Full Access Mailbox permission – Everything You Always Wanted to Know About But Were Afraid to Ask part 2/3

In this article, we review examples of different scenarios for using the Full Access mailbox permission: for example, assigning Full Access mailbox permissions to a user on another user’s mailbox, to a user on all the user mailboxes (bulk mode), to a user on a filtered list of mailboxes, and more.

Full Access Mailbox permission | Article Series

The Full Access Mailbox permission article series includes the following three articles:

  1. Full Access Mailbox permission – Part 1/3
  2. Full Access Mailbox permission – Part 2/3 (this article)
  3. Full Access Mailbox permission – Part 3/3

Scenario 1. Assign Full Access permissions to User Mailbox

We will start with the most basic scenario of using mailbox permissions.

In this example, we need to provide Alice Full Access to her manager’s mailbox (John).

As mentioned before, it’s recommended to add the -InheritanceType All parameter to the basic PowerShell command so that Alice also gets access to any new mail folder that John creates in the future.

We don’t need to add the AutoMapping option because AutoMapping is enabled by default. In other words, after executing the following PowerShell command, John’s mailbox will be added automatically to Alice’s Outlook mail profile.

PowerShell command syntax:

Add-MailboxPermission -Identity <Identity> -User <Identity> -AccessRights FullAccess -InheritanceType All

PowerShell command example:

Add-MailboxPermission -Identity "John" -User "Alice" -AccessRights FullAccess -InheritanceType All

Scenario 2. Assign Full Access permissions to a User on all Mailboxes (Bulk mode)

Our task is to provide Alice Full Access mailbox permissions to all the user mailboxes.

In this scenario, we should consider disabling the default AutoMapping option. The underlying assumption is that Alice will need access to the user mailboxes only from time to time, based on a specific requirement, and we don’t want tens or hundreds of mailboxes to be added automatically to Alice’s Outlook mail profile.

  1. In the first part of the PowerShell command, we ask PowerShell to get a list (a collection) of all the Exchange Online mailboxes. The output of the first part is piped to the second part of the command.
  2. In the second part, we assign Alice the Full Access mailbox permission on all the mailboxes (the mailbox list that we got from the first part of the command).
  3. Get-Mailbox -ResultSize unlimited – by default, the Get-Mailbox command returns only the first 1,000 mailboxes. If you manage an enterprise organization that has more than 1,000 mailboxes, add the option -ResultSize unlimited to get a list of all the existing mailboxes.

PowerShell command example:

Get-Mailbox -ResultSize unlimited | Add-MailboxPermission -User "Alice" -AccessRights FullAccess -InheritanceType all -AutoMapping $False

Scenario 3. Assign mailbox permissions to a user on a Filtered list member’s mailbox

In the following section, we review scenarios in which we want to provide Full Access mailbox permission to a user on a filtered list of mailboxes.

Scenario 3.1 – Assign Full Access permissions to a User on multiple Exchange mailboxes | Only users mailboxes

Our task is to provide Alice Full Access mailbox permissions to a filtered list of mailboxes: only mailboxes of the type user mailbox.

(In the Exchange environment, there are additional types of mailboxes, such as room mailbox, resource mailbox, shared mailbox, and so on.)

  • AutoMapping – the additional requirement is to disable the AutoMapping option. As mentioned before, the AutoMapping feature is enabled by default. In our scenario, we don’t want to use AutoMapping because we want to avoid a situation in which Alice’s Outlook mail profile includes tens or hundreds of mailboxes. We implement this requirement by using the parameter: -AutoMapping $False

PowerShell command example:

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User "Alice" -AccessRights FullAccess -InheritanceType all -AutoMapping $False

Scenario 3.2 – Assign Full Access permissions to a User on multiple Exchange mailboxes | Mailboxes that have a specific mail address suffix

Our task is to provide Alice Full Access mailbox permissions for all the mailboxes that have a specific domain suffix in their email address. In our example, we want to provide Alice access only to the mailboxes that have the o365info.com domain name suffix.

The PowerShell command that we use has three parts:

  1. In the first part, we ask PowerShell to get a list of all the existing mailboxes.
  2. We use the Filter parameter to “pull” from the list of mailboxes only the mailboxes that have an email address with the domain name suffix: o365info.com
  3. We “pipe” the filtered list to the next part of the command by using the pipe (“|”) character, and assign Alice Full Access mailbox permissions on each mailbox in the filtered list.

PowerShell command syntax:

Get-Mailbox -ResultSize unlimited -Filter {(EmailAddresses -like "*<Mail address suffix>*")} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType all -AutoMapping $False

PowerShell command example:

Get-Mailbox -ResultSize unlimited -Filter {(EmailAddresses -like "*o365info.com*")} | Add-MailboxPermission -User "Alice" -AccessRights FullAccess -InheritanceType all -AutoMapping $False

Scenario 3.3 – Assign Full Access permissions to a User on multiple Exchange mailboxes | Mailboxes users from a specific department

Our task is to provide Alice mailbox permissions for all of the users who work in the Sales department. Pay attention to the fact that we want to select users with a particular attribute (users who work in the Sales department) and then provide Alice a Full Access permission to each of these users’ mailboxes.

When we want to reference a property such as department, we need to use the “User object” because a property such as department or manager is a User property and not a mailbox property.

To get information about a user object property in the Exchange Online environment, we need to use the Get-User cmdlet. The Get-User cmdlet enables us to reference Office 365 users with mailboxes.

PowerShell command syntax:

Get-User -Filter {(Department -eq "<Department>")} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType all -AutoMapping $False

PowerShell command example:

Get-User -Filter {(Department -eq "Sales")} | Add-MailboxPermission -User "Alice" -AccessRights FullAccess -InheritanceType all -AutoMapping $False

Scenario 3.4 – Assign Full Access permissions to a User on multiple Exchange mailboxes | users that work in department X or at department Y

Our task is to provide Alice Full Access mailbox permissions for the users who work in the Sales department and for the users who work in the Marketing department. To reference users from two different departments, we will use the logical operator “OR”.

PowerShell command syntax:

Get-User -Filter {(Department -eq "<Department>") -or (Department -eq "<Department>")} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType all -AutoMapping $False

PowerShell command example:

Get-User -Filter {(Department -eq "Sales") -or (Department -eq "Marketing")} | Add-MailboxPermission -User "Alice" -AccessRights FullAccess -InheritanceType all -AutoMapping $False

Scenario 3.5 – Assign Full Access permissions to a User on multiple Exchange mailboxes | using a combination of logical operators

Our task is to provide Alice Full Access mailbox permissions for:

  1. All of the managers that work in the Sales department.
  2. All of the managers that work in the Marketing department.

To implement the required condition, we use the logical operator “OR” together with the logical operator “AND”. The two Department conditions are grouped inside their own parentheses so that the Title condition applies to both departments.

PowerShell command syntax:

Get-User -Filter {((Department -eq "<Department>") -or (Department -eq "<Department>")) -and (Title -eq "<Title>")} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType all -AutoMapping $False

PowerShell command example:

Get-User -Filter {((Department -eq "Sales") -or (Department -eq "Marketing")) -and (Title -eq "Manager")} | Add-MailboxPermission -User "Alice" -AccessRights FullAccess -InheritanceType all -AutoMapping $False

Scenario 3.6 – Assign Full Access permissions to a User on multiple Exchange mailboxes | using the filter option for exclude list of users

To accomplish this task, we need to use a more complicated PowerShell script:

  1. Get a list of all the users who have the Global Admin role.
  2. Extract the email address of each of the users who is configured as a Global Administrator.
  3. Assign a Full Access mailbox permission to Alice for all the mailboxes, but exclude (filter out) from the list all the mailboxes that “belong” to users who have the Global Administrator role.

PowerShell command example:

# Get role Members, extract their Email address property

$role = Get-MsolRole -RoleName 'Company Administrator' 
$roleMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId | Select-Object -ExpandProperty EmailAddress

# Get all users mailboxes except Members of the 'Company Administrator' role
 
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | 
Where { $roleMember -notcontains $_.WindowsEmailAddress } |
Add-MailboxPermission -User Alice -AccessRights FullAccess -InheritanceType All -AutoMapping $False

Scenario 4. Assign Full Access mailbox permissions to a Security group (Mail Enabled Security group)

Using a Security group for assigning mailbox permissions is the best practice for permission assignment and management.

The use of a Security group enables us to enjoy the “dynamic nature” of the Security group. When we assign permissions to individual users, permission management becomes complicated because it’s very hard to document and track which users have explicit permission to other users’ mailboxes.

Using a Security group enables us to simplify and optimize the assignment and the management of mailbox permissions. For example, instead of providing permission to six users for a particular mailbox, we can create a Security group, add the users to the Security group, and assign the permission to the Security group.

If we need to give additional users access to the specific user mailbox, all we need to do is add these users to the Security group. The “new users” will automatically inherit the permission that is assigned to the Security group.

The same logic applies when we need to remove mailbox permission from a specific user.

You can read more detailed information on the concepts and the advantages for assigning permission to a Security group in the article Effective management of permission in Exchange Online by using groups.

Additional things that I would like to mention are:

  • AutoMap
    When we assign mailbox permission to a Security group, the AutoMap feature is not activated for each of the group Members. The simple reason is that when we assign a mailbox permission to a Security group, the permission is assigned directly to the group and not to the group Members.
  • Display information about permissions
    When we use PowerShell to display information about “who has permission to a particular mailbox,” in case we assign permission to a Security group, the displayed results will relate to the name of the Security group and not to the name of each of the Security group members. In other words, when we display mailbox permission, we don’t have the option to get information about the specific users who are members of the Security group.
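
The point above about displayed permissions, as an added example that is not code from the original article: it lists the Full Access grants on a mailbox and expands any group trustee into its current direct members. It assumes a connected Exchange Online PowerShell session; the function name Get-EffectiveFullAccess is hypothetical, and "John" is the sample mailbox used in this article.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# Get-EffectiveFullAccess is a hypothetical helper name.
function Get-EffectiveFullAccess {
    param(
        [Parameter(Mandatory)]
        [string] $Mailbox
    )

    # Explicit Allow entries that include FullAccess. Inherited entries and
    # the owner's own NT AUTHORITY\SELF entry are skipped.
    $grants = Get-MailboxPermission -Identity $Mailbox | Where-Object {
        ($_.AccessRights -like '*FullAccess*') -and
        (-not $_.IsInherited) -and
        (-not $_.Deny) -and
        ($_.User -notlike 'NT AUTHORITY\*')
    }

    foreach ($grant in $grants) {
        # Resolve the trustee so that we can tell a user from a group.
        $trustee = Get-Recipient -Identity "$($grant.User)" -ErrorAction SilentlyContinue

        if ($trustee -and $trustee.RecipientTypeDetails -like '*SecurityGroup') {
            # Get-MailboxPermission shows only the group name, so expand it.
            # Direct members only: a nested group appears as one row and
            # has to be expanded again if it matters for the review.
            Get-DistributionGroupMember -Identity "$($trustee.Guid)" -ResultSize Unlimited |
                ForEach-Object {
                    [pscustomobject]@{
                        Mailbox     = $Mailbox
                        Trustee     = "$($_.PrimarySmtpAddress)"
                        TrusteeType = "$($_.RecipientTypeDetails)"
                        GrantedVia  = "Group: $($trustee.DisplayName)"
                    }
                }
        }
        else {
            # Direct grant to a user, or a trustee that no longer resolves.
            $trusteeType = 'Unresolved'
            if ($trustee) { $trusteeType = "$($trustee.RecipientTypeDetails)" }

            [pscustomobject]@{
                Mailbox     = $Mailbox
                Trustee     = "$($grant.User)"
                TrusteeType = $trusteeType
                GrantedVia  = 'Direct'
            }
        }
    }
}

# Who can actually open John's mailbox, and through which grant?
Get-EffectiveFullAccess -Mailbox 'John' |
    Sort-Object GrantedVia, Trustee |
    Format-Table -AutoSize
```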

Scenario 4.1 – Assign mailbox permissions to a Security group (Mail Enabled Security group) – on the other User Mailbox

In the following example, we provide a Full Access mailbox permission to a Security group named: NY-HelpDesk.

Note: The PowerShell command syntax for assigning mailbox permission to a user or to a Security group is identical. There is no special parameter that we need to use when we assign permission to a Security group.

PowerShell command syntax:

Add-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess -InheritanceType All

PowerShell command example:

Add-MailboxPermission "John" -User "NY-HelpDesk" -AccessRights FullAccess -InheritanceType All

Scenario 4.2 – Assigning permission to a Security group (Mail Enabled Security group) on a Filtered list of mailboxes

An additional example could be a scenario in which we want to provide a Security group Full Access mailbox permissions for all of the users’ mailboxes.

For example, we want to assign Full Access mailbox permissions to a security group named: “NY-HelpDesk” for all the user’s mailboxes.

As mentioned before, when we provide a mailbox permission to a security group, there is no change in the standard PowerShell syntax that we should use vs. the scenario in which we provide a mailbox permission to a user.

All we need to do is to use the name of the security group (mail-enabled security group) after the -User parameter.

PowerShell command syntax:

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType All

PowerShell command example:

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Add-MailboxPermission -User "NY-HelpDesk" -AccessRights FullAccess -InheritanceType All

Scenario 4.3 – Assigning permission to a Security group (Mail Enabled Security group) on, User Mailbox + using the AutoMap option

One of the main differences between assigning a mailbox permission to a security group vs. assigning permission to a specific user is that the AutoMap feature will not be implemented for each of the security group members, because the permission assignment is implemented by referencing the “Group object” and not the security group members.

To make the scenario a little more complicated, we will add an additional demand: we would like to “activate” the AutoMap feature for each of the members of the security group.

To accomplish this task, we will use a little trick: instead of assigning permission directly to the security group, we first extract a list of the group members (a list of the names of each of the group members), and then we use the PowerShell ForEach statement to provide the required mailbox permissions to each of the group members.

PowerShell command syntax:

$Members = Get-DistributionGroupMember -id <Identity>
ForEach ($Member in $Members) {
    Add-MailboxPermission <Identity> -user $Member.name -AccessRights FullAccess -InheritanceType All -AutoMapping $True
}

PowerShell command example:

$Members = Get-DistributionGroupMember -id "NY-HelpDesk"
ForEach ($Member in $Members) {
    Add-MailboxPermission "John" -user $Member.name -AccessRights FullAccess -InheritanceType All -AutoMapping $True
}

Scenario 5. Assigning permissions to a Distribution group on a users mailbox

By default, we cannot assign a permission to a distribution group because a distribution group is not a “security object”. The Distribution group serves for “gathering” recipients for the purpose of sending mail to a group of recipients.

In case that we will try to assign a Full Access mailbox permission to a Distribution group, the PowerShell console will display the following error:

“User or group “” wasn’t found. Please make sure you’ve typed it correctly.”

The PowerShell console error is not clear because the message says that the specific group doesn’t exist. This message is not quite correct because the group exists, but because the group is a Distribution group, there is no option for assigning a mailbox permission to the group.

So now the obvious question could be: “why do I use the title of “Assigning mailbox permissions to a Distribution group on a user’s mailbox” for this section?”

The answer is that we can use a little trick or workaround to accomplish this task.

The trick is to first use a PowerShell command that extracts each of the Distribution group members and, in the next step, to assign the required mailbox permission to each of the group members separately.
The assignment of the mailbox permission to each of the group members is implemented by using the PowerShell ForEach statement.

In the first part, we define a variable named $Members that serves as a “container” (an array) that contains all the members (users) of the distribution group “NY-HelpDesk”.

The content of the $Members variable is populated by using the PowerShell cmdlet Get-DistributionGroupMember.

The next section is based on the ForEach statement. In the parentheses of the ForEach statement, we tell ForEach to “do something” for each item that is included in the $Members array.

We use an additional variable named $Member that represents a single entity (a specific user) each time we run the mailbox permission command. The name of the variable is just a name that I have chosen. We can choose any name that we like.

The section that is enclosed in curly brackets includes the PowerShell command that we want to execute. In our example, we use Add-MailboxPermission.

Pay attention that, compared with the standard syntax of the Add-MailboxPermission command, instead of specifying the user name that will get Full Access mailbox permissions to John’s mailbox, we use the $Member variable with the property name ($Member.name).

The reason is that, when using the ForEach option, the Add-MailboxPermission command runs over and over, once for each of the group members, until the last member in the list.

In the last part, we use the -AutoMapping option with the value of $True because we want to enable AutoMapping for each of the group members.

PowerShell command syntax:

$Members = Get-DistributionGroupMember -id <Identity>
ForEach ($Member in $Members) {
    Add-MailboxPermission <Identity> -user $Member.name -AccessRights FullAccess -InheritanceType All -AutoMapping $True 
}

PowerShell command example:

$Members = Get-DistributionGroupMember -id "NY-HelpDesk"
ForEach ($Member in $Members) {
    Add-MailboxPermission "John" -user $Member.name -AccessRights FullAccess -InheritanceType All -AutoMapping $True 
}
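
Because the ForEach trick in Scenario 4.3 and Scenario 5 copies the group membership into per-user grants at the moment it runs, a user who later leaves NY-HelpDesk keeps Full Access to John’s mailbox. The following added example (not code from the original article) reports such leftover grants and previews their removal. It assumes a connected Exchange Online PowerShell session, and the function name Find-StaleFullAccess is hypothetical.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# Find-StaleFullAccess is a hypothetical helper name.
function Find-StaleFullAccess {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,  # mailbox the grants were made on
        [Parameter(Mandatory)] [string] $Group     # group whose members were expanded
    )

    # Current members, keyed by GUID so that renamed users still match.
    $memberGuids = @(
        Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
            ForEach-Object { "$($_.Guid)" }
    )

    # Explicit per-trustee FullAccess entries on the mailbox.
    $grants = Get-MailboxPermission -Identity $Mailbox | Where-Object {
        ($_.AccessRights -like '*FullAccess*') -and
        (-not $_.IsInherited) -and
        (-not $_.Deny) -and
        ($_.User -notlike 'NT AUTHORITY\*')
    }

    foreach ($grant in $grants) {
        $trustee = Get-Recipient -Identity "$($grant.User)" -ErrorAction SilentlyContinue

        if (-not $trustee) {
            [pscustomobject]@{
                Mailbox = $Mailbox
                Trustee = "$($grant.User)"
                Finding = 'Trustee no longer resolves'
            }
        }
        elseif ($memberGuids -notcontains "$($trustee.Guid)") {
            [pscustomobject]@{
                Mailbox = $Mailbox
                Trustee = "$($trustee.PrimarySmtpAddress)"
                Finding = "Not a current member of $Group"
            }
        }
    }
}

$stale = @(Find-StaleFullAccess -Mailbox 'John' -Group 'NY-HelpDesk')
$stale | Format-Table -AutoSize

# A reported trustee may hold a legitimate direct grant that never came from
# the group, so review the list first. -WhatIf only prints what would be
# removed; drop it once the list has been approved.
foreach ($item in ($stale | Where-Object { $_.Finding -like 'Not a current member*' })) {
    Remove-MailboxPermission -Identity $item.Mailbox -User $item.Trustee `
        -AccessRights FullAccess -InheritanceType All -WhatIf
}
```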

Scenario 6. Assigning permission to a Distribution group on a Filtered list of mailboxes

In this example, we want to provide Full Access mailbox permission to the members of a Distribution group for all the existing mailboxes.

Because we cannot assign Full Access mailbox permission directly to a Distribution group, we will use two nested “ForEach” loops.

  1. Referencing the group members – to reference each of the group members, we create a variable named $Members that serves as a “container” (an array) that contains all the members (users) of the group “NY-HelpDesk”.
  2. Referencing the Exchange Online mailboxes – to reference all the user mailboxes, we create an additional variable named $Mailboxes that serves as a “container” for all the users’ mailboxes.
  3. The next section contains a combination of two ForEach statements. The first ForEach section runs the command separately for each of the mailboxes.
  4. The next ForEach section (the nested ForEach) runs the command for each of the group members.
  5. The user who shares his mailbox (provides Full Access permission to his mailbox) is represented by the variable $Mailbox.name
  6. The user who will have access to the user mailbox is represented by the variable $Member.name

PowerShell command syntax:

$Members = Get-DistributionGroupMember -id <Identity>
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox 
ForEach ($mailbox in $Mailboxes) {
    ForEach ($member in $Members) {
        Add-MailboxPermission $mailbox.name -AccessRights FullAccess -user $Member.name 
    }
}

PowerShell command example:

$Members = Get-DistributionGroupMember -id "NY-HelpDesk"
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox 
ForEach ($mailbox in $Mailboxes) {
    ForEach ($member in $Members) {
        Add-MailboxPermission $mailbox.name -AccessRights FullAccess -user $Member.name 
    }
}

Scenario 7. Assigning permission to a user on list of users from a File

In this section, we relate to a scenario in which we want to provide permission to a user on a collection of other users (recipients). The difference from the previous scenarios is that the “collection” of users is located in a file.

General concepts when working with the file

Until now, we created the list of users or mailboxes by using the Get PowerShell cmdlets. We can describe this method as “dynamic” because the list is created by a query (a command such as Get-Mailbox), and the output is stored in the computer’s memory. The alternative is to store the information in a file.

We can describe this method as “static” because the file content includes static information. An advantage of using a file as a source of information is that, when the information is stored in a file, we can use an application such as Excel to edit the data easily.

Most of the time, the best practice is to use a file format named: CSV (comma-separated value).

Technically, the content of a CSV file is based on a simple text format, but the difference is that the CSV format enables us to mimic or simulate the structure of a data table that includes a column, column headers, and a row.

In the following section, we will review some examples for using a file as a “source of information” for providing mailbox permissions.

Scenario 7.1 – Assign Full Access permissions to list (from a file) on a user’s mailbox

In the following scenario, we would like to provide a list of users Full Access mailbox permission to John’s mailbox. The difference from the previous scenarios is that the user list is contained in a file that we have prepared in advance.

In the next screenshot, we can see an example of the file structure. As you can see, the structure is very simple. We need to use a CSV file because the CSV format enables us to “mimic” a table structure by using a simple text file.

The “table” that we use includes a column header named Users. The name “Users” is just an example. You can choose any other name that suits your needs (avoid selecting a header name that includes spaces).

To import the list content from the CSV file, we use the PowerShell cmdlet Import-Csv and provide the path and the file name. In our example, the file name is User.csv and the file location is C:\Temp

After the “import” step, we use the PowerShell ForEach cmdlet to assign the required permission to each of the users separately.

We can think of the user list from the CSV file as an array. To enable PowerShell to relate to each of the users (each member or item in the array), we use the $_ variable. The $_ variable contains the current pipeline object and is used in script blocks, filters, and the Where statement.

In our example, the column header for the user’s column is named “users” (you can choose any other name that suits your needs).

If you look at the PowerShell command syntax, you will notice that instead of using a specific user name, we use $_.users

The meaning is that the ForEach cmdlet looks at the table column named “users” and runs the mailbox permission command for each of the users who appears in that column.

The $_.users expression serves as a “placeholder” for the user name, which is replaced each time with a different user name until the end of the list.

PowerShell command example:

Import-Csv "C:\Temp\User.csv" | ForEach { Add-MailboxPermission "John" -User $_.users -AccessRights FullAccess -InheritanceType all }

Scenario 7.2 – Assign Full Access permissions to a user on a user’s list (from a file)

In this scenario, we want to provide a user (John in our example) Full Access mailbox permission to a list of users’ mailboxes. The list of user names is saved in a file.

PowerShell command example:

$Mailboxes = Import-Csv "C:\Temp\User.csv"
ForEach ($Mailbox in $Mailboxes) {
    Add-MailboxPermission $Mailbox.users -User "John" -AccessRights FullAccess -InheritanceType All
}

Using a TXT file

This scenario is identical to the previous scenario (scenario 7.2). The difference is that, in this scenario, we will import the required information from a TXT file instead of a CSV file.

In the following screenshot, we can see an example of the content\structure of the TXT file.

The PowerShell syntax that we use is a little bit different. When we want to read data from a TXT file, we use the PowerShell cmdlet Get-Content.

PowerShell command example:

Get-Content "C:\Temp\User.txt" | ForEach { Add-MailboxPermission "Alice" -User $_ -AccessRights FullAccess -InheritanceType all }

Scenario 7.3 – Assigning mailbox permissions to a list of users on a list of another user list (from a file)

In the next example, we use a more advanced option. The CSV file includes two columns.

The first column (named List1) includes the users to whom we want to provide Full Access permissions on the mailboxes of the users who are listed in the second column (List2).

For example, the user Jeff will get Full Access permission to John’s mailbox.

PowerShell command example:

Import-Csv "C:\Temp\User.csv" | ForEach { Add-MailboxPermission $_.List1 -User $_.List2 -AccessRights FullAccess -InheritanceType all }
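
An added example (not code from the original article) for the file-based scenarios above: it checks that every CSV row resolves to exactly one mailbox and exactly one trustee before anything is granted, and then only previews the grants with -WhatIf. It assumes a connected Exchange Online PowerShell session. The column names Mailbox and Trustee, the file name, and the function name Resolve-Single are assumptions, chosen so that the direction of each grant is explicit in the file; the sample rows are constructed.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# Constructed sample input. "Mailbox" is the mailbox being opened and
# "Trustee" is the user who receives Full Access (assumed column names).
$csvPath = Join-Path $env:TEMP 'FullAccess-requests.csv'
@'
Mailbox,Trustee
John,Jeff
John,Alice
'@ | Set-Content -Path $csvPath -Encoding UTF8

# Returns the recipient only when the identity resolves to exactly one
# object; a typo or an ambiguous name returns $null instead.
# Resolve-Single is a hypothetical helper name.
function Resolve-Single {
    param(
        [string] $Identity,
        [switch] $MailboxOnly
    )

    if ([string]::IsNullOrWhiteSpace($Identity)) { return $null }
    $id = $Identity.Trim()

    $hits = @(
        if ($MailboxOnly) {
            Get-Mailbox -Identity $id -ErrorAction SilentlyContinue
        }
        else {
            Get-Recipient -Identity $id -ErrorAction SilentlyContinue
        }
    )

    if ($hits.Count -eq 1) { return $hits[0] }
    return $null
}

# Build the full plan first, so a bad row is found before the first grant.
$plan = foreach ($row in Import-Csv -Path $csvPath) {
    $mailbox = Resolve-Single -Identity $row.Mailbox -MailboxOnly
    $trustee = Resolve-Single -Identity $row.Trustee

    $problem = $null
    if (-not $mailbox) {
        $problem = 'Mailbox not found or ambiguous'
    } elseif (-not $trustee) {
        $problem = 'Trustee not found or ambiguous'
    }

    # Use the resolved SMTP address where available, so the grant is made
    # on the object that was checked and not on a free-text name.
    $mailboxId = $row.Mailbox
    if ($mailbox) { $mailboxId = "$($mailbox.PrimarySmtpAddress)" }
    $trusteeId = $row.Trustee
    if ($trustee) { $trusteeId = "$($trustee.PrimarySmtpAddress)" }

    [pscustomobject]@{
        Mailbox = $mailboxId
        Trustee = $trusteeId
        Problem = $problem
    }
}

$plan | Format-Table -AutoSize

$rejected = @($plan | Where-Object { $_.Problem })
if ($rejected.Count -gt 0) {
    Write-Warning "$($rejected.Count) row(s) did not resolve cleanly; nothing was granted."
}
else {
    foreach ($item in $plan) {
        # -WhatIf only prints what would change. Remove it after the plan
        # above has been reviewed.
        Add-MailboxPermission -Identity $item.Mailbox -User $item.Trustee `
            -AccessRights FullAccess -InheritanceType All -AutoMapping $False -WhatIf
    }
}
```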

Scenario 8. Assigning Full Access mailbox permissions to a Filtered list Members on a user mailbox

In the following scenario, we want to provide mailbox permission to a filtered list of users on a single user mailbox (a many-to-one relationship).

For example, we want to provide Full Access mailbox permission on John’s mailbox to all the users whose title is manager.

  1. To get a list of users whose title is manager, we need to use the PowerShell cmdlet Get-User. As mentioned before, the Title property is a User object property and not a mailbox property (a mailbox cannot be a manager, but a user can be a manager).
  2. In the first part of the PowerShell script, we create a variable named $Members that stores the list of the users whose Title is manager.
  3. We use the Filter parameter to get a filtered list that contains only the users who meet the condition Title = manager.
  4. In the next section, we use the ForEach statement, which enables us to loop through each item in a collection (all the users whose Title is manager) and perform an action on it.
  5. In the last part, we assign the Full Access mailbox permission on the user’s mailbox (John in our example) to each of the members. To reference each of the managers, we use a variable named $Member and add the name property ($Member.name).

PowerShell command syntax:

$Members = Get-User -ResultSize unlimited -Filter { (RecipientType -eq 'UserMailbox') -and (Title -like '*<Title>*') }
ForEach ($Member in $Members) {
    Add-MailboxPermission <Identity> -AccessRights FullAccess -user $Member.name -InheritanceType all
}

PowerShell command example:

$Members = Get-User -ResultSize unlimited -Filter { (RecipientType -eq 'UserMailbox') -and (Title -like '*manager*') }
ForEach ($Member in $Members) {
    Add-MailboxPermission "John" -AccessRights FullAccess -user $Member.name -InheritanceType all
}

Scenario 9. Assigning Full Access mailbox permissions to a Security group (Mail Enabled Security group) on other Group member’s

Technically, we cannot assign a permission to a Security group directly on another group (Security or Distribution group).

In the following scenario, we use the trick of extracting the members of the group (a Security group or a Distribution group) as individual users and then assigning the Security group the required permission on the mailbox of each individual group member.

In our example, we assign a Full Access permission to a Security group named SEC-01 on the mailbox of each of the members of a Distribution group named DL-01.

  1. In the first part of the PowerShell script, we create a variable named $Members that stores the members of the destination group. The PowerShell cmdlet Get-DistributionGroupMember returns the members of a Distribution group and also of a Mail-enabled security group.
  2. In the next section, we use the ForEach statement, which enables us to loop through each item in a collection (all the members of the DL-01 Distribution group) and perform an action on it.
  3. In the last part, we assign the Full Access mailbox permission to the mail-enabled Security group named SEC-01. To reference each of the members of the DL-01 Distribution group separately, we use a variable named $Member and add the name property to get the name of the mailbox (the identity of each user).

PowerShell command syntax:

$Members = Get-DistributionGroupMember -id "<Identity>"
ForEach ($Member in $Members) {
    Add-MailboxPermission $Member.name -AccessRights FullAccess -user "<Identity>" -InheritanceType all
}

PowerShell command example:

$Members = Get-DistributionGroupMember -id "DL-01"
ForEach ($Member in $Members) {
    Add-MailboxPermission $Member.name -AccessRights FullAccess -user "SEC-01" -InheritanceType all
}

Scenario 10. Assigning Full Access mailbox permissions to a Group on other Group member’s Mailboxes and vice versa

The following scenario looks a bit confusing. However, fear not! The business need: we have two Distribution groups, a managers Distribution group and an assistants Distribution group. Each of the managers needs Full Access mailbox permissions on each of the assistant mailboxes and vice versa: each of the assistants needs Full Access mailbox permissions on each of the managers’ mailboxes.

  • The manager’s group name is: Manager-DL
  • The assistant’s group name is: Assistant-DL

PowerShell command example:

$GroupA = Get-DistributionGroupMember -Identity "Manager-DL"
$GroupB = Get-DistributionGroupMember -Identity "Assistant-DL"

# Iterate over the Members of each group
# Give each member of groupA full mailbox permissions to all Members of groupB
ForEach ($MemberA in $GroupA) {
    ForEach ($MemberB in $GroupB) {
        Add-MailboxPermission -Identity $MemberB.Identity -User $memberA.Identity -AccessRights FullAccess -AutoMapping:$False -InheritanceType All
        Add-MailboxPermission -Identity $memberA.Identity -User $memberB.Identity -AccessRights FullAccess -AutoMapping:$False -InheritanceType All
    }
}

That’s it!

In the next article, we will look into Full Access Mailbox permission – Everything You Always Wanted to Know About But Were Afraid to Ask part 3/3.

The o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
