Manage Mailbox Permissions by using PowerShell | Office 3657 min read
Mailbox permission includes two categories:
- Full Access Permissions- Enable another recipient to see all of the mailbox content.
- Permission to send email using another recipient name (“Send As” and “Send on Behalf” ).
Some of the Mailbox permission can be assigned by the user himself (by using the Outlook or OWA interface) and the permissions to send email, using another recipient name, could only be allocated by using the PowerShell interface.
The considerable advantage of using PowerShell for managing Mailbox Permissions is that the administrator can remotely create the required setting for the user (assist users and prevent miss configurations) and using the power of the PowerShell, to execute commands in Bulk Mode (execute configuration settings for more than one Mailbox).
Article Table of content | Click to Expand
PowerShell | Help & additional information
In case that you are a novice in the PowerShell environment, you can use the following link to get more information about the “first steps” such as: downloading the required PowerShell
software components, how to use the PowerShell console, running a PowerShell script, etc.
| Link Table |
| PowerShell Naming Conventions & general information
If you want to get more information about the Naming Conventions that we use for this article and get some general tips about: how to work with the PowerShell, read the article: Help and additional information – o365info.com PowerShell articles |
| Create remote PowerShell session
Before we can use the required PowerShell commands, we need to download and install the Office 365 cmdlets + create remote PowerShell session to Office 365 or Exchange Online. If you need more information about how to create a remote PowerShell session read the following articles: Part 2: Connect to Office 365 by using Remote PowerShell and Part 3: Connect to Exchange Online by using Remote PowerShell |
| How to use a PowerShell script
Most of the PowerShell articles include a PowerShell script that simplifies the use of the PowerShell commands. If you want to get more information about: How to use a PowerShell script, read the article: Connect to Office 365 and Exchange Online using a script |
| PowerShell command and Script languish in more details
If you are new to the PowerShell world, you can read more information about PowerShell in Office 365 environment in the article: The Power of PowerShell |
Mailbox permissions PowerShell commands basic structure
The basic structure of the PowerShell mailbox permissions command, is written by using the following syntax:
In our example, we want to enable Alice to get Full Access permission to hear manager mailbox. The -Identity parameter, relates to the user who wants to “share” his mailbox (provide other users the option to access the content of his mailbox) and the –User parameter, represent the user who will get the access to the mailbox.
1. Assign Mailbox Permissions
1.1 – Assign “Full Access” permissions for a Mailbox
PowerShell command Syntax
|
1 |
Add-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess -InheritanceType All |
PowerShell command Example
|
1 |
Add-MailboxPermission John -User Suzan -AccessRights FullAccess -InheritanceType All |
Assign “Send As” Permissions for a Mailbox
1.2 – Assign “Send As” Permissions for a Mailbox
PowerShell command Syntax
|
1 |
Add-RecipientPermission <Identity> -AccessRights SendAs -Trustee <Identity> |
PowerShell command Example
|
1 |
Add-RecipientPermission John -AccessRights SendAs -Trustee Suzan |
Adjustments & Improvements
To avoid the need for confirmation, we can add the option: “-Confirm:$False”
|
1 |
Add-RecipientPermission John -Trustee Suzan -AccessRights SendAs -Confirm:$False |
1.3 – Assign “Send As” Permissions for a ALL Mailbox’s (BulkMode)
PowerShell command Syntax
|
1 2 3 4 5 |
$MBXS = Get-Recipient -RecipientType UsermMilbox ForEach ($MBX in $MBXS) { Add-RecipientPermission $MBX.name -AccessRights SendAs –Trustee <User Principal Name> -Confirm:$False } Get-RecipientPermission | Where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid')} } |
PowerShell command Example
|
1 2 3 4 5 |
$MBXS = Get-Recipient -RecipientType UsermMilbox ForEach ($MBX in $MBXS) { Add-RecipientPermission $MBX.name -AccessRights SendAs –Trustee John@o365info.com -Confirm:$False } Get-RecipientPermission | Where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid')} } |
1.4 – Assign “Send As” Permissions for recipient for each member in a distribution group
PowerShell command Syntax
|
1 2 3 4 5 6 |
$DL = Get-DistributionGroupMember Foreach ($item in $DL) { Add-RecipientPermission $item.name -AccessRights SendAs –Trustee <Identity> -Confirm:$False } |
PowerShell command Example
|
1 2 3 4 5 |
$DL = Get-DistributionGroupMember DL-01 Foreach ($item in $DL) { Add-RecipientPermission $item.name -AccessRights SendAs –Trustee Suzan -Confirm:$False } |
1.5 – Assign “Send As” Permissions for each member in a distribution group for a specific recipient
PowerShell command Syntax
|
1 2 3 4 5 6 |
$DL = Get-DistributionGroupMember Foreach ($item in $DL) { Add-RecipientPermission <Identity> -AccessRights SendAs –Trustee $item.name -Confirm:$False } |
PowerShell command Example
|
1 2 3 4 5 |
$DL = Get-DistributionGroupMember DL-01 Foreach ($item in $DL) { Add-RecipientPermission Suzan -AccessRights SendAs –Trustee $item.name -Confirm:$False } |
1.6 – Assign “Send on Behalf” Permissions for a Mailbox
PowerShell command Syntax
|
1 |
Set-Mailbox <Identity> -GrantSendOnBehalfTo <Identity> |
PowerShell command Example
|
1 |
Set-Mailbox -Identity John -GrantSendOnBehalfTo Suzan |
1.7 – Assign “Full Access” permissions for all Mailboxes (BulkMode)
PowerShell command Syntax
|
1 |
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType All |
PowerShell command Example
|
1 |
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User John -AccessRights FullAccess -InheritanceType All |
2. Assign Full Access Permissions and AutoMap
2.1 – Assign “Full Access” permissions to Distribution Group + AutoMap
PowerShell command Syntax
|
1 2 3 4 5 |
$DL = Get-DistributionGroupMember <Distribution Group> | Select-Object -ExpandProperty Name ForEach ($Member in $DL ) { Add-MailboxPermission -Identity <Identity> -User $S -AccessRights FullAccess -InheritanceType All } |
PowerShell command Example
|
1 2 3 4 5 |
$DL = Get-DistributionGroupMember "Assistants Group" | Select-Object -ExpandProperty Name ForEach ($Member in $DL ) { Add-MailboxPermission -Identity "FL1 Room1" -User $S -AccessRights FullAccess -InheritanceType All } |
Additional reading
2.2 – Assign “Full Access” permissions for all Mailboxes (BulkMode) and Disable AutoMap
PowerShell command Syntax
|
1 |
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-Mailboxpermission -User <Identity> -AccessRights FullAccess -InheritanceType All –Automapping $False |
PowerShell command Example
|
1 |
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-Mailboxpermission -User John -AccessRights FullAccess -InheritanceType All –Automapping $False |
2.3 – Assign “Full Access” permissions for Specific User and Disable AutoMap
PowerShell command Syntax
|
1 |
Add-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess -InheritanceType All –AutoMapping $False |
PowerShell command Example
|
1 |
Add-MailboxPermission John -User Suzan -AccessRights FullAccess -InheritanceType All –AutoMapping $False |
3. Display permissions for a Mailbox
3.1 – Display “Full Access” Permissions for a Mailbox
PowerShell command Syntax
|
1 |
Get-MailboxPermission <Identity> |
PowerShell command Example
|
1 |
Get-MailboxPermission John |
Adjustments & Improvements
For improving the quality of the output we can use an additional PowerShell parameter that will “clean” the unnecessary information:
|
1 |
Get-MailboxPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like “NT AUTHORITY\SELF”) } | Select Identity,user,AccessRights |
3.3 – Display “Send As” permission for a Mailbox
PowerShell command Syntax
|
1 |
Get-RecipientPermission <Identity> |
PowerShell command Example
|
1 |
Get-RecipientPermission John |
Adjustments & Improvements
For improving the quality of the output we can use an additional PowerShell parameter that will “clean” the unnecessary information:
|
1 |
Get-RecipientPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.Trustee -like “NT AUTHORITY\SELF”) } | Select Trustee,AccessControlType,AccessRights |
3.3 – Display “Send On Behalf” Permissions for Mailbox
PowerShell command Syntax
|
1 |
Get-Mailbox <Identity> |
PowerShell command Example
|
1 |
Get-Mailbox John |
Adjustments & Improvements
For improving the quality of the output we can use an additional PowerShell parameter that will “clean” the unnecessary information:
|
1 |
Get-RecipientPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.Trustee -like “NT AUTHORITY\SELF”) } | Select Trustee, AccessControlType, AccessRights |
3.4 – View all “Send As permissions” you’ve configured in your organization
PowerShell command Syntax
|
1 |
Get-RecipientPermission | where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid')} | select Identity,Trustee,AccessRights |
3.5 – Display a list of recipient’s that have FULL ACCESS permission on other recipient’s
PowerShell command Syntax
|
1 |
$a = Get-Mailbox $a |Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like “NT AUTHORITY\SELF”) -and -not ($_.User -like '*Discovery Management*') } | Select Identity, user, AccessRights |
4. Revoke Permissions
4.1 – Revoke “Full Access” Permissions
PowerShell command Syntax
|
1 |
Remove-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess |
PowerShell command Example
|
1 |
Remove-MailboxPermission John -User Suzan -AccessRights FullAccess |
Adjustments & Improvements
To avoid the need for confirmation, we can add the option: “-Confirm:$False”
|
1 |
Remove-MailboxPermission John -User Suzan -AccessRights FullAccess -Confirm:$False |
4.2 – Revoke “Send As” Permissions
PowerShell command Syntax
|
1 |
Remove-RecipientPermission <Identity> -AccessRights SendAs -Trustee <Identity> |
PowerShell command Example
|
1 |
Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan |
Adjustments & Improvements
To avoid the need for confirmation, we can add the option: “-Confirm:$False”
|
1 |
Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan -Confirm:$False |
Additional reading
PowerShell command syntax – Office 365 | Article series index
It is important for us to know your opinion on this article
Anonymous
10/10/2012 at 12:46 amUseful collection of PS cmds. Thanks O365info!
Ігор Коваль
10/01/2013 at 6:02 amHi,
Many thanks for the article, very helpful.
I have one question.
In my company we are using GMB (Generic Mailbox) for information exchange. People have access Full Access to it, also they should have Send on Behalf Of access. To simplify access, I have created Distribution List(DL), and include this DL as “Full Access” member of the GMB(with this everything is fine). I have tried to include DL into GMB Send on Behalf Of, but it didn’t find my DL via EMC. I have tried to do it via EMS, but my attempt failed.
My command:
Set-Mailbox -Identity “Name of GMB”-GrantSendOnBehalfTo “Name of DL”
Could you please advise on this issue? What should I do?
Thank you
edoron777
10/01/2013 at 1:15 pmHello Irop
The answer is that you should configure the Group (the DL) as a security group. In Exchange Online environment, you can create the security group form the Exchange Online Web management. The security group is configured automatically as mail enabled group and from the user point of view serve as a “standard distribution group”. The different between security mail enabled security group verses standard distribution group is that you cannot assign permission to distribution group. In case that you try to assign send as permission to standard distribution group (using PowerShell) you will get error such as: “User or group “DL NAME” wasn’t found. Please make sure you’ve typed it correctly.”
Anonymous
11/16/2012 at 8:44 amHi, in lieu of public folders being rolled out in o365, we are using a user’s mailbox as the storage area for our numerous sub-folders. We have granted the permissions using Outlook, but are experiencing problems with this – folders are not always visible even though the permissions haven’t changed (new folders/sub-folders being created and inheriting the properties of the one above). It has been suggested in the o365 community that I set the permissions using PowerShell. Are you able to assist me with the relevant commands please? I do not want to grant open access to this user’s Inbox, just to the sub-folders of that Inbox where our shared emails are stored.
Many thanks.
Eyal Doron
11/16/2012 at 4:17 pmI try to read some information about your request.
I have found an article (http://community.office365.com/en-us/forums/160/p/43423/147639.aspx), that suggest using the option of “Recurse”, by using the following PowerShell command
Get-MailboxFolder –Identity : -Recurse | Add-MailboxFolderPermission -User -AccessRights Owner
By using this option, the permission that you assign to the “parent folder” will be inherited to all of the “Child Folder” in any level.
I little fact that was not mentioned is that to be able to use this PowerShell command you will need to create the remote PowerShell session by using the user credentials that you need to assign the permission to his folder (login as “user1” in our example)
(You can read more information at the following link: http://technet.microsoft.com/en-us/library/dd351164.aspx )
Generally speaking, it’s not so obvious to use a “user mailbox” to mimic the concept of a public folder.
The next version of office 365 and Exchange online will include support in the Public folder, so maybe it’s worth to wait for a while
Abhisheck2.0
02/27/2013 at 10:25 amHow to remove send on behalf permission using the script???
Anonymous
04/24/2013 at 9:27 amcongratulations and thanks for this very useful site.
Anonymous
09/23/2013 at 6:44 amHow can I get an email address (kind of UserPrincipalName) instead of User ?
I use the cmdlet get-mail $_.user | select UserPrincipalName in a foreach but it is very very so long. Any other idea ?
Thank you so much.
Abdul Hamid Ansari
12/07/2013 at 11:29 amthanks for all that but i want two give read only permission to two user in one time on single mailbox means i use one powershell comand
Abdul Hamid Ansari
12/07/2013 at 11:30 amhow to give permission to 2 or 3 user for read only access a single mailbox i want to know what command i can use for same .
Michael
03/02/2015 at 11:42 pmWanted to say thanks so much for this… I am not the best with powershell yet, and this helps alot. is there away you can edit to add a user to a distribution list / group, Ie what list would you like this user added to? Scans, users ? Joe.
Usman
03/26/2015 at 9:06 amHi,
Consider scenario where we have 2 users with same name “Simon Walker”, UPN: [email protected], [email protected]” in an organization, both have permission “Full Access” on Sales mailbox. Now we want to remove permission for [email protected].
The Get-MailboxPermission will return DisplayName of user who has permission not DistinguishedName as in Exchange 2013 on-premises server that can be used to remove user easily as one do not have to remember UPN.
How to get UPN or DistinguishedName of user who has permission on a particular Mailbox using Get-MailboxPermission?
Regards,
Usman
Ankit Jaiswal
07/21/2016 at 9:33 pmAwesome Blogs and PS cmdlets with explanation
Thanks for usefull info…
Keep it up!!
scott S
10/28/2016 at 9:05 pmI’m having an issue setting the Clutter setting on a new mailbox, sometimes it can take over a hour before it will let me set the setting?
Daniel Potter
01/11/2017 at 6:48 pmAny idea why the accessrights switch is a multivalued property but only accepts sendas? The idea that sendas,sendonbehalf,fullaccess are stored in different areas is maddening.
Ryan Chau
02/13/2018 at 7:45 pmGreat article.
However.
Original from the article: $DL = Get-DistributionGroupMember “Assistants Group” | Select-Object -ExpandProperty Name
ForEach ($Member in $DL )
{
Add-MailboxPermission -Identity “FL1 Room1” -User $S -AccessRights FullAccess -InheritanceType All
}
Should it be? ($S will be replace $Member)
$DL = Get-DistributionGroupMember “Assistants Group” | Select-Object -ExpandProperty Name
ForEach ($Member in $DL )
{
Add-MailboxPermission -Identity “FL1 Room1” -User $Member -AccessRights FullAccess -InheritanceType All
}