Manage Mailbox Permissions by using PowerShell | Office 365
In the current article, we will review how to use the PowerShell commands for managing full access mailbox permissions in an Exchange Online environment.
Table of contents
- Connect to Exchange Online PowerShell
- Mailbox permissions
- 1. Assign Mailbox Permissions
- 1.1 – Assign “Full Access” permissions for a Mailbox
- 1.2 – Assign “Send As” Permissions for a Mailbox
- 1.3 – Assign “Send As” Permissions for ALL Mailboxes (BulkMode)
- 1.4 – Assign “Send As” Permissions for recipient for each member in a distribution group
- 1.5 – Assign “Send As” Permissions for each member in a distribution group for a specific recipient
- 1.6 – Assign “Send on Behalf” Permissions for a Mailbox
- 1.7 – Assign “Full Access” permissions for all Mailboxes (BulkMode)
- 2. Assign Full Access Permissions and AutoMap
- 3. Display permissions for a Mailbox
- 3.1 – Display “Full Access” Permissions for a Mailbox
- 3.2 – Display “Send As” permission for a Mailbox
- 3.3 – Display “Send On Behalf” Permissions for Mailbox
- 3.4 – View all “Send As permissions” you’ve configured in your organization
- 3.5 – Display a list of recipients that have FULL ACCESS permission on other recipients
- 4. Revoke Permissions
Connect to Exchange Online PowerShell
To be able to run the PowerShell commands specified in the current article, you will need to Connect to Exchange Online PowerShell.
Start Windows PowerShell as administrator and run the cmdlet Connect-ExchangeOnline.
Connect-ExchangeOnline
Mailbox permissions
Mailbox permissions fall into two categories:
- Full Access permissions: enable another recipient to see all of the mailbox content.
- Permission to send email using another recipient's name (“Send As” and “Send on Behalf”).
Some mailbox permissions can be assigned by the user himself (by using the Outlook or OWA interface), while the permissions to send email using another recipient's name can only be allocated by using the PowerShell interface.
The considerable advantage of using PowerShell for managing mailbox permissions is that the administrator can remotely create the required settings for the user (assisting users and preventing misconfigurations) and can use the power of PowerShell to execute commands in Bulk Mode (apply configuration settings to more than one mailbox).
Mailbox permissions PowerShell commands basic structure
The basic structure of the PowerShell mailbox permissions command is written by using the following syntax:
In our example, we want to enable Alice to get Full Access permission to her manager's mailbox. The -Identity parameter relates to the user who wants to “share” his mailbox (provide other users the option to access the content of his mailbox), and the -User parameter represents the user who will get access to the mailbox.
1. Assign Mailbox Permissions
1.1 – Assign “Full Access” permissions for a Mailbox
PowerShell command syntax:
Add-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess -InheritanceType All
PowerShell command example:
Add-MailboxPermission John -User Suzan -AccessRights FullAccess -InheritanceType All
1.2 – Assign “Send As” Permissions for a Mailbox
PowerShell command syntax:
Add-RecipientPermission <Identity> -AccessRights SendAs -Trustee <Identity>
PowerShell command example:
Add-RecipientPermission John -AccessRights SendAs -Trustee Suzan
To avoid the need for confirmation, we can add the option: “-Confirm:$False”.
Add-RecipientPermission John -Trustee Suzan -AccessRights SendAs -Confirm:$False
1.3 – Assign “Send As” Permissions for ALL Mailboxes (BulkMode)
PowerShell command syntax:
$MBXS = Get-Recipient -RecipientType UserMailbox
ForEach ($MBX in $MBXS) {
Add-RecipientPermission $MBX.name -AccessRights SendAs -Trustee <User Principal Name> -Confirm:$False
}
Get-RecipientPermission | Where { ($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid') }
PowerShell command example:
$MBXS = Get-Recipient -RecipientType UserMailbox
ForEach ($MBX in $MBXS) {
Add-RecipientPermission $MBX.name -AccessRights SendAs -Trustee John@o365info.com -Confirm:$False
}
Get-RecipientPermission | Where { ($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid') }
1.4 – Assign “Send As” Permissions for recipient for each member in a distribution group
PowerShell command syntax:
$DL = Get-DistributionGroupMember <Distribution Group>
Foreach ($item in $DL) {
Add-RecipientPermission $item.name -AccessRights SendAs -Trustee <Identity> -Confirm:$False
}
PowerShell command example:
$DL = Get-DistributionGroupMember DL-01
Foreach ($item in $DL) {
Add-RecipientPermission $item.name -AccessRights SendAs -Trustee Suzan -Confirm:$False
}
1.5 – Assign “Send As” Permissions for each member in a distribution group for a specific recipient
PowerShell command syntax:
$DL = Get-DistributionGroupMember <Distribution Group>
Foreach ($item in $DL) {
Add-RecipientPermission <Identity> -AccessRights SendAs -Trustee $item.name -Confirm:$False
}
PowerShell command example:
$DL = Get-DistributionGroupMember DL-01
Foreach ($item in $DL) {
Add-RecipientPermission Suzan -AccessRights SendAs -Trustee $item.name -Confirm:$False
}
1.6 – Assign “Send on Behalf” Permissions for a Mailbox
PowerShell command syntax:
Set-Mailbox <Identity> -GrantSendOnBehalfTo <Identity>
PowerShell command example:
Set-Mailbox -Identity John -GrantSendOnBehalfTo Suzan
1.7 – Assign “Full Access” permissions for all Mailboxes (BulkMode)
PowerShell command syntax:
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType All
PowerShell command example:
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User John -AccessRights FullAccess -InheritanceType All
2. Assign Full Access Permissions and AutoMap
2.1 – Assign “Full Access” permissions to Distribution Group + AutoMap
PowerShell command syntax:
$DL = Get-DistributionGroupMember <Distribution Group> | Select-Object -ExpandProperty Name
ForEach ($Member in $DL ) {
Add-MailboxPermission -Identity <Identity> -User $Member -AccessRights FullAccess -InheritanceType All
}
PowerShell command example:
$DL = Get-DistributionGroupMember "Assistants Group" | Select-Object -ExpandProperty Name
ForEach ($Member in $DL ) {
Add-MailboxPermission -Identity "FL1 Room1" -User $Member -AccessRights FullAccess -InheritanceType All
}
2.2 – Assign “Full Access” permissions for all Mailboxes (BulkMode) and Disable AutoMap
PowerShell command syntax:
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType All -AutoMapping $False
PowerShell command example:
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User John -AccessRights FullAccess -InheritanceType All -AutoMapping $False
2.3 – Assign “Full Access” permissions for Specific User and Disable AutoMap
PowerShell command syntax:
Add-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess -InheritanceType All -AutoMapping $False
PowerShell command example:
Add-MailboxPermission John -User Suzan -AccessRights FullAccess -InheritanceType All -AutoMapping $False
3. Display permissions for a Mailbox
3.1 – Display “Full Access” Permissions for a Mailbox
PowerShell command syntax:
Get-MailboxPermission <Identity>
PowerShell command example:
Get-MailboxPermission John
To improve the quality of the output, we can use an additional PowerShell parameter that will “clean” the unnecessary information:
Get-MailboxPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity, User, AccessRights
3.2 – Display “Send As” permission for a Mailbox
PowerShell command syntax:
Get-RecipientPermission <Identity>
PowerShell command example:
Get-RecipientPermission John
To improve the quality of the output, we can use an additional PowerShell parameter that will “clean” the unnecessary information:
Get-RecipientPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.Trustee -like "NT AUTHORITY\SELF") } | Select Trustee, AccessControlType, AccessRights
3.3 – Display “Send On Behalf” Permissions for Mailbox
PowerShell command syntax:
Get-Mailbox <Identity>
PowerShell command example:
Get-Mailbox John
To improve the quality of the output, we can use an additional PowerShell parameter that will “clean” the unnecessary information:
Get-Mailbox John | Select Name, GrantSendOnBehalfTo
3.4 – View all “Send As permissions” you’ve configured in your organization
PowerShell command syntax:
Get-RecipientPermission | where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid')} | select Identity,Trustee,AccessRights
3.5 – Display a list of recipients that have FULL ACCESS permission on other recipients
PowerShell command syntax:
$a = Get-Mailbox
$a | Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } | Select Identity, User, AccessRights
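The display commands in section 3 can be combined into one delegation audit. The following is an added example, not part of the original article: it collects Full Access, Send As and Send on Behalf grants into uniform rows and lists delegates that hold the same right on many mailboxes, which is what the bulk-mode grants in 1.3 and 1.7 produce. The function name Get-DelegationReport, the threshold value and the CSV file name are assumptions.

```powershell
# Added example: Get-DelegationReport and its threshold are hypothetical names/values.
# Requires an existing Connect-ExchangeOnline session.
function Get-DelegationReport {
    param([int] $BroadAccessThreshold = 10)

    $rows = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $id = $mbx.UserPrincipalName

        # Full Access: explicit (non-inherited) entries, excluding the owner (SELF)
        Get-MailboxPermission -Identity $id |
            Where-Object { -not $_.IsInherited -and
                           $_.User -notlike 'NT AUTHORITY\SELF' -and
                           $_.AccessRights -match 'FullAccess' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $id; Delegate = "$($_.User)"; Right = 'FullAccess' } }

        # Send As: stored as a recipient permission, excluding the owner (SELF)
        Get-RecipientPermission -Identity $id |
            Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' -and
                           $_.AccessRights -match 'SendAs' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $id; Delegate = "$($_.Trustee)"; Right = 'SendAs' } }

        # Send on Behalf: stored on the mailbox object itself
        foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox = $id; Delegate = "$delegate"; Right = 'SendOnBehalf' }
        }
    }

    # Delegates that hold the same right on many mailboxes
    $broad = $rows | Group-Object Delegate, Right |
        Where-Object Count -ge $BroadAccessThreshold |
        Select-Object Count, Name

    [pscustomobject]@{ Rows = $rows; BroadDelegates = $broad }
}

$report = Get-DelegationReport -BroadAccessThreshold 10
$report.Rows | Export-Csv .\mailbox-delegation.csv -NoTypeInformation
$report.BroadDelegates | Sort-Object Count -Descending | Format-Table -AutoSize
```

Comparing the exported CSV between runs shows which delegations were added or removed since the last review.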
4. Revoke Permissions
4.1 – Revoke “Full Access” Permissions
PowerShell command syntax:
Remove-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess
PowerShell command example:
Remove-MailboxPermission John -User Suzan -AccessRights FullAccess
To avoid the need for confirmation, we can add the option: “-Confirm:$False”.
Remove-MailboxPermission John -User Suzan -AccessRights FullAccess -Confirm:$False
4.2 – Revoke “Send As” Permissions
PowerShell command syntax:
Remove-RecipientPermission <Identity> -AccessRights SendAs -Trustee <Identity>
PowerShell command example:
Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan
To avoid the need for confirmation, we can add the option: “-Confirm:$False”.
Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan -Confirm:$False
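The revoke commands above work on one mailbox at a time. The following added example, which is not part of the original article, reverses bulk grants such as those in 1.3 and 1.7 by removing one delegate's Send As and Full Access rights from every mailbox, with a dry run first. The function name Revoke-DelegateAccess is an assumption; the trustee is the sample user from section 1.3.

```powershell
# Added example: Revoke-DelegateAccess is a hypothetical helper name.
# Requires an existing Connect-ExchangeOnline session.
function Revoke-DelegateAccess {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $Trustee   # UPN of the delegate to remove
    )

    # Send As: Get-RecipientPermission can filter on the trustee directly
    $sendAs = Get-RecipientPermission -Trustee $Trustee -ResultSize Unlimited |
        Where-Object { $_.AccessRights -match 'SendAs' }
    foreach ($perm in $sendAs) {
        if ($PSCmdlet.ShouldProcess($perm.Identity, "Remove SendAs for $Trustee")) {
            Remove-RecipientPermission $perm.Identity -Trustee $Trustee `
                -AccessRights SendAs -Confirm:$false
        }
    }

    # Full Access: check each mailbox for an explicit entry held by the trustee
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $id = $mbx.UserPrincipalName
        $fullAccess = Get-MailboxPermission -Identity $id -User $Trustee |
            Where-Object { -not $_.IsInherited -and $_.AccessRights -match 'FullAccess' }
        if ($fullAccess -and
            $PSCmdlet.ShouldProcess($id, "Remove FullAccess for $Trustee")) {
            Remove-MailboxPermission -Identity $id -User $Trustee `
                -AccessRights FullAccess -Confirm:$false
        }
    }
}

# Dry run: lists every removal that would happen without changing anything.
Revoke-DelegateAccess -Trustee 'John@o365info.com' -WhatIf
```

Running the function without -WhatIf prompts before each removal, because ConfirmImpact is set to High.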
Great article.
However.
Original from the article:
$DL = Get-DistributionGroupMember “Assistants Group” | Select-Object -ExpandProperty Name
ForEach ($Member in $DL )
{
Add-MailboxPermission -Identity “FL1 Room1” -User $S -AccessRights FullAccess -InheritanceType All
}
Should it be? ($S will be replaced with $Member)
$DL = Get-DistributionGroupMember “Assistants Group” | Select-Object -ExpandProperty Name
ForEach ($Member in $DL )
{
Add-MailboxPermission -Identity “FL1 Room1” -User $Member -AccessRights FullAccess -InheritanceType All
}
Any idea why the accessrights switch is a multivalued property but only accepts sendas? The idea that sendas,sendonbehalf,fullaccess are stored in different areas is maddening.
I’m having an issue setting the Clutter setting on a new mailbox, sometimes it can take over an hour before it will let me set the setting?
Awesome Blogs and PS cmdlets with explanation
Thanks for useful info…
Keep it up!!
Hi,
Consider scenario where we have 2 users with same name “Simon Walker”, UPN: Simon1@Contoso.com, Simon2@Contoso.com” in an organization, both have permission “Full Access” on Sales mailbox. Now we want to remove permission for Simon2@Contoso.com.
The Get-MailboxPermission will return DisplayName of user who has permission not DistinguishedName as in Exchange 2013 on-premises server that can be used to remove user easily as one do not have to remember UPN.
How to get UPN or DistinguishedName of user who has permission on a particular Mailbox using Get-MailboxPermission?
Regards,
Usman
Wanted to say thanks so much for this… I am not the best with PowerShell yet, and this helps a lot. Is there a way you can edit to add a user to a distribution list / group, i.e. what list would you like this user added to? Scans, users? Joe.
How to give permission to 2 or 3 users for read-only access to a single mailbox? I want to know what command I can use for the same.
Thanks for all that, but I want to give read-only permission to two users at one time on a single mailbox, meaning I use one PowerShell command.
Hi, Many thanks for the article, very helpful. I have one question. In my company we are using GMB (Generic Mailbox) for information exchange. People have Full Access to it, also they should have Send on Behalf Of access. To simplify access, I have created a Distribution List (DL), and included this DL as a “Full Access” member of the GMB (with this everything is fine). I have tried to include the DL into GMB Send on Behalf Of, but it didn’t find my DL via EMC. I have tried to do it via EMS, but my attempt failed. My command: Set-Mailbox -Identity “Name of GMB” -GrantSendOnBehalfTo “Name of DL” Could you please advise on this issue? What should I do? Thank you
Hello Irop,
The answer is that you should configure the Group (the DL) as a security group. In an Exchange Online environment, you can create the security group from the Exchange Online Web management. The security group is configured automatically as a mail-enabled group and, from the user's point of view, serves as a “standard distribution group”. The difference between a mail-enabled security group and a standard distribution group is that you cannot assign permissions to a distribution group. In case you try to assign Send As permission to a standard distribution group (using PowerShell), you will get an error such as: “User or group “DL NAME” wasn’t found. Please make sure you’ve typed it correctly.”
How can I get an email address (kind of UserPrincipalName) instead of User ?
I use the cmdlet get-mail $_.user | select UserPrincipalName in a foreach but it is very very so long. Any other idea ?
Thank you so much.
congratulations and thanks for this very useful site.
How to remove send on behalf permission using the script???
Hi, in lieu of public folders being rolled out in o365, we are using a user’s mailbox as the storage area for our numerous sub-folders. We have granted the permissions using Outlook, but are experiencing problems with this – folders are not always visible even though the permissions haven’t changed (new folders/sub-folders being created and inheriting the properties of the one above). It has been suggested in the o365 community that I set the permissions using PowerShell. Are you able to assist me with the relevant commands please? I do not want to grant open access to this user’s Inbox, just to the sub-folders of that Inbox where our shared emails are stored.
Many thanks.
Useful collection of PS cmds. Thanks O365info!