Published: Aug 10, 2023
For IT administrators managing Office 365 and Exchange Server, having control over mailbox folder-level permissions is a crucial task. PowerShell, a powerful scripting language developed by Microsoft, offers a convenient and efficient way to control access to specific mailbox folders for users within an organization, including the calendar folder. In this article, I will detail how to add, change, and remove mailbox folder permissions using the PowerShell Add-MailboxFolderPermission and Set-MailboxFolderPermission cmdlets.
Before we dive into PowerShell commands, let me explain how mailbox folder permissions work in Office 365. Mailbox folder permissions refer to the rights granted to users to access specific folders and subfolders within another user’s mailbox. These permissions can range from simple read-only access to full control, depending on the level of access required.
Remember that calendar permissions are included here as the “Calendar” is simply another folder in a user’s mailbox.
Here are the primary types of mailbox folder permissions:
Let me offer another way to look at the permission levels with roles, which can be assigned to users to grant them a specific combination of permissions.
| Role | Permissions |
| --- | --- |
| Author | CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems |
| Contributor | CreateItems, FolderVisible |
| Editor | CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems, DeleteAllItems, EditAllItems |
| NonEditingAuthor | CreateItems, DeleteOwnedItems, FolderVisible, ReadItems |
| Owner | CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems, DeleteAllItems, EditAllItems, CreateSubfolders, FolderContact, FolderOwner |
| PublishingAuthor | CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems, CreateSubfolders |
| PublishingEditor | CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems, DeleteAllItems, EditAllItems |
| Reviewer | FolderVisible, ReadItems |
To manage individual permissions, we first need to connect to Exchange Online PowerShell. Ensure you have the necessary permissions to perform these tasks. Follow these steps to establish the connection.
Incidentally, I’ve had struggles with PowerShell and connecting to Exchange Online. Although ‘starting from scratch’ and installing the modules for the most recent version 3 (v3) module is rather painless, the past was rough. On almost every system, it was as if Microsoft spent more time documenting all the warnings and error messages IT Pros would get when trying to ‘Install-Module’ and ‘Import-Module’.
However, as I said, on a fresh system, you shouldn’t have any issues. First, open your favorite Terminal program and run this command to connect to your Office 365 Exchange Online tenant.
Connect-ExchangeOnline
As an IT pro, you’ve probably seen updates from the ‘Microsoft 365 admin center – Message Center’ explaining that the older ‘REST API’ or v1 and v2 modules are going out of support. If you get an error message about the cmdlet not being recognized, you’ll first need to install or update the module for ExchangeOnlineManagement. You can check out the official Microsoft documentation for more information.
To add permissions to a specific mailbox folder, you can use the Add-MailboxFolderPermission cmdlet. The basic syntax is as follows:
Add-MailboxFolderPermission -Identity <MailboxIdentity> -User <UserOrGroupIdentity> -AccessRights <AccessRights>
Let’s do an example: We want to grant Megan Bowen ‘FolderOwner’ access to Nestor Wilke’s Calendar folder. This will allow Megan ‘full access’ to Nestor’s Calendar. Let’s use the following command to do that:
Add-MailboxFolderPermission -Identity [email protected]:\Calendar -User "Megan Bowen" -AccessRights FolderOwner
And thankfully, the output shows success. Megan Bowen now has FolderOwner access to Nestor’s Calendar. Nice and easy once you get the hang of the syntax!
You can use wildcard characters to specify multiple folders at once. For instance, to grant permissions on all folders in Miriam Graham’s mailbox to the group “Budget and Marketing Team” you can try the following command:
Add-MailboxFolderPermission -Identity [email protected]:\* -User [email protected] -AccessRights EditItems
Another parameter for these commands is the SharingPermissionFlags parameter. This assigns calendar delegate permissions. This parameter only applies to calendar folders and can only be used when the ‘AccessRights’ parameter value is ‘Editor’. Valid values are:
You can specify multiple values separated by commas.
To modify existing mailbox folder permissions, you can use the Get-MailboxFolderPermission cmdlet to check existing permissions and the Set-MailboxFolderPermission cmdlet to modify them. The basic syntax is as follows.
Get-MailboxFolderPermission -Identity [email protected]:\Calendar -user "Megan Bowen"
This error message makes sense – no permission entry currently exists for Megan in Nestor’s Calendar folder. And, if you’re slightly confused it’s because I’m performing these steps out of order per this article. Don’t worry, it all works!
Let’s go ahead and make some changes with the following command:
Set-MailboxFolderPermission -Identity <MailboxIdentity> -User <UserOrGroupIdentity> -AccessRights <AccessRights>
The parameters are the same as for the Add-MailboxFolderPermission cmdlet. Specify the new set of access rights you want to assign to the user or group.
For example, if we want to change the permissions for Megan’s access to Nestor’s Calendar, we can run the following command.
Set-MailboxFolderPermission -Identity [email protected]:\Calendar -User "Megan Bowen" -AccessRights EditAllItems
This changed the prior access of ‘FolderOwner’ to ‘EditAllItems’.
And yes, to close out this pool of scenarios, we also need the ability to remove existing permissions from a user or users. Let’s use the Remove-MailboxFolderPermission cmdlet.
Remove-MailboxFolderPermission -Identity <MailboxIdentity> -User <UserOrGroupIdentity>
Nice and simple. Let’s go ahead and remove Megan’s access to Nestor’s Calendar folder.
Remove-MailboxFolderPermission -Identity [email protected]:\Calendar -User "Megan Bowen"
When removing, the cmdlet will prompt you to confirm. Go ahead and click ‘Y’ to remove the permission.
PowerShell provides Office 365 administrators with a powerful toolset for managing mailbox folder permissions efficiently. By understanding the various access rights and utilizing the appropriate cmdlets, you can easily add, change, and remove mailbox folder permissions as needed. Remember to exercise caution while handling permissions, ensuring that users have the appropriate level of access to maintain a secure and well-organized Exchange environment.
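As an added example (not from the original article), the following PowerShell audit helper expands the roles from the table above into individual permissions and flags entries, shaped like Get-MailboxFolderPermission output, that carry EditAllItems, DeleteAllItems or FolderOwner, or that let the Default or Anonymous principals read items. The function names, the high-impact list and the sample entries are assumptions made for this example.

```powershell
# Role -> individual permissions, copied from the role table in this article.
$RoleRights = @{
    Author           = 'CreateItems','DeleteOwnedItems','EditOwnedItems','FolderVisible','ReadItems'
    Contributor      = 'CreateItems','FolderVisible'
    Editor           = 'CreateItems','DeleteOwnedItems','EditOwnedItems','FolderVisible','ReadItems','DeleteAllItems','EditAllItems'
    NonEditingAuthor = 'CreateItems','DeleteOwnedItems','FolderVisible','ReadItems'
    Owner            = 'CreateItems','DeleteOwnedItems','EditOwnedItems','FolderVisible','ReadItems','DeleteAllItems','EditAllItems','CreateSubfolders','FolderContact','FolderOwner'
    PublishingAuthor = 'CreateItems','DeleteOwnedItems','EditOwnedItems','FolderVisible','ReadItems','CreateSubfolders'
    PublishingEditor = 'CreateItems','CreateSubfolders','DeleteOwnedItems','EditOwnedItems','FolderVisible','ReadItems','DeleteAllItems','EditAllItems'
    Reviewer         = 'FolderVisible','ReadItems'
}
# Rights this audit treats as high impact (assumption; adjust to local policy).
$HighImpact = 'EditAllItems','DeleteAllItems','FolderOwner'

function Expand-FolderRights {
    # Replace each role name with its individual permissions; pass others through.
    param([string[]]$AccessRights)
    $AccessRights | ForEach-Object {
        if ($RoleRights.ContainsKey($_)) { $RoleRights[$_] } else { $_ }
    } | Sort-Object -Unique
}

function Find-BroadFolderGrant {
    # Emit one finding per ACL entry that carries a high-impact right, or that
    # lets the built-in Default/Anonymous principals read items.
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        $rights = @(Expand-FolderRights -AccessRights $Entry.AccessRights)
        $hits   = @($rights | Where-Object { $_ -in $HighImpact })
        $open   = ("$($Entry.User)" -in 'Default','Anonymous') -and ($rights -contains 'ReadItems')
        if ($hits.Count -gt 0 -or $open) {
            [pscustomobject]@{
                Folder = $Entry.FolderName; User = "$($Entry.User)"
                Granted = $Entry.AccessRights -join ','
                HighImpact = $hits -join ','; OpenRead = $open
            }
        }
    }
}

# Constructed sample entries (FolderName, User, AccessRights); not real tenant data.
$sample = @(
    [pscustomobject]@{ FolderName='Calendar'; User='Default';     AccessRights=@('AvailabilityOnly') }
    [pscustomobject]@{ FolderName='Calendar'; User='Megan Bowen'; AccessRights=@('Editor') }
    [pscustomobject]@{ FolderName='Inbox';    User='Default';     AccessRights=@('Reviewer') }
    [pscustomobject]@{ FolderName='Notes';    User='Sample User'; AccessRights=@('Contributor') }
)
$sample | Find-BroadFolderGrant | Format-Table -AutoSize
# Live use: Get-MailboxFolderPermission -Identity <MailboxIdentity> | Find-BroadFolderGrant
```

With the constructed sample, the Editor grant on Calendar and the Default Reviewer grant on Inbox are reported; the AvailabilityOnly and Contributor entries are not.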
Please feel free to leave a comment or question below and thank you for reading!