How to Add or Set MailboxFolderPermission with PowerShell

In Exchange Online we can share whole mailboxes with other users. But what if you want to share only a folder? Or only the calendar in Outlook? We can set the permissions in Outlook, but as an admin, we can also use the Add and Set MailboxFolderPermission cmdlet in PowerShell.

Changing mailbox permission is a regular task for an Office 365 admin. Calendars need to be shared internally and folder permissions need to be given or changed to co-workers. For these tasks is PowerShell really the easiest way to go.

In this article, we are going to take a look at how to use the Add and Set MailboxFolderPermission cmdlet in PowerShell.

Mailbox Folder Permissions

Before we are going to add or set mailbox folder permissions, are we first going to take a look at the different permissions. The most common way to assign permissions is to use one of the roles. Roles are a collection of permissions that you can assign.

We can assign the following roles:

RolePermissions
AuthorCreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
ContributorCreateItems, FolderVisible
EditorCreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
NonEditingAuthorCreateItems, DeleteOwnedItems, FolderVisible, ReadItems
OwnerCreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
PublishingAuthorCreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
PublishingEditorCreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
ReviewerFolderVisible, ReadItems
Mailbox Folder Permission Roles

Another option is to assign the individual permissions:

PermissionDescription
NoneNo access to view or interact with the folder or its contents.
CreateItemsCan create items within the specified folder.
CreateSubfoldersCreate subfolders in the specified folder.
DeleteAllItemsDelete all items in the specified folder.
DeleteOwnedItemsCan only delete items that they created from the specified folder.
EditAllItemsEdit all items in the specified folder.
EditOwnedItemsCan only edit items that they created in the specified folder
FolderContactUser is the contact for the specified public folder.
FolderOwnerOwner of the specified folder. Can view the folder, move the folder, and create subfolders. Can’t read items, edit items, delete items or create items.
FolderVisibleCan view the specified folder, but can’t read or edit items within the specified public folder.
ReadItemsRead items within the specified folder.
Mailbox Folder Individual Permissions

For the calendars are also two unique roles available that are really interesting to use:

RolePermissions
AvailabilityOnlyView only availability data
LimitedDetailsView availability data with subject and location

Add Mailbox Folder Permissions

Before we can add mailbox folder permissions we first need to connect to Exchange Online. Make sure that you have installed the Exchange Online module in PowerShell. You can read more about connecting to Exchange Online in this article.

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName [email protected]

It’s always a good idea to first list the mailbox permission before you change the permission. I have also created a complete script that will list and export all mailbox permission for you.

List the existing permission with Get-MailboxFolderPermissions cmdlet:

Get-MailboxFolderPermission -Identity [email protected]

# Result:
FolderName           User                 AccessRights                      SharingPermissionFlags
----------           ----                 ------------                      ----------------------
Top of Informatio... Default              {None}
Top of Informatio... Anonymous            {None}

The example above didn’t return any folder permissions. But what we just have done is only show the permissions of the top (root) folder of the mailbox. This won’t show the permissions om for example the calendar of the user.

As the cmdlet suggests, the permission is really set on the folder level. So you will have to specify the folder as well to set or get permissions. We can do this by adding a :\foldername behind the identity. For the calendar for example you can use:

Get-MailboxFolderPermission -Identity [email protected]:\calendar

# Result
FolderName           User                 AccessRights                      SharingPermissionFlags
----------           ----                 ------------                      ----------------------
Calendar             Default              {AvailabilityOnly}
Calendar             Anonymous            {None}
Calendar             Megan Bowen          {Editor}

As you can see, Megan Bowen has editor permissions on his calendar. Keep in mind that folder names are language-specific. If you have set the mailbox language to Dutch, then the calendar would be Agenda for example. To list the inbox sub folder names you can use the following PowerShell cmd:

 Get-EXOMailboxFolderStatistics -Identity [email protected] | select-object Identity

Add MailboxFolderPermission

When adding permissions to a mailbox folder we can specify the following parameters:

  • Identity – Mailbox we want to give permissions to
  • User – The user that we want to give permission
  • AccessRights – The permission level
  • SharingPermissionFlags – (Calendar only) Make a user delegate and/or show private calendar items
  • SendNotificationToUser – (Calendar only) Send sharing inventation to user

To give a user editor permission to the calendar we can use the following PowerShell cmdlet:

Add-MailboxFolderPermission -Identity [email protected]:\calendar -User meganb -AccessRights Editor
add mailboxfolderpermission
Add mailboxfolderpermission

When it comes to calendars we can set an extra option, the delegate permissions. When a user is made a calendar delegate, the user will also receive the meeting invites and responses. Besides delegate we can also set the option to view private items in the calendar:

Delegate permission only works in combination with the Editor role!

Add-MailboxFolderPermission -Identity [email protected]:\calendar -User meganb -AccessRights Editor -SharingPermissionFlags Delegate,CanViewPrivateItems

Besides the calendar, we can of course also add permissions to other mailbox (sub)folders. For example, if you want to give access to the marketing sub folder you can use the following command:

Add-MailboxFolderPermission -Identity [email protected]:\marketing -User meganb -AccessRights Editor

When you give calendar permission you can also specify that you want to notify the user. To do this you will need to set the parameter SendNotificationToUser to $true

user notification

Give permission to Groups

Until now we have granted permission to a specific user. In most cases, this is more than enough, but it’s also possible to give folder permission to a mail-enabled security group.

For example, when you want to give the back office permission to the calendar of a manager, you can simply create a mail-enabled security group in the Microsoft 365 Admin center and assign the permission:

Add-MailboxFolderPermission -Identity [email protected]:\calendar -AccessRights Reviewer -user [email protected]

Change Permissions with Set MailboxFolderPermission

Changing folder permissions is done with the set-mailboxfolderpermission cmdlet. It’s sometimes a bit confusing, you might want to add additional permission for a user. But to do that, we actually have to set the permission.

The set mailboxfolderpermission cmdlet overwrites existing permissions. So we don’t have to remove the old permission first. We can use the same parameters and permissions as with the add-mailboxfolderpermission cmdlet.

For example, to change calendar permission for Megan from Editor to Reviewer we can simply do:

Set-MailboxFolderPermission -Identity [email protected]:\calendar -User meganb -AccessRights Reviewer

Delegate permission can be added or removed by specifying the existing permission role and setting the SharingPermissionFlags parameter:

# Add Delegate permission
Set-MailboxFolderPermission -Identity [email protected]:\calendar -User adelev -AccessRights Editor -SharingPermissionFlags delegate

# Remove Delegate permission with None
Set-MailboxFolderPermission -Identity [email protected]:\calendar -User adelev -AccessRights Editor -SharingPermissionFlags none

Remove Mailbox Folder Permissions

We can also completely remove the permissions with PowerShell. For this we will need to specify the mailbox and user that we want to remove.

Remove-MailboxFolderPermission -Identity [email protected]:\calendar -User meganb

By default, the cmdlet verifies if you want to remove the permissions. You can use the parameter -confirm:$false to simply remove the permissions without the need to confirm it.

Just like with adding permissions, we can also send a notification to the user when we remove the permissions:

Remove-MailboxFolderPermission -Identity [email protected]:\calendar -User lazyadmin -Confirm:$false -SendNotificationToUser:$true

Wrapping Up

The add mailboxfolderpermission cmdlet is often used to set calendar permission. But we can also use it to set permissions on other folders in Outlook. If you want to know more about calendar permission, then make sure you read this article as well, where I explain more about room calendars.

I hope you found this article helpful, if you have any questions, just drop a comment below.

Get more stuff like this

IT, Office365, Smart Home, PowerShell and Blogging Tips

I hate spam to, so you can unsubscribe at any time.

Leave a Comment

0 Shares
Tweet
Pin
Share
Share