplifies the use of the PowerShell commands. If you want more information about how to use a PowerShell script, read the article: Connect to Office 365 and Exchange Online using a script

PowerShell command and script language in more detail

If you are new to the PowerShell world, you can read more about PowerShell in the Office 365 environment in the article: The Power of PowerShell


Scenario 1: Assign Full Access permissions to User Mailbox


We will start with the most basic scenario of using mailbox permissions.

In this example, we need to provide Alice Full Access to her manager's mailbox (John).
As mentioned before, it’s recommended to add the -InheritanceType All parameter to the basic PowerShell command, so that Alice also gets access to any new mail folder that John creates in the future.
We don’t need to add the AutoMapping option because AutoMapping is enabled by default. In other words, after executing the following PowerShell command, John’s mailbox will be added automatically to Alice's Outlook mail profile.

PowerShell command syntax

PowerShell command example

Scenario 2: Assign Full Access permissions to a User on all Mailboxes (Bulk mode)


Our task is to provide Alice Full Access mailbox permissions to all the user mailboxes.
In this scenario, we should consider disabling the default AutoMapping option, because the underlying assumption is that Alice will need access to the user mailboxes only from time to time, based on a specific requirement, and we don’t want tens or hundreds of mailboxes to be added automatically to Alice's Outlook mail profile.

  1. In the first part of the PowerShell command, we ask PowerShell to get a list (a collection) of all the Exchange Online mailboxes. The output from the first part is piped to the second part of the PowerShell command.
  2. In the second part, we assign Alice a Full Access mailbox permission on all the mailboxes (the mailbox list that we got from the first part of the PowerShell command).
  3. Get-Mailbox -ResultSize unlimited – when we use the Get-Mailbox command, the default is to return the first 1,000 mailboxes. If you manage an enterprise organization that has more than 1,000 mailboxes, you need to add the option Get-Mailbox -ResultSize unlimited to get a list of all the existing mailboxes.

PowerShell command example


Scenario 3: Assign mailbox permissions to a user on a Filtered list member’s mailbox

In the following section, we review scenarios in which we want to provide a Full Access mailbox permission to a user on a filtered list of mailboxes.

Scenario 3.1 – Assign Full Access permissions to a User on multiple Exchange mailboxes | Only users mailboxes

Our task is to provide Alice Full Access mailbox permissions to a filtered list of mailboxes. We want to provide Alice Full Access permission only to user mailboxes.
(In the Exchange environment, there are additional types of mailboxes, such as room mailbox, resource mailbox, shared mailbox and so on.)

  • AutoMapping – the additional requirement is to disable the AutoMapping option. As mentioned before, the AutoMapping feature is enabled by default. In our scenario, we don’t want to use the AutoMapping option because we want to avoid a situation in which Alice's Outlook mail profile includes tens or hundreds of mailboxes. We implement this requirement by using the parameter: -AutoMapping $False
PowerShell command example
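
The bulk grant described in Scenario 2 and Scenario 3.1, written as an added example that is not the article's original command. It assumes a connected Exchange Online PowerShell session; the variable names and the report path are illustrative.

```powershell
# Added example (not from the original article).
# Assumes a connected Exchange Online PowerShell session.
$Delegate = Get-Mailbox -Identity 'Alice'      # the delegate used in the article

# Scenario 2 takes every mailbox; Scenario 3.1 narrows the list to user
# mailboxes only (no room, resource or shared mailboxes).
# -ResultSize Unlimited lifts the default limit of 1,000 returned mailboxes.
$Targets = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.PrimarySmtpAddress -ne $Delegate.PrimarySmtpAddress }  # skip Alice's own mailbox

# Parameters shared by every grant; AutoMapping is switched off so that
# hundreds of mailboxes are not added to Alice's Outlook profile.
$Grant = @{
    User            = $Delegate.PrimarySmtpAddress
    AccessRights    = 'FullAccess'
    InheritanceType = 'All'
    AutoMapping     = $false
}

# Dry run first: -WhatIf lists what would change without granting anything.
$Targets | Add-MailboxPermission @Grant -WhatIf

# Real run: grant per mailbox and keep a record of every assignment,
# so the bulk permission can be reviewed and removed later.
$Report = foreach ($Mailbox in $Targets) {
    try {
        Add-MailboxPermission -Identity $Mailbox.PrimarySmtpAddress @Grant -ErrorAction Stop | Out-Null
        $Status = 'Granted'
    } catch {
        $Status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Mailbox  = $Mailbox.PrimarySmtpAddress
        Delegate = $Delegate.PrimarySmtpAddress
        Status   = $Status
    }
}
$Report | Export-Csv -Path 'C:\Temp\FullAccess-Grants.csv' -NoTypeInformation  # illustrative path
```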

Scenario 3.2 – Assign Full Access permissions to a User on multiple Exchange mailboxes | Mailboxes that have a specific mail address suffix

Our task is to provide Alice Full Access mailbox permissions for all the mailboxes that have a specific domain suffix in their email address. In our example, we want to give Alice access only to the mailboxes that have the o365info.com domain name suffix.
The PowerShell script that we use has three parts:

  • Part 1: in this part, we ask PowerShell to get a list of all the existing mailboxes.
  • Part 2: we “pipe” the result from the first part to the second part of the PowerShell command by using the pipe (“|“) character. Then, we use a filter to “pull” from the list of mailboxes only the mailboxes that have an email address with the domain name suffix: o365info.com
  • Part 3: in the last part of the PowerShell command, we assign Alice Full Access mailbox permissions on the filtered list of mailboxes that we got from the second part of the PowerShell command.
PowerShell command syntax

PowerShell command example

Scenario 3.3 – Assign Full Access permissions to a User on multiple Exchange mailboxes | Mailboxes users from a specific department

Our task is to provide Alice mailbox permissions for all of the users who work in the Sales department. Pay attention to the fact that we want to filter users with a particular characteristic (users who work in the Sales department) and then provide Alice a Full Access permission to these users' mailboxes.

When we want to reference a property such as a department, we need to use the “User object”, because a property such as department or manager is a User property and not a mailbox property.
To be able to get information about a user object property in the Exchange Online environment, we need to use the Get-User cmdlet. The Get-User cmdlet enables us to reference Office 365 users who have a mailbox.

PowerShell command syntax

PowerShell command example

Scenario 3.4 – Assign Full Access permissions to a User on multiple Exchange mailboxes | users that work in department X or at department Y

Our task is to provide Alice Full Access mailbox permissions for all of the users who work in the Sales department and for the users who work in the Marketing department. To be able to reference users from two different departments, we will use the logical operator: “OR”

PowerShell command syntax

PowerShell command example

Scenario 3.5 – Assign Full Access permissions to a User on multiple Exchange mailboxes | using a combination of logical operators

Our task is to provide Alice Full Access mailbox permissions for:

  1. All of the managers that work in the Sales department.
  2. All of the managers that work in the Marketing department.

To be able to implement the required condition, we will use the logical operator “OR” together with the logical operator “AND“.

PowerShell command syntax

PowerShell command example
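
The combined AND/OR condition from Scenario 3.5, as an added example that is not the article's original command. It assumes a connected Exchange Online session and that “manager” is stored in the user's Title property (the property the article uses in Scenario 8); it also shows how misplaced parentheses widen the grant.

```powershell
# Added example (not from the original article).
# Assumption: a manager is a user whose Title property equals 'Manager'.

# Intended grouping: Title is Manager AND (Department is Sales OR Marketing).
$Grouped = "(Title -eq 'Manager') -and ((Department -eq 'Sales') -or (Department -eq 'Marketing'))"

# Misplaced parentheses: matches Sales managers plus EVERY Marketing user,
# which would hand Alice far more mailboxes than the task asks for.
$TooWide = "((Title -eq 'Manager') -and (Department -eq 'Sales')) -or (Department -eq 'Marketing')"

# Title and Department are User properties, so the list comes from Get-User.
$Managers = @(Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Filter $Grouped)
$Wide     = @(Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Filter $TooWide)
'{0} users match the intended filter, {1} match the mis-grouped one' -f $Managers.Count, $Wide.Count

# Review the matched users before granting anything.
$Managers | Sort-Object Department, Name |
    Format-Table Name, Title, Department, UserPrincipalName

$Grant = @{
    User            = 'Alice'
    AccessRights    = 'FullAccess'
    InheritanceType = 'All'
    AutoMapping     = $false   # choice made for this example, as in Scenario 3.1
}
foreach ($Manager in $Managers) {
    Add-MailboxPermission -Identity $Manager.UserPrincipalName @Grant
}
```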

Scenario 3.6 – Assign Full Access permissions to a User on multiple Exchange mailboxes | using the filter option for exclude list of users

To accomplish this task, we will need to use a more complicated PowerShell script.

  • Step 1: Get a list of all the users who have the Global Admin role.
  • Step 2: Extract the email address of each of the users who are configured as Global Administrator.
  • Step 3: Assign a Full Access mailbox permission to Alice for all the mailboxes, but exclude (filter out) from the list all the mailboxes that “belong” to users who have the Global Administrator role.

PowerShell command example
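
The three steps above as an added example, not the article's original script. It assumes the MSOnline module is connected (Connect-MsolService) alongside the Exchange Online session; the variable names are illustrative.

```powershell
# Added example (not from the original article).
# Assumes Connect-MsolService and an Exchange Online session are both active.

# Step 1: users who hold the Global Administrator role.
# In the MSOnline module this role is named "Company Administrator".
$Role   = Get-MsolRole -RoleName 'Company Administrator'
$Admins = Get-MsolRoleMember -RoleObjectId $Role.ObjectId

# Step 2: extract the e-mail address of each Global Administrator.
$AdminAddresses = @($Admins | Where-Object { $_.EmailAddress } |
    ForEach-Object { $_.EmailAddress })

# Fail closed: if the lookup returned nothing, the exclusion list is empty
# and Step 3 would grant Alice access to the administrators' mailboxes too.
if ($AdminAddresses.Count -eq 0) {
    throw 'No Global Administrators were returned; refusing to continue.'
}

# Step 3: all mailboxes except those that belong to a Global Administrator.
# Both the UPN and the primary SMTP address are compared, because the two
# can differ for the same user. -notcontains is case-insensitive.
$Targets = Get-Mailbox -ResultSize Unlimited | Where-Object {
    ($AdminAddresses -notcontains $_.UserPrincipalName) -and
    ($AdminAddresses -notcontains $_.PrimarySmtpAddress)
}

# Show what was excluded before any permission is assigned.
'Excluded {0} administrator address(es); {1} mailboxes remain.' -f `
    $AdminAddresses.Count, @($Targets).Count

$Grant = @{
    User            = 'Alice'
    AccessRights    = 'FullAccess'
    InheritanceType = 'All'
    AutoMapping     = $false
}
foreach ($Mailbox in $Targets) {
    Add-MailboxPermission -Identity $Mailbox.PrimarySmtpAddress @Grant
}
```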


Scenario 4 – Assign Full Access mailbox permissions to a Security group (Mail Enabled Security group)

Using a Security group for assigning mailbox permissions is the best practice for permission assignment and management.

The use of a Security group enables us to enjoy the “dynamic nature” of the Security group. When we assign permissions to individual users, permission management becomes complicated, because it’s very hard to document and track which users have explicit permission to other users' mailboxes.

Using a Security group enables us to simplify and optimize the assignment and the management of mailbox permissions. For example, instead of providing permission to six users for a particular mailbox, we can create a Security group, add the users to the Security group and assign the permission to the Security group.

If we need to give additional users access to the specific user mailbox, all we need to do is add these users to the Security group. The “new users” will automatically inherit the permission that is assigned to the Security group.

The same logic applies when we need to revoke or remove a mailbox permission from a specific user.

You can read more detailed information on the concepts and the advantages of assigning permissions to a Security group in the article: Effective management of permission in Exchange Online by using groups.

Additional things that I would like to mention are:

Note – if you need a reminder about the AutoMap feature read the section: AutoMap

Scenario 4.1 – Assign mailbox permissions to a Security group (Mail Enabled Security group) – on the other User Mailbox


In the following example, we provide a Full Access mailbox permission to a Security group named: NY-HelpDesk.

Note that the PowerShell command syntax for assigning a mailbox permission to a user or to a Security group is identical. There is no special parameter that we need to use when we assign a permission to a Security group.

PowerShell command syntax

PowerShell command example

Scenario 4.2 – Assigning permission to a Security group (Mail Enabled Security group) on a Filtered list of mailboxes

An additional example could be a scenario in which we want to provide a Security group Full Access mailbox permissions for all of the users' mailboxes.
For example, we want to assign Full Access mailbox permissions to a security group named “NY-HelpDesk” for all the users' mailboxes.
As mentioned before, when we provide a mailbox permission to a security group, there is no change in the standard PowerShell syntax compared with the scenario in which we provide a mailbox permission to a user.
All we need to do is use the name of the security group (mail enabled security group) after the -User parameter.

PowerShell command syntax

PowerShell command example

Scenario 4.3 – Assigning permission to a Security group (Mail Enabled Security group) on, User Mailbox + using the AutoMap option

One of the main differences between assigning a mailbox permission to a security group and assigning a permission to a specific user is that the AutoMap feature will not be applied to each of the security group members, because the permission assignment is implemented by referencing the “Group object” and not the security group members.

To make the scenario a little more complicated, we will add an additional demand: we would like to “activate” the AutoMap feature for each of the members of the security group.

To accomplish this task, we will use a little trick: instead of assigning the permission directly to the security group, we will first extract a list of the group members (a list of the names of each of the group members) and then use the PowerShell ForEach statement to provide the required mailbox permissions for each of the group members.

PowerShell command syntax

PowerShell command example


Scenario 5 – Assigning permissions to a Distribution group on a users mailbox

By default, we cannot assign a permission to a distribution group because a distribution group is not a “security object”. The Distribution group serves for “gathering” recipients for the purpose of sending mail to a group of recipients.
If we try to assign a Full Access mailbox permission to a Distribution group, the PowerShell console will display the following error:

“User or group “<group Name>” wasn’t found. Please make sure you’ve typed it correctly.”

The PowerShell console error is not clear, because the message says that the specific group doesn’t exist. This message is not quite correct: the group exists, but because the group is a Distribution group, there is no option for assigning a mailbox permission to the group.

So now the obvious question could be: “why do I use the title of “Assigning mailbox permissions to a Distribution group on a user’s mailbox” for this section?”

The answer is that we can use a little trick or workaround for accomplishing this task.
The trick is to first use a PowerShell command that extracts each of the Distribution group members and, in the next step, assign the required mailbox permission to each of the group members separately.
The assignment of the mailbox permission for each of the group members is implemented by using the PowerShell ForEach statement.

In the first part, we define a variable named $Members that will serve as a “container”, or an array, that contains all the members (users) of the distribution group: “NY-HelpDesk”

The content of the $Members variable is populated by using the PowerShell cmdlet Get-DistributionGroupMember.

The next section is based on the ForEach statement. In the parentheses of the ForEach statement, we tell ForEach to “do something” for each item that is included in the $Members array.

We use an additional variable named $Member that will represent a single entity (a specific user) each time we run the mailbox permission command. The name of the variable is just a name that I have chosen. We can choose any name we like.
The section that is defined by the curly brackets includes the PowerShell command that we want to execute. In our example, we use Add-MailboxPermission.
Pay attention that, compared with the standard syntax of the Add-MailboxPermission command, instead of specifying the user name that will get Full Access mailbox permissions to John’s mailbox, we use the $Member variable with the property name ($Member.name).

The reason is that when using the ForEach option, the Add-MailboxPermission command will run over and over for each of the group members until the last member in the list.
In the last part, we use the -AutoMapping option with the value $True, because we want to enable the -AutoMapping option for each of the group members.

PowerShell command syntax

PowerShell command example


Scenario 6 -Assigning permission to a Distribution group on a Filtered list of mailboxes

In this example, we want to provide a Full Access mailbox permission to each member of a Distribution group for all the existing mailboxes.
Because we cannot assign a Full Access mailbox permission directly to a Distribution group, we will use two “ForEach” loops.

  1. Referencing the group members – to be able to reference each of the group members, we will create a variable named $Members that will serve as a “container”, or an array, that contains all the members (users) of a security group: “NY-HelpDesk”
  2. Referencing the Exchange Online mailboxes – to be able to reference all the user mailboxes, we will create an additional variable named $Mailboxes that will serve as a “container” for all the users' mailboxes.
  3. The next section contains a combination of two ForEach statements. The first ForEach section runs the command separately for each of the mailboxes.
  4. The next ForEach section (a nested ForEach) runs the command for each of the group members.
  5. The part that describes the user who wants to share his mailbox (provide Full Access permission to his mailbox) is represented by the variable $Mailbox.name
  6. The part that describes the user who will have access to the user mailbox is represented by the variable $Member.name

PowerShell command syntax

PowerShell command example
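
The nested ForEach pattern described above (the same member-extraction trick used in Scenarios 4.3 and 5), as an added example that is not the article's original script. It assumes a connected Exchange Online session and identifies recipients by PrimarySmtpAddress in place of the Name property the text mentions, because display names are not guaranteed to be unique.

```powershell
# Added example (not from the original article).
# Assumes a connected Exchange Online PowerShell session.

# Container 1: the members of the group. A group can also hold contacts or
# nested groups, so only members that own a mailbox are kept.
$Members = @(Get-DistributionGroupMember -Identity 'NY-HelpDesk' -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' })

# Container 2: all the user mailboxes.
$Mailboxes = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)

# The nested loops create (members x mailboxes) permission entries;
# print the number so the size of the change is known before it is made.
'About to create up to {0} Full Access entries.' -f ($Members.Count * $Mailboxes.Count)

$AutoMap = $false   # Scenario 5 uses $true for one mailbox; here it would map every mailbox

foreach ($Mailbox in $Mailboxes) {          # outer loop: the mailbox being shared
    foreach ($Member in $Members) {         # inner loop: the member who gets access
        # A member already has full control of his own mailbox.
        if ($Mailbox.PrimarySmtpAddress -eq $Member.PrimarySmtpAddress) { continue }

        Add-MailboxPermission -Identity $Mailbox.PrimarySmtpAddress `
            -User $Member.PrimarySmtpAddress `
            -AccessRights FullAccess -InheritanceType All -AutoMapping $AutoMap
    }
}
```

Unlike a permission assigned to a Security group, these per-user entries are a snapshot: users added to the group later do not receive them, and users removed from the group keep them until they are removed explicitly.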



Scenario 7 – Assigning permission to a user on list of users from a File

In this section, we relate to a scenario in which we want to provide permission to a user on a collection of other users (recipients). The difference from the former scenarios is that the “collection” of users is located in a file.

General concepts when working with the file

Until now, we created a list of users or mailboxes by using the Get PowerShell cmdlets. We can describe this method as “dynamic” because the list is created by a query that runs when we use a command such as Get-Mailbox, and by default the output is stored in the desktop's memory. Compared with this method, an additional option is to store the information in a file.

We can describe this method as “static” because the file content includes static information. One advantage of using a file as a source of information is that when the information is stored in a file, we can use an application such as Excel to edit the data easily.

Most of the time, the best practice is to use the file format named CSV (comma separated values).
Technically, the content of a CSV file is based on a simple text format, but the CSV format enables us to mimic the structure of a data table that includes columns, column headers, and rows.
In the following section, we will review some examples of using a file as a “source of information” for providing mailbox permissions.

Scenario 7.1 – Assign Full Access permissions to list (from a file) on a user’s mailbox

In the following scenario, we would like to provide a list of users Full Access mailbox permission to John’s mailbox. The difference from the former scenarios is that the user list is contained in a file that we have prepared in advance.
In the next screenshot, we can see an example of the file structure. As you can see, the structure is very simple. We use a CSV file because the CSV format enables us to “mimic” a table structure by using a simple text file.
The “table” that we use includes a column header named: Users. The name “Users” is just an example. You can choose any other name that suits your needs (avoid selecting a header name that includes spaces).

Scenario 7.1 - Assigning mailbox permissions to a user list - from a file - on a user mailbox.
To be able to import the list content from the CSV file, we use the PowerShell cmdlet Import-CSV and provide the path and the file name. In our example, the file name is: User.csv and the file location is: C:\Temp
After the “import” step, we use the PowerShell ForEach cmdlet to assign the required permission to each of the users separately.

We can define the user list from the CSV file as an array. To enable PowerShell to relate to each of the users (each member or item within the array), we use the $_. sign.
The $_ variable contains the current pipeline object, and is used in script blocks, filters, and the where statement.
In our example, the column header for the users column is named “users” (you can choose any other name that suits your needs).
If you look at the PowerShell command syntax, you will notice that instead of using a specific user name, we use $_.users

The meaning is that the ForEach cmdlet will look at the table column named “users” and run the mailbox permission command for each of the users who appear under that column. The $_.users expression serves as a “placeholder” for the user name, and it is replaced each time with a different user name until the end of the list.

PowerShell command example

Scenario 7.2 – Assign Full Access permissions to a user on a user’s list (from a file)

In this scenario, we want to provide a user (John in our example) Full Access mailbox permission to a list of users' mailboxes. The list of user names is saved in a file.

PowerShell command example


Using a TXT file
This scenario is identical to the former scenario (scenario 7.2). The difference is that in this Scenario, we will import the required information from a TXT file instead of a CSV file.

In the following screenshot, we can see an example of the content\structure of the TXT file.
Scenario 7.2 Assigning mailbox permissions to a user on a user list ( from a file)-TXT File
The PowerShell syntax that we use is a little bit different.
When we want to read data from a TXT file, we use the PowerShell cmdlet Get-Content.

PowerShell command example

Scenario 7.3 – Assigning mailbox permissions to a list of users on a list of another user list (from a file)

In the next example, we use a more advanced option. The CSV file includes two columns.
The first column (named List1) includes a list of users to whom we want to provide Full Access permissions on the mailboxes of the users who are listed in the second column (List2).
Scenario 7.3 - Assigning mailbox permissions to a list of users on a list of user list ( from a file)

For example, the user Jeff will get a Full Access permission to John’s mailbox.

PowerShell command example
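
The two-column file from Scenario 7.3, as an added example that is not the article's original command. It assumes a connected Exchange Online session; the sample rows are constructed for illustration, and each row is validated before any permission is granted so that a typo in the file cannot produce an unintended grant.

```powershell
# Added example (not from the original article).
# Constructed sample data in the article's layout: List1 gets access to List2.
$Csv = @'
List1,List2
Jeff,John
Alice,John
,John
Bob,NoSuchUser
'@
$Rows = $Csv | ConvertFrom-Csv
# For a real file, replace the line above with (hypothetical path):
# $Rows = Import-Csv -Path 'C:\Temp\Pairs.csv'

foreach ($Row in $Rows) {
    # Cast to string first so a missing column does not throw on Trim().
    $Delegate = "$($Row.List1)".Trim()
    $Owner    = "$($Row.List2)".Trim()

    if (-not $Delegate -or -not $Owner) {
        Write-Warning "Skipping incomplete row: '$Delegate,$Owner'"
        continue
    }

    # Resolve both names before granting. A name that does not exist, or
    # that matches more than one recipient, is skipped rather than guessed.
    try {
        $OwnerMbx    = @(Get-Mailbox   -Identity $Owner    -ErrorAction Stop)
        $DelegateRcp = @(Get-Recipient -Identity $Delegate -ErrorAction Stop)
    } catch {
        Write-Warning "Skipping row '$Delegate,$Owner': $($_.Exception.Message)"
        continue
    }
    if ($OwnerMbx.Count -ne 1 -or $DelegateRcp.Count -ne 1) {
        Write-Warning "Skipping row '$Delegate,$Owner': name is not unique"
        continue
    }

    Add-MailboxPermission -Identity $OwnerMbx[0].PrimarySmtpAddress `
        -User $DelegateRcp[0].PrimarySmtpAddress `
        -AccessRights FullAccess -InheritanceType All
}
```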



Scenario 8 – Assigning Full Access mailbox permissions to a Filtered list Members on a user mailbox

In the following scenario, we want to provide a mailbox permission to a filtered list of users on one user's mailbox (a many-to-one relationship).

For example, we want to provide a Full Access mailbox permission to John’s mailbox to all the users whose title is manager.

  1. To be able to get a list of users whose title is manager, we need to use the PowerShell cmdlet Get-User. As mentioned before, the Title property is a User object property and not a mailbox property (a mailbox cannot be a manager, but a user can be a manager).
  2. In the first part of the PowerShell script, we create a variable named $Members that will store the list of the users whose Title is: manager
  3. We use a filter to get only the users who meet the condition Title = manager
  4. In the next section, we use the ForEach statement, which enables us to loop through, and perform an action on, each item in a collection (all the users whose Title is: manager).
  5. In the last part, we assign the Full Access mailbox permission on the user's mailbox (John in our example) to each of the members. To be able to reference each of the managers, we create a variable named Member and add the property name to get the Name of the mailbox.

PowerShell command syntax

PowerShell command example

Scenario 9 – Assigning Full Access mailbox permissions to a Security group (Mail Enabled Security group) on other Group member’s

As mentioned in the Table Matrix of permissions scenarios, technically we cannot provide a permission to a Security group directly on another group (Security or Distribution group).
In the following scenario, we will use the trick of extracting the group members (of a Security group or a Distribution group) as individual users and then giving the Security group the required permission on the mailbox of each individual group member.
In our example, we will assign a Full Access permission to a Security group named SEC-01 on the mailbox of each of the members of a Distribution group named: DL-01

  1. In the first part of the PowerShell script, we create a variable named $Member that will store the members of the destination group.
    The PowerShell cmdlet Get-DistributionGroupMember serves for getting the members of a Distribution group and also of a Mail enabled security group.
  2. In the next section, we use the ForEach statement, which enables us to loop through, and perform an action on, each item in a collection (all the members of the DL-01 Distribution group).
  3. In the last part, we assign the Full Access mailbox permission to the mail enabled Security group named: SEC-01. To be able to reference each of the members of the DL-01 Distribution group separately, we use a variable named $Member and add the property name to get the Name of the mailbox (the identity of each user).

PowerShell command syntax

PowerShell command example


Scenario 10 – Assigning Full Access mailbox permissions to a Group on other Group member’s Mailboxes and vice versa

The following scenario looks a bit confusing. However, fear not! The business need: we have two Distribution groups, a managers Distribution group and an assistants Distribution group. Each of the managers needs Full Access mailbox permissions for each of the assistants' mailboxes and vice versa: each of the assistants needs Full Access mailbox permissions to each of the managers' mailboxes.
The managers' group name is: Manager-DL
The assistants' group name is: Assistant-DL

PowerShell command example

PowerShell Script Links


Mailbox Permissions – PowerShell commands
For your convenience, I have “wrapped” all of the PowerShell commands that were reviewed in a PowerShell script named: Mailbox-Permissions.zip

Script to Modify Office 365 Mailbox Permissions (PowerShell)
This script could be used to modify Office 365 mailbox permissions. You can use this script to add or remove mailbox permissions. This script will try to connect Windows PowerShell to Office 365 automatically if the connection is not established.

Export mailbox permissions from Office 365 to CSV file
This Powershell script will connect to Office 365 and export all mailbox permissions to a CSV file. This script forms the basis of the Mailbox Permission reports available in our Office 365 reporting package.
The script only collects permissions that are non-standard, and won’t collect permissions set by Built In groups like Administrators making for a cleaner and more relevant report.
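
The kind of report described above, sketched as an added example; it is not the linked script and not code from the original article. It assumes a connected Exchange Online session, and the output path is illustrative.

```powershell
# Added example (not the linked script, not from the original article).
# Lists every explicit Full Access entry so that the grants made in the
# scenarios above can be reviewed, and the unneeded ones removed.
$Report = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        ($_.AccessRights -like '*FullAccess*') -and   # Full Access entries only
        (-not $_.IsInherited) -and                    # skip inherited (built-in) entries
        (-not $_.Deny) -and                           # skip deny entries
        ($_.User -notlike 'NT AUTHORITY\*')           # skip the owner's own SELF entry
    } |
    Select-Object Identity, User,
        @{ Name = 'AccessRights'; Expression = { $_.AccessRights -join ',' } }

# Who holds Full Access to the most mailboxes? A delegate with an
# unexpectedly high count is the first thing to look at.
$Report | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$Report | Export-Csv -Path 'C:\Temp\FullAccess-Audit.csv' -NoTypeInformation  # illustrative path
```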

Eyal Doron | o365info.com