How to Add or Set MailboxFolderPermission with PowerShell

In Exchange Online we can share whole mailboxes with other users. But what if you want to share only a folder? Or only the calendar in Outlook? We can set the permissions in Outlook, but as an admin, we can also use the Add-MailboxFolderPermission and Set-MailboxFolderPermission cmdlets in PowerShell.

Changing mailbox permissions is a regular task for an Office 365 admin. Calendars need to be shared internally, and folder permissions need to be given to co-workers or changed. For these tasks, PowerShell is really the easiest way to go.

In this article, we are going to take a look at how to use the Add-MailboxFolderPermission and Set-MailboxFolderPermission cmdlets in PowerShell.

Mailbox Folder Permissions

Before we add or set mailbox folder permissions, we are first going to take a look at the different permissions. The most common way to assign permissions is to use one of the roles. Roles are a collection of permissions that you can assign.

We can assign the following roles:

| Role | Permissions |
| --- | --- |
| Author | CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems |
| Contributor | CreateItems, FolderVisible |
| Editor | CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems |
| NonEditingAuthor | CreateItems, DeleteOwnedItems, FolderVisible, ReadItems |
| Owner | CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems |
| PublishingAuthor | CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems |
| PublishingEditor | CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems |
| Reviewer | FolderVisible, ReadItems |

Mailbox Folder Permission Roles

Another option is to assign the individual permissions:

| Permission | Description |
| --- | --- |
| None | No access to view or interact with the folder or its contents. |
| CreateItems | Can create items within the specified folder. |
| CreateSubfolders | Create subfolders in the specified folder. |
| DeleteAllItems | Delete all items in the specified folder. |
| DeleteOwnedItems | Can only delete items that they created from the specified folder. |
| EditAllItems | Edit all items in the specified folder. |
| EditOwnedItems | Can only edit items that they created in the specified folder. |
| FolderContact | User is the contact for the specified public folder. |
| FolderOwner | Owner of the specified folder. Can view the folder, move the folder, and create subfolders. Can’t read items, edit items, delete items or create items. |
| FolderVisible | Can view the specified folder, but can’t read or edit items within the specified public folder. |
| ReadItems | Read items within the specified folder. |

Mailbox Folder Individual Permissions

For calendars, there are also two unique roles available that are really interesting to use:

| Role | Permissions |
| --- | --- |
| AvailabilityOnly | View only availability data |
| LimitedDetails | View availability data with subject and location |

Add Mailbox Folder Permissions

Before we can add mailbox folder permissions we first need to connect to Exchange Online. Make sure that you have installed the Exchange Online module in PowerShell. You can read more about connecting to Exchange Online in this article.

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

It’s always a good idea to first list the mailbox permissions before you change them. I have also created a complete script that will list and export all mailbox permissions for you.

List the existing permissions with the Get-MailboxFolderPermission cmdlet:

Get-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com

# Result:
FolderName           User                 AccessRights                      SharingPermissionFlags
----------           ----                 ------------                      ----------------------
Top of Informatio... Default              {None}
Top of Informatio... Anonymous            {None}

The example above didn’t return any folder permissions. But what we have just done only shows the permissions of the top (root) folder of the mailbox. This won’t show the permissions on, for example, the calendar of the user.

As the cmdlet name suggests, the permission is really set on the folder level. So you will have to specify the folder as well to set or get permissions. We can do this by adding :\foldername after the identity. For the calendar, for example, you can use:

Get-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com:\calendar

# Result
FolderName           User                 AccessRights                      SharingPermissionFlags
----------           ----                 ------------                      ----------------------
Calendar             Default              {AvailabilityOnly}
Calendar             Anonymous            {None}
Calendar             Megan Bowen          {Editor}

As you can see, Megan Bowen has Editor permissions on his calendar. Keep in mind that folder names are language-specific. If the mailbox language is set to Dutch, for example, the calendar folder is named Agenda. To list the folder names in the mailbox, you can use the following PowerShell cmdlet:

 Get-EXOMailboxFolderStatistics -Identity alexw@lazydev.onmicrosoft.com | select-object Identity
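
Because the folder name depends on the mailbox language, a permission review is more reliable when it looks the calendar up by folder type instead of by name. The following is an added example, not part of the original article: Get-CalendarPermissionReport is a hypothetical helper name, and it assumes an active Connect-ExchangeOnline session. It lists the calendar permissions per mailbox and marks entries worth reviewing before you change anything.

```powershell
# Added example, not from the original article.
# Assumes a Connect-ExchangeOnline session; the function name is hypothetical.
function Get-CalendarPermissionReport {
    param([Parameter(Mandatory)][string[]]$Mailbox)

    foreach ($mbx in $Mailbox) {
        # Find the calendar by folder type, so a localized name
        # (Calendar, Agenda, Kalender, ...) does not matter.
        $calendar = Get-EXOMailboxFolderStatistics -Identity $mbx -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } |
            Select-Object -First 1
        if (-not $calendar) {
            Write-Warning "No calendar folder found for $mbx"
            continue
        }
        $folderId = '{0}:\{1}' -f $mbx, $calendar.Name

        foreach ($entry in Get-MailboxFolderPermission -Identity $folderId) {
            # String form works whether User is returned as an object or a string
            $user   = "$($entry.User)"
            $rights = @($entry.AccessRights | ForEach-Object { "$_" })
            $flags  = "$($entry.SharingPermissionFlags)"

            # Mark entries an admin should look at before changing anything
            $review = @()
            if (($user -in 'Default', 'Anonymous') -and
                ($rights | Where-Object { $_ -notin 'None', 'AvailabilityOnly' })) {
                $review += 'Default/Anonymous can see more than availability'
            }
            if ($flags -match 'CanViewPrivateItems') {
                $review += 'Can view private items'
            }

            [pscustomobject]@{
                Mailbox      = $mbx
                Folder       = $calendar.Name
                User         = $user
                AccessRights = $rights -join ', '
                SharingFlags = $flags
                Review       = $review -join '; '
            }
        }
    }
}

# Constructed sample input: the mailbox used in this article
Get-CalendarPermissionReport -Mailbox 'alexw@lazydev.onmicrosoft.com' | Format-Table -AutoSize
```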

Add MailboxFolderPermission

When adding permissions to a mailbox folder we can specify the following parameters:

  • Identity – Mailbox we want to give permissions to
  • User – The user that we want to give permission
  • AccessRights – The permission level
  • SharingPermissionFlags – (Calendar only) Make a user delegate and/or show private calendar items
  • SendNotificationToUser – (Calendar only) Send sharing invitation to user

To give a user editor permission to the calendar we can use the following PowerShell cmdlet:

Add-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com:\calendar -User meganb -AccessRights Editor

When it comes to calendars we can set an extra option, the delegate permissions. When a user is made a calendar delegate, the user will also receive the meeting invites and responses. Besides delegate we can also set the option to view private items in the calendar:

Delegate permission only works in combination with the Editor role!

Add-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com:\calendar -User meganb -AccessRights Editor -SharingPermissionFlags Delegate,CanViewPrivateItems

Besides the calendar, we can of course also add permissions to other mailbox (sub)folders. For example, if you want to give access to the marketing sub folder you can use the following command:

Add-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com:\marketing -User meganb -AccessRights Editor

When you give calendar permission you can also specify that you want to notify the user. To do this you will need to set the parameter SendNotificationToUser to $true.

Give permission to Groups

Until now we have granted permission to a specific user. In most cases, this is more than enough, but it’s also possible to give folder permission to a mail-enabled security group.

For example, when you want to give the back office permission to the calendar of a manager, you can simply create a mail-enabled security group in the Microsoft 365 Admin center and assign the permission:

Add-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com:\calendar -AccessRights Reviewer -user backoffice@lazydev.onmicrosoft.com

Change Permissions with Set MailboxFolderPermission

Changing folder permissions is done with the Set-MailboxFolderPermission cmdlet. This can be a bit confusing: when you want to give a user additional permissions on a folder, you don’t add them, you set the permission.

The Set-MailboxFolderPermission cmdlet overwrites existing permissions, so we don’t have to remove the old permission first. We can use the same parameters and permissions as with the Add-MailboxFolderPermission cmdlet.

For example, to change calendar permission for Megan from Editor to Reviewer we can simply do:

Set-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com:\calendar -User meganb -AccessRights Reviewer

Delegate permission can be added or removed by specifying the existing permission role and setting the SharingPermissionFlags parameter:

# Add Delegate permission
Set-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com:\calendar -User adelev -AccessRights Editor -SharingPermissionFlags delegate

# Remove Delegate permission with None
Set-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com:\calendar -User adelev -AccessRights Editor -SharingPermissionFlags none
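
Add-MailboxFolderPermission fails when the user already has an entry on the folder, and Set-MailboxFolderPermission fails when there is none, so a script has to check first. The wrapper below is an added example, not part of the original article: Grant-FolderAccess is a hypothetical helper name, and it assumes an active Connect-ExchangeOnline session. It picks the right cmdlet, enforces the Editor requirement for delegate flags, and shows the rights that are about to be overwritten.

```powershell
# Added example, not from the original article.
# Assumes a Connect-ExchangeOnline session; the function name is hypothetical.
function Grant-FolderAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$FolderIdentity,   # e.g. user@domain:\calendar
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$AccessRights,
        [ValidateSet('None', 'Delegate', 'CanViewPrivateItems')]
        [string[]]$SharingPermissionFlags
    )

    # Delegate flags only work in combination with the Editor role
    if ($SharingPermissionFlags -and $AccessRights -ne 'Editor') {
        throw "SharingPermissionFlags requires -AccessRights Editor (got '$AccessRights')."
    }

    $params = @{ Identity = $FolderIdentity; User = $User; AccessRights = $AccessRights }
    if ($SharingPermissionFlags) { $params.SharingPermissionFlags = $SharingPermissionFlags }

    # The Get cmdlet errors when the user has no entry on the folder;
    # treat that as "no entry yet".
    try {
        $existing = Get-MailboxFolderPermission -Identity $FolderIdentity -User $User -ErrorAction Stop
    } catch {
        $existing = $null
    }

    if ($existing) {
        # Show the before-state, because Set- overwrites it
        $before = @($existing.AccessRights) -join ', '
        if ($PSCmdlet.ShouldProcess($FolderIdentity, "Change $User from [$before] to [$AccessRights]")) {
            Set-MailboxFolderPermission @params
        }
    } else {
        if ($PSCmdlet.ShouldProcess($FolderIdentity, "Add [$AccessRights] for $User")) {
            Add-MailboxFolderPermission @params
        }
    }
}

# Preview the change without applying it
Grant-FolderAccess -FolderIdentity 'alexw@lazydev.onmicrosoft.com:\calendar' -User meganb -AccessRights Reviewer -WhatIf
```

Run it with -WhatIf first, then remove -WhatIf to apply the change.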

Remove Mailbox Folder Permissions

We can also completely remove the permissions with PowerShell. For this we will need to specify the mailbox and user that we want to remove.

Remove-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com:\calendar -User meganb

By default, the cmdlet verifies if you want to remove the permissions. You can use the parameter -confirm:$false to simply remove the permissions without the need to confirm it.

Just like with adding permissions, we can also send a notification to the user when we remove the permissions:

Remove-MailboxFolderPermission -Identity alexw@lazydev.onmicrosoft.com:\calendar -User lazyadmin -Confirm:$false -SendNotificationToUser:$true

Wrapping Up

The add mailboxfolderpermission cmdlet is often used to set calendar permission. But we can also use it to set permissions on other folders in Outlook. If you want to know more about calendar permission, then make sure you read this article as well, where I explain more about room calendars.

I hope you found this article helpful, if you have any questions, just drop a comment below.

7 thoughts on “How to Add or Set MailboxFolderPermission with PowerShell”

  1. Hi Ruud,

    Is there any way we can find out Resource room calendar Statistics. (Past booking and future booking?) For example, who booked, date, time etc.

    • You could extract the information with PowerShell. You will need to use the Get-MgUserEvent cmdlet for that:

      Connect-MgGraph -Scopes "Calendars.Read"
      Get-MgUserEvent -userid "john@contoso.com"
      
  2. Hi,
    Very nice article(s) we often use your information to clear things up ;-P
    Right now, we are facing a question from a customer;
    Is it possible to create a policy or rule, which sets all calendar details to open, for everyone, including new to come employees, so they have these policies automatically set?
    We already tried to change the default policy in Exchange, but this had no effect on newly created users. It would be very much appreciated if you would know a trick or so to get this done 🙂

  3. Hello!
    Thanks for the info. Just one thing to watch out for:
    The name of the calendar folder may vary even within one tenant.
    I do have mailboxes with “calendar” as well as with (German) “Kalender” in my tenant?!
    Guess it depends on various factors how the folder gets named.
    Like if the mailbox has ever been opened by Outlook or not
    OR setup via powershell vs via the GUI, etc..
    One way or the other, if the commands do not work, simply try both localized versions and the English version.
