How to Add or Set MailboxFolderPermission with PowerShell

In Exchange Online we can share whole mailboxes with other users. But what if you want to share only a folder? Or only the calendar in Outlook? We can set the permissions in Outlook, but as an admin, we can also use the Add and Set MailboxFolderPermission cmdlet in PowerShell.

Changing mailbox permission is a regular task for an Office 365 admin. Calendars need to be shared internally and folder permissions need to be given or changed to co-workers. For these tasks is PowerShell really the easiest way to go.

In this article, we are going to take a look at how to use the Add and Set MailboxFolderPermission cmdlet in PowerShell.

Mailbox Folder Permissions

Before we are going to add or set mailbox folder permissions, are we first going to take a look at the different permissions. The most common way to assign permissions is to use one of the roles. Roles are a collection of permissions that you can assign.

We can assign the following roles:

AuthorCreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
ContributorCreateItems, FolderVisible
EditorCreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
NonEditingAuthorCreateItems, DeleteOwnedItems, FolderVisible, ReadItems
OwnerCreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
PublishingAuthorCreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
PublishingEditorCreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
ReviewerFolderVisible, ReadItems
Mailbox Folder Permission Roles

Another option is to assign the individual permissions:

NoneNo access to view or interact with the folder or its contents.
CreateItemsCan create items within the specified folder.
CreateSubfoldersCreate subfolders in the specified folder.
DeleteAllItemsDelete all items in the specified folder.
DeleteOwnedItemsCan only delete items that they created from the specified folder.
EditAllItemsEdit all items in the specified folder.
EditOwnedItemsCan only edit items that they created in the specified folder
FolderContactUser is the contact for the specified public folder.
FolderOwnerOwner of the specified folder. Can view the folder, move the folder, and create subfolders. Can’t read items, edit items, delete items or create items.
FolderVisibleCan view the specified folder, but can’t read or edit items within the specified public folder.
ReadItemsRead items within the specified folder.
Mailbox Folder Individual Permissions

For the calendars are also two unique roles available that are really interesting to use:

AvailabilityOnlyView only availability data
LimitedDetailsView availability data with subject and location

Add Mailbox Folder Permissions

Before we can add mailbox folder permissions we first need to connect to Exchange Online. Make sure that you have installed the Exchange Online module in PowerShell. You can read more about connecting to Exchange Online in this article.

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName

It’s always a good idea to first list the mailbox permission before you change the permission. I have also created a complete script that will list and export all mailbox permission for you.

List the existing permission with Get-MailboxFolderPermissions cmdlet:

Get-MailboxFolderPermission -Identity

# Result:
FolderName           User                 AccessRights                      SharingPermissionFlags
----------           ----                 ------------                      ----------------------
Top of Informatio... Default              {None}
Top of Informatio... Anonymous            {None}

The example above didn’t return any folder permissions. But what we just have done is only show the permissions of the top (root) folder of the mailbox. This won’t show the permissions om for example the calendar of the user.

As the cmdlet suggests, the permission is really set on the folder level. So you will have to specify the folder as well to set or get permissions. We can do this by adding a :\foldername behind the identity. For the calendar for example you can use:

Get-MailboxFolderPermission -Identity\calendar

# Result
FolderName           User                 AccessRights                      SharingPermissionFlags
----------           ----                 ------------                      ----------------------
Calendar             Default              {AvailabilityOnly}
Calendar             Anonymous            {None}
Calendar             Megan Bowen          {Editor}

As you can see, Megan Bowen has editor permissions on his calendar. Keep in mind that folder names are language-specific. If you have set the mailbox language to Dutch, then the calendar would be Agenda for example. To list the inbox sub folder names you can use the following PowerShell cmd:

 Get-EXOMailboxFolderStatistics -Identity | select-object Identity

Add MailboxFolderPermission

When adding permissions to a mailbox folder we can specify the following parameters:

  • Identity – Mailbox we want to give permissions to
  • User – The user that we want to give permission
  • AccessRights – The permission level
  • SharingPermissionFlags – (Calendar only) Make a user delegate and/or show private calendar items
  • SendNotificationToUser – (Calendar only) Send sharing inventation to user

To give a user editor permission to the calendar we can use the following PowerShell cmdlet:

Add-MailboxFolderPermission -Identity\calendar -User meganb -AccessRights Editor
add mailboxfolderpermission
Add mailboxfolderpermission

When it comes to calendars we can set an extra option, the delegate permissions. When a user is made a calendar delegate, the user will also receive the meeting invites and responses. Besides delegate we can also set the option to view private items in the calendar:

Delegate permission only works in combination with the Editor role!

Add-MailboxFolderPermission -Identity\calendar -User meganb -AccessRights Editor -SharingPermissionFlags Delegate,CanViewPrivateItems

Besides the calendar, we can of course also add permissions to other mailbox (sub)folders. For example, if you want to give access to the marketing sub folder you can use the following command:

Add-MailboxFolderPermission -Identity\marketing -User meganb -AccessRights Editor

When you give calendar permission you can also specify that you want to notify the user. To do this you will need to set the parameter SendNotificationToUser to $true

user notification

Give permission to Groups

Until now we have granted permission to a specific user. In most cases, this is more than enough, but it’s also possible to give folder permission to a mail-enabled security group.

For example, when you want to give the back office permission to the calendar of a manager, you can simply create a mail-enabled security group in the Microsoft 365 Admin center and assign the permission:

Add-MailboxFolderPermission -Identity\calendar -AccessRights Reviewer -user

Change Permissions with Set MailboxFolderPermission

Changing folder permissions is done with the set-mailboxfolderpermission cmdlet. It’s sometimes a bit confusing, you might want to add additional permission for a user. But to do that, we actually have to set the permission.

The set mailboxfolderpermission cmdlet overwrites existing permissions. So we don’t have to remove the old permission first. We can use the same parameters and permissions as with the add-mailboxfolderpermission cmdlet.

For example, to change calendar permission for Megan from Editor to Reviewer we can simply do:

Set-MailboxFolderPermission -Identity\calendar -User meganb -AccessRights Reviewer

Delegate permission can be added or removed by specifying the existing permission role and setting the SharingPermissionFlags parameter:

# Add Delegate permission
Set-MailboxFolderPermission -Identity\calendar -User adelev -AccessRights Editor -SharingPermissionFlags delegate

# Remove Delegate permission with None
Set-MailboxFolderPermission -Identity\calendar -User adelev -AccessRights Editor -SharingPermissionFlags none

Remove Mailbox Folder Permissions

We can also completely remove the permissions with PowerShell. For this we will need to specify the mailbox and user that we want to remove.

Remove-MailboxFolderPermission -Identity\calendar -User meganb

By default, the cmdlet verifies if you want to remove the permissions. You can use the parameter -confirm:$false to simply remove the permissions without the need to confirm it.

Just like with adding permissions, we can also send a notification to the user when we remove the permissions:

Remove-MailboxFolderPermission -Identity\calendar -User lazyadmin -Confirm:$false -SendNotificationToUser:$true

Wrapping Up

The add mailboxfolderpermission cmdlet is often used to set calendar permission. But we can also use it to set permissions on other folders in Outlook. If you want to know more about calendar permission, then make sure you read this article as well, where I explain more about room calendars.

I hope you found this article helpful, if you have any questions, just drop a comment below.

7 thoughts on “How to Add or Set MailboxFolderPermission with PowerShell”

  1. Hi Ruud,

    Is there any way we can find out Resource room calendar Statistics. (Past booking and future booking?) For example, who booked, date, time etc.

    • You could extract the information with PowerShell. You will need to use the Get-MgUserEvent cmdlet for that:

      Connect-MgGraph -Scopes "Calendars.Read"
      Get-MgUserEvent -userid ""
  2. Hi,
    Very nice article(s) we often use your information to clear things up ;-P
    Right now, we are facing a question from a customer;
    Is it possible to create a policy or rule, which sets all calendar details to open, for everyone, including new to come employees, so they have these policies automatically set?
    We already tried to change the default policy in Exchange, but this had no effect on newly created users. It would be very much appreciated if you would know a tric or so to get this done 🙂

  3. Hello!
    Thanks for the info. Just one thing to watch out for:
    The name of the calendar folder may very even within one tenant.
    I do have mailboxes with “calendar” as as well as with (German) “Kalender” in my tenant?!
    Guess it depends on various factors how the folder gets named.
    Like if the mailbox has ever been opened by Outlook or not
    OR setup via powershell vs via the GUI, etc..
    One way or the other, if the commands do not work, simply try both localized versions and the English version.

Leave a Comment