
Manage Mailbox Permissions by using PowerShell | Office 365

In this article, we review how to use PowerShell commands to manage Full Access mailbox permissions in an Exchange Online environment.

Connect to Exchange Online PowerShell

To be able to run the PowerShell commands specified in the current article, you will need to Connect to Exchange Online PowerShell.

Start Windows PowerShell as administrator and run the cmdlet Connect-ExchangeOnline.

Connect-ExchangeOnline

Mailbox permissions

Mailbox permissions fall into two categories:

  1. Full Access permissions: enable another recipient to see all of the mailbox content.
  2. Permission to send email using another recipient's name (“Send As” and “Send on Behalf”).

Some mailbox permissions can be assigned by the user himself (by using the Outlook or OWA interface), while the permissions to send email using another recipient's name can only be allocated by using the PowerShell interface.

The considerable advantage of using PowerShell for managing mailbox permissions is that the administrator can remotely create the required settings for the user (assisting users and preventing misconfigurations) and can use the power of PowerShell to execute commands in Bulk Mode (apply configuration settings to more than one mailbox).

Mailbox permissions PowerShell commands basic structure

The basic structure of a PowerShell mailbox permissions command involves two parties, each named by its own parameter.

In our example, we want to enable Alice to get Full Access permission to her manager's mailbox. The -Identity parameter refers to the user who wants to “share” his mailbox (provide other users the option to access the content of his mailbox), and the -User parameter represents the user who will get access to the mailbox.

1. Assign Mailbox Permissions

1.1 – Assign “Full Access” permissions for a Mailbox

PowerShell command syntax:

Add-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess -InheritanceType All

PowerShell command example:

Add-MailboxPermission John -User Suzan -AccessRights FullAccess -InheritanceType All

1.2 – Assign “Send As” Permissions for a Mailbox

PowerShell command syntax:

Add-RecipientPermission <Identity> -AccessRights SendAs -Trustee <Identity>

PowerShell command example:

Add-RecipientPermission John -AccessRights SendAs -Trustee Suzan

To avoid the need for confirmation, we can add the option: “-Confirm:$False”.

Add-RecipientPermission John -Trustee Suzan -AccessRights SendAs -Confirm:$False

1.3 – Assign “Send As” Permissions for ALL Mailboxes (Bulk Mode)

PowerShell command syntax:

$MBXS = Get-Recipient -RecipientType UserMailbox

ForEach ($MBX in $MBXS) { 
    Add-RecipientPermission $MBX.name -AccessRights SendAs -Trustee <User Principal Name> -Confirm:$False 
}

Get-RecipientPermission | Where { ($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid') }

PowerShell command example:

$MBXS = Get-Recipient -RecipientType UserMailbox

ForEach ($MBX in $MBXS) { 
    Add-RecipientPermission $MBX.name -AccessRights SendAs -Trustee John@o365info.com -Confirm:$False 
}

Get-RecipientPermission | Where { ($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid') }

1.4 – Assign “Send As” Permissions for recipient for each member in a distribution group

PowerShell command syntax:

$DL = Get-DistributionGroupMember <Distribution Group>
Foreach ($item in $DL) { 
    Add-RecipientPermission $item.name -AccessRights SendAs -Trustee <Identity> -Confirm:$False 
}

PowerShell command example:

$DL = Get-DistributionGroupMember DL-01
Foreach ($item in $DL) { 
    Add-RecipientPermission $item.name -AccessRights SendAs -Trustee Suzan -Confirm:$False 
}

1.5 – Assign “Send As” Permissions for each member in a distribution group for a specific recipient

PowerShell command syntax:

$DL = Get-DistributionGroupMember <Distribution Group>
Foreach ($item in $DL) { 
    Add-RecipientPermission <Identity> -AccessRights SendAs -Trustee $item.name -Confirm:$False 
}

PowerShell command example:

$DL = Get-DistributionGroupMember DL-01
Foreach ($item in $DL) { 
    Add-RecipientPermission Suzan -AccessRights SendAs -Trustee $item.name -Confirm:$False 
}

1.6 – Assign “Send on Behalf” Permissions for a Mailbox

PowerShell command syntax:

Set-Mailbox <Identity> -GrantSendOnBehalfTo <Identity>

PowerShell command example:

Set-Mailbox -Identity John -GrantSendOnBehalfTo Suzan

1.7 – Assign “Full Access” permissions for all Mailboxes (BulkMode)

PowerShell command syntax:

Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType All

PowerShell command example:

Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User John -AccessRights FullAccess -InheritanceType All

2. Assign Full Access Permissions and AutoMap

2.1 – Assign “Full Access” permissions to Distribution Group + AutoMap

PowerShell command syntax:

# Collect the member names, then grant each member Full Access individually
$DL = Get-DistributionGroupMember <Distribution Group> | Select-Object -ExpandProperty Name 
ForEach ($Member in $DL ) {
    Add-MailboxPermission -Identity <Identity> -User $Member -AccessRights FullAccess -InheritanceType All
}

PowerShell command example:

# Collect the member names, then grant each member Full Access individually
$DL = Get-DistributionGroupMember "Assistants Group" | Select-Object -ExpandProperty Name 
ForEach ($Member in $DL ) {
    Add-MailboxPermission -Identity "FL1 Room1" -User $Member -AccessRights FullAccess -InheritanceType All
}

2.2 – Assign “Full Access” permissions for all Mailboxes (BulkMode) and Disable AutoMap

PowerShell command syntax:

Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType All -AutoMapping $False

PowerShell command example:

Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User John -AccessRights FullAccess -InheritanceType All -AutoMapping $False

2.3 – Assign “Full Access” permissions for Specific User and Disable AutoMap

PowerShell command syntax:

Add-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess -InheritanceType All -AutoMapping $False

PowerShell command example:

Add-MailboxPermission John -User Suzan -AccessRights FullAccess -InheritanceType All -AutoMapping $False

3. Display permissions for a Mailbox

3.1 – Display “Full Access” Permissions for a Mailbox

PowerShell command syntax:

Get-MailboxPermission <Identity>

PowerShell command example:

Get-MailboxPermission John

To improve the quality of the output, we can use an additional PowerShell parameter that will “clean” the unnecessary information:

Get-MailboxPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity,User,AccessRights

3.2 – Display “Send As” permission for a Mailbox

PowerShell command syntax:

Get-RecipientPermission <Identity>

PowerShell command example:

Get-RecipientPermission John

To improve the quality of the output, we can use an additional PowerShell parameter that will “clean” the unnecessary information:

Get-RecipientPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.Trustee -like "NT AUTHORITY\SELF") } | Select Trustee,AccessControlType,AccessRights

3.3 – Display “Send On Behalf” Permissions for Mailbox

PowerShell command syntax:

Get-Mailbox <Identity>

PowerShell command example:

Get-Mailbox John

To improve the quality of the output, we can use an additional PowerShell parameter that will “clean” the unnecessary information:

Get-Mailbox John | Select Name, GrantSendOnBehalfTo

3.4 – View all “Send As permissions” you’ve configured in your organization

PowerShell command syntax:

Get-RecipientPermission | where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid')} | select Identity,Trustee,AccessRights

3.5 – Display a list of recipients that have FULL ACCESS permission on other recipients

PowerShell command syntax:

# Collect every mailbox, then list the explicit Full Access entries on each one
$a = Get-Mailbox -ResultSize Unlimited
$a | Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } | Select Identity, User, AccessRights
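
The display commands in sections 3.1 to 3.5 can be combined into one delegation review. The following is an added example, not part of the original article: it collects Full Access, Send As and Send on Behalf grants for every mailbox into one report and lists trustees that hold rights on many mailboxes. The `$threshold` value and the CSV file name are assumptions, and an Exchange Online session opened with Connect-ExchangeOnline is required.

```powershell
# Added example, not from the original article. Requires Connect-ExchangeOnline.
$ignore    = 'NT AUTHORITY\SELF', 'Null sid'   # same built-in entries the article filters out
$threshold = 5                                 # assumed review threshold, tune per tenant

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $id = $mbx.PrimarySmtpAddress

    # Full Access: explicit (non-inherited) allow entries only
    Get-MailboxPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.User -notin $ignore -and
                       $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $id; Trustee = $_.User; Right = 'FullAccess' }
        }

    # Send As: allow entries granted to someone other than the mailbox owner
    Get-RecipientPermission -Identity $id |
        Where-Object { $_.Trustee -notin $ignore -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $id; Trustee = $_.Trustee; Right = 'SendAs' }
        }

    # Send on Behalf: stored on the mailbox object itself
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $id; Trustee = $delegate; Right = 'SendOnBehalf' }
    }
}

# Full listing for the record (hypothetical file name)
$report | Export-Csv -Path .\mailbox-delegations.csv -NoTypeInformation

# Trustees holding rights on many mailboxes, largest first
$report | Group-Object Trustee |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Comparing the exported CSV between runs shows which grants were added or removed since the last review, including those created by the Bulk Mode commands in sections 1.3 and 1.7.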

4. Revoke Permissions

4.1 – Revoke “Full Access” Permissions

PowerShell command syntax:

Remove-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess

PowerShell command example:

Remove-MailboxPermission John -User Suzan -AccessRights FullAccess

To avoid the need for confirmation, we can add the option: “-Confirm:$False”.

Remove-MailboxPermission John -User Suzan -AccessRights FullAccess -Confirm:$False

4.2 – Revoke “Send As” Permissions

PowerShell command syntax:

Remove-RecipientPermission <Identity> -AccessRights SendAs -Trustee <Identity>

PowerShell command example:

Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan

To avoid the need for confirmation, we can add the option: “-Confirm:$False”.

Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan -Confirm:$False
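
The two revoke commands above act on one mailbox at a time. The following added example (not part of the original article) removes every Full Access and Send As grant held by a single trustee across all mailboxes, for instance when an account is disabled or a Bulk Mode grant from section 1 has to be undone. The trustee address is a placeholder built from the article's sample names, and `$preview` is an assumed switch that keeps the run in -WhatIf mode until it is set to `$false`.

```powershell
# Added example, not from the original article. Requires Connect-ExchangeOnline.
$trustee = 'Suzan@o365info.com'   # placeholder trustee, replace with the real account
$preview = $true                  # $true = only show what would be removed (-WhatIf)

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $id = $mbx.PrimarySmtpAddress

    # Explicit Full Access entries held by the trustee on this mailbox
    Get-MailboxPermission -Identity $id -User $trustee |
        Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object {
            Remove-MailboxPermission -Identity $id -User $trustee `
                -AccessRights FullAccess -Confirm:$false -WhatIf:$preview
        }

    # Send As entries held by the trustee on this mailbox
    Get-RecipientPermission -Identity $id -Trustee $trustee |
        ForEach-Object {
            Remove-RecipientPermission -Identity $id -Trustee $trustee `
                -AccessRights SendAs -Confirm:$false -WhatIf:$preview
        }
}
```

Send on Behalf is not covered here because the article's revoke section handles only Full Access and Send As.
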
o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
