Mailbox Permissions - PowerShell commands ~ o365info.com
Saturday, September 1, 2012

“Mailbox permissions” include two categories:
1. Full Access permissions - enable another recipient to see all of the mailbox content.
2. Permission to send email using another recipient's name (“Send As” and “Send on Behalf”).
Some of the mailbox permissions can be assigned by the user himself (by using the Outlook or OWA interface), while the permissions to send email using another recipient's name can only be assigned by using the PowerShell interface. The considerable advantage of using PowerShell for managing mailbox permissions is that the administrator can remotely create the required settings for the user (assisting users and preventing misconfigurations) and can use the power of PowerShell to execute commands in Bulk Mode (apply configuration settings to more than one mailbox).


Information and help related to PowerShell


1. PowerShell Naming Conventions & general information
If you want more information about the naming conventions that we use in this article, and some general tips about how to work with the PowerShell commands described in the article, read the article: Help and additional information - o365info.com PowerShell articles

2. PowerShell command and script language in more detail
If you are new to the PowerShell world, you can read more information about PowerShell in an Office environment in the article: The Power of PowerShell

3. Create remote PowerShell session
Before we can use the required PowerShell commands, we need to download and install the Office 365 cmdlets and create a remote PowerShell session to Office 365 or Exchange Online. If you need more information about how to create a remote PowerShell session, read the following articles: Part 2: Connect to Office 365 by using Remote PowerShell and Part 3: Connect to Exchange online by using Remote PowerShell

4. How to use a PowerShell script
Most of the PowerShell articles include a PowerShell script that simplifies the use of the PowerShell commands. If you want more information about how to use a PowerShell script, read the article: Connect to office 365 and Exchange online using a script


PowerShell commands table

1 - Assign Mailbox Permissions

Assign “Full Access” permissions for a Mailbox

PowerShell command syntax:
Add-MailboxPermission <User>  -User <User/Distribution Group> -AccessRights FullAccess -InheritanceType all
Example:
Add-MailboxPermission John -User Suzan -AccessRights FullAccess -InheritanceType all

Assign “Send As” Permissions for a Mailbox

PowerShell command syntax:
Add-RecipientPermission <User/Distribution Group> -AccessRights SendAs -Trustee <User>
Example:
Add-RecipientPermission John -AccessRights SendAs -Trustee Suzan
Adjustments & Improvements:
To avoid the need for confirmation, we can add the option: “-Confirm:$false”
Add-RecipientPermission John -Trustee Suzan -AccessRights SendAs -Confirm:$false

Assign “Send As” Permissions for ALL Mailboxes (BULK Mode)

PowerShell command syntax:
$MBXS = Get-Recipient -RecipientType usermailbox
ForEach ($MBX in $MBXS)
{
Add-RecipientPermission $MBX.name -AccessRights SendAs -Trustee <UPN> -Confirm:$false
}
# List the resulting Send As permissions (SELF and unresolved SIDs excluded)
Get-RecipientPermission | where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'null sid')}
Example:
$MBXS = Get-Recipient -RecipientType usermailbox
ForEach ($MBX in $MBXS)
{
Add-RecipientPermission $MBX.name -AccessRights SendAs -Trustee admin@o365info.com -Confirm:$false
}
# List the resulting Send As permissions (SELF and unresolved SIDs excluded)
Get-RecipientPermission | where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'null sid')}

Assign “Send As” Permissions to a recipient on each member of a distribution group

PowerShell command syntax:
$DL = Get-DistributionGroupMember <Distribution Group>
Foreach ($item in $DL)
{
Add-RecipientPermission $item.name -AccessRights SendAs -Trustee <Alias> -Confirm:$false
}
Example:
$DL = Get-DistributionGroupMember DL-01
Foreach ($item in $DL)
{
Add-RecipientPermission $item.name -AccessRights SendAs -Trustee Suzan -Confirm:$false
}

Assign “Send As” Permissions to each member of a distribution group on a specific recipient

PowerShell command syntax:
$DL = Get-DistributionGroupMember <Distribution Group>
Foreach ($item in $DL)
{
Add-RecipientPermission <Alias> -AccessRights SendAs -Trustee $item.name -Confirm:$false
}
Example:
$DL = Get-DistributionGroupMember DL-01
Foreach ($item in $DL)
{
Add-RecipientPermission Suzan -AccessRights SendAs -Trustee $item.name -Confirm:$false
}

Assign “Send on Behalf” Permissions for a Mailbox

PowerShell command syntax:
Set-Mailbox -Identity <User>  -GrantSendOnBehalfTo  <User/Distribution group>
Example:
Set-Mailbox -Identity John -GrantSendOnBehalfTo Suzan

Assign "Full Access" permissions for all Mailboxes (BULK Mode)

PowerShell command syntax:
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-Mailboxpermission -User <User> -AccessRights fullaccess -InheritanceType all
Example:
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-Mailboxpermission -User John -AccessRights fullaccess -InheritanceType all

2 - Assign Full Access Permissions and AutoMap

Assign “Full Access” permissions to Distribution Group + AutoMap

PowerShell command syntax:
$DL = Get-DistributionGroupMember <Distribution Group> | Select-Object -ExpandProperty Name
foreach ($Member in $DL)
{Add-MailboxPermission -Identity <User> -User $Member -AccessRights 'FullAccess' -InheritanceType all}
Example:
$DL = Get-DistributionGroupMember Assistants-group | Select-Object -ExpandProperty Name
foreach ($Member in $DL)
{Add-MailboxPermission -Identity FL1-Room1 -User $Member -AccessRights 'FullAccess' -InheritanceType all}


Assign "Full Access" permissions for all Mailboxes (BULK Mode) and Disable AutoMap

PowerShell command syntax:
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-Mailboxpermission -User <User> -AccessRights fullaccess -InheritanceType all -AutoMapping $false
Example:
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-Mailboxpermission -User John -AccessRights fullaccess -InheritanceType all -AutoMapping $false

Assign "Full Access" permissions for Specific User and Disable AutoMap

PowerShell command syntax:
Add-MailboxPermission <User> -User <User/Distribution Group> -AccessRights FullAccess -InheritanceType all -AutoMapping $false
Example:
Add-MailboxPermission John -User Suzan -AccessRights FullAccess -InheritanceType all -AutoMapping $false

3 - Display permissions for a Mailbox

Display “Full Access” Permissions for a Mailbox

PowerShell command syntax:
Get-Mailboxpermission <User> 
Example:
Get-Mailboxpermission John
Adjustments & Improvements
To make the output easier to read, we can add a filter that hides inherited entries and the mailbox owner's own (SELF) entry:
Get-Mailboxpermission John | where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity, User, AccessRights

Display “Send As” permission for a Mailbox

PowerShell command syntax:
Get-RecipientPermission <User> 
Example:
Get-RecipientPermission John
Adjustments & Improvements
To make the output easier to read, we can add a filter that hides inherited entries and the mailbox owner's own (SELF) entry:
Get-RecipientPermission John | where { ($_.IsInherited -eq $false) -and -not ($_.Trustee -like "NT AUTHORITY\SELF") } | Select Trustee, AccessControlType, AccessRights

Display "Send On Behalf" Permissions for Mailbox

PowerShell command syntax:
Get-Mailbox <User> 
Example:
Get-Mailbox John
Adjustments & Improvements
The "Send On Behalf" delegates are stored in the GrantSendOnBehalfTo property of the mailbox, so we can display only that property:
Get-Mailbox John | Select Name, GrantSendOnBehalfTo

View all "Send As permissions" you’ve configured in your organization

PowerShell command syntax:
Get-RecipientPermission | where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'null sid')} | select Identity, Trustee, AccessRights

Display a list of recipients that have FULL ACCESS permission on other recipients

PowerShell command syntax:
$a = Get-Mailbox
$a | Get-Mailboxpermission | where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } | Select Identity, User, AccessRights
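
The display commands in this section can be combined into one organization-wide delegation inventory, which is the list a periodic access review works from. This is an added example, not part of the original article or its Mailbox-Permissions.ps1 script; it assumes an open remote PowerShell session to Exchange Online, and the CSV file name is a placeholder.

```powershell
# Added example, not from the original article. Assumes an open remote
# PowerShell session to Exchange Online; the CSV path is a placeholder.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $id = $mbx.DistinguishedName

    # Full Access: explicit Allow entries, owner (SELF) excluded
    Get-MailboxPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.User -notlike 'NT AUTHORITY\SELF' -and
                       $_.AccessRights -match 'FullAccess' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress
                               Delegate = $_.User; Right = 'FullAccess' }
        }

    # Send As: same exclusions as the article's filter, per mailbox
    Get-RecipientPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and
                       $_.AccessControlType -eq 'Allow' -and
                       $_.Trustee -notlike 'NT AUTHORITY\SELF' -and
                       $_.AccessRights -match 'SendAs' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress
                               Delegate = $_.Trustee; Right = 'SendAs' }
        }

    # Send on Behalf: stored on the mailbox object itself
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress
                           Delegate = $delegate; Right = 'SendOnBehalf' }
    }
}

# One row per mailbox/delegate/right, ready for review or for diffing
# against the previous run
$report | Sort-Object Mailbox, Right, Delegate |
    Export-Csv -Path .\mailbox-delegations.csv -NoTypeInformation

# Delegates that hold rights on the most mailboxes
$report | Group-Object Delegate | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Comparing the CSV from one run against the previous one shows delegations that appeared between reviews.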

4 - Revoke Permissions

Revoke "Full Access" Permissions

PowerShell command syntax:
Remove-MailboxPermission  <User>  -User <User>  -AccessRights FullAccess
Example:
Remove-MailboxPermission  John -User Suzan -AccessRights FullAccess
Adjustments & Improvements
To avoid the need for confirmation, we can add the option: “-Confirm:$false”
Remove-MailboxPermission  John -User Suzan -AccessRights FullAccess -Confirm:$false

Revoke "Send As" Permissions

PowerShell command syntax:
Remove-RecipientPermission <User>  -AccessRights SendAs -Trustee <User> 
Example:
Remove-RecipientPermission John   -AccessRights SendAs -Trustee Suzan
Adjustments & Improvements
To avoid the need for confirmation, we can add the option: “-Confirm:$false”:
Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan -Confirm:$false
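
When a delegate changes role or leaves, every grant from section 1 has to be found and removed, including “Send on Behalf”, which the revoke commands above do not cover. The following is an added example, not part of the original article or its script; the function name Revoke-TrusteeDelegation is hypothetical, Suzan is the article's sample user, and an open remote PowerShell session to Exchange Online is assumed.

```powershell
# Added example, not from the original article. Assumes an open remote
# PowerShell session to Exchange Online; the function name is hypothetical.
function Revoke-TrusteeDelegation {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$Trustee)

    # Stop early unless the trustee resolves to exactly one recipient
    $found = @(Get-Recipient -Identity $Trustee -ErrorAction Stop)
    if ($found.Count -ne 1) { throw "Trustee '$Trustee' is not unique." }
    $dn = $found[0].DistinguishedName

    # 1. Full Access: explicit entries the trustee holds on any mailbox
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $held = Get-MailboxPermission -Identity $mbx.DistinguishedName -User $Trustee |
            Where-Object { -not $_.IsInherited -and $_.AccessRights -match 'FullAccess' }
        if ($held -and $PSCmdlet.ShouldProcess($mbx.Name, "Remove FullAccess for $Trustee")) {
            Remove-MailboxPermission -Identity $mbx.DistinguishedName -User $Trustee `
                -AccessRights FullAccess -Confirm:$false
        }
    }

    # 2. Send As: every recipient on which the trustee is listed
    Get-RecipientPermission -Trustee $Trustee -ResultSize Unlimited |
        Where-Object { $_.AccessRights -match 'SendAs' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Identity, "Remove SendAs for $Trustee")) {
                Remove-RecipientPermission -Identity $_.Identity -Trustee $Trustee `
                    -AccessRights SendAs -Confirm:$false
            }
        }

    # 3. Send on Behalf: this filter takes the trustee's distinguished name
    $safeDn = $dn -replace "'", "''"
    $filter = "GrantSendOnBehalfTo -eq '$safeDn'"
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -Filter $filter) {
        if ($PSCmdlet.ShouldProcess($mbx.Name, "Remove Send on Behalf for $Trustee")) {
            # @{Remove=...} drops one delegate and keeps the others
            Set-Mailbox -Identity $mbx.DistinguishedName -GrantSendOnBehalfTo @{ Remove = $dn }
        }
    }
}

# Preview only: lists what would be revoked, changes nothing
Revoke-TrusteeDelegation -Trustee Suzan -WhatIf
```

Run it without -WhatIf to be prompted for each removal.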

Script Box

For your convenience, I have “wrapped” all of the PowerShell commands that were reviewed in a PowerShell script named: Mailbox-Permissions.ps1

Comments

  1. Useful collection of PS cmds. Thanks O365info!

    1. Hi,

      Many thanks for the article, very helpful.
      I have one question.
      In my company we are using a GMB (Generic Mailbox) for information exchange. People have Full Access to it; they should also have Send on Behalf Of access. To simplify access, I have created a Distribution List (DL) and included this DL as a "Full Access" member of the GMB (with this everything is fine). I have tried to include the DL in the GMB's Send on Behalf Of, but it didn't find my DL via EMC. I have tried to do it via EMS, but my attempt failed.
      My command:
      Set-Mailbox -Identity "Name of GMB" -GrantSendOnBehalfTo "Name of DL"

      Could you please advise on this issue? What should I do?

      Thank you

    2. Hello Irop
      The answer is that you should configure the group (the DL) as a security group. In the Exchange Online environment, you can create the security group from the Exchange Online web management. The security group is configured automatically as a mail-enabled group and, from the user's point of view, serves as a "standard distribution group". The difference between a mail-enabled security group and a standard distribution group is that you cannot assign permissions to a distribution group. If you try to assign Send As permission to a standard distribution group (using PowerShell), you will get an error such as: "User or group "DL NAME" wasn't found. Please make sure you've typed it correctly."

  2. Hi, in lieu of public folders being rolled out in o365, we are using a user's mailbox as the storage area for our numerous sub-folders. We have granted the permissions using Outlook, but are experiencing problems with this - folders are not always visible even though the permissions haven't changed (new folders/sub-folders being created and inheriting the properties of the one above). It has been suggested in the o365 community that I set the permissions using PowerShell. Are you able to assist me with the relevant commands please? I do not want to grant open access to this user's Inbox, just to the sub-folders of that Inbox where our shared emails are stored.

    Many thanks.

  3. I tried to read some information about your request.
    I have found an article (http://community.office365.com/en-us/forums/160/p/43423/147639.aspx) that suggests using the “Recurse” option, with the following PowerShell command:
    Get-MailboxFolder –Identity :\ -Recurse | Add-MailboxFolderPermission -User -AccessRights Owner
    By using this option, the permission that you assign to the “parent folder” will be inherited by all of the “child folders” at any level.
    A little fact that was not mentioned is that, to be able to use this PowerShell command, you will need to create the remote PowerShell session using the credentials of the user whose folder you need to assign the permission to (login as “user1” in our example).
    (You can read more information at the following link: http://technet.microsoft.com/en-us/library/dd351164.aspx )
    Generally speaking, it’s not so obvious to use a “user mailbox” to mimic the concept of a public folder.
    The next version of Office 365 and Exchange Online will include support for Public folders, so maybe it's worth waiting for a while.

  4. How to remove send on behalf permission using the script???

  5. congratulations and thanks for this very useful site.

  6. How can I get an email address (kind of UserPrincipalName) instead of User ?

    I use the cmdlet get-mail $_.user | select UserPrincipalName in a foreach but it is very very so long. Any other idea ?

    Thank you so much.

  7. Thanks for all that, but I want to give read-only permission to two users at one time on a single mailbox, meaning I use one PowerShell command.

  8. How to give permission to 2 or 3 users for read-only access to a single mailbox? I want to know what command I can use for the same.

