How to Use Add-MailboxPermission in PowerShell

When it comes to managing permissions in Exchange, the Add-MailboxPermission cmdlet is your go-to tool for giving users access to mailboxes, whether it’s for full management or specific tasks.

In this article, I’ll walk through how to use Add-MailboxPermission step-by-step, complete with practical examples to help you get it right and avoid common pitfalls.

What is the Add-MailboxPermission Cmdlet?

The Add-MailboxPermission cmdlet is a PowerShell command used to grant specific permissions to users for accessing mailboxes in Exchange environments, whether on-premises or in Exchange Online.

This cmdlet allows administrators to assign rights like Full Access or Read Permission to a user or group, enabling them to manage or view the mailbox's content. It's useful for sharing resources, such as giving team members access to shared mailboxes or allowing someone to manage a colleague's inbox while they're away.

Below is the Add-MailboxPermission’s syntax followed by a brief explanation of each parameter:

Add-MailboxPermission
    [-Identity] <MailboxIdParameter>
    -AccessRights <MailboxRights[]>
    -User <SecurityPrincipalIdParameter>
    [-AutoMapping <Boolean>]
    [-Confirm]
    [-Deny]
    [-DomainController <Fqdn>]
    [-GroupMailbox]
    [-IgnoreDefaultScope]
    [-InheritanceType <ActiveDirectorySecurityInheritance>]
    [-WhatIf]
    [<CommonParameters>]

  • Identity: Identifies the mailbox to add permissions to.
  • AccessRights: Defines the level of access (e.g., FullAccess, ReadPermission).
  • User: Specifies who gets the permissions.
  • AutoMapping: Controls whether the mailbox is auto-mapped in Outlook.
  • Confirm: Requests confirmation before execution.
  • Deny: Denies the specified permissions to the user.
  • DomainController: Sets the domain controller for Active Directory operations (on-premises only).
  • GroupMailbox: Specifies if permissions are for a Microsoft 365 Group mailbox.
  • IgnoreDefaultScope: Expands the command's scope to the entire forest.
  • InheritanceType: Determines how permissions apply to mailbox folders.
  • WhatIf: Simulates the action without making changes.

What Can You Use the Add-MailboxPermission Command For?

Let’s see 3 use cases for the Add-MailboxPermission cmdlet:

  1. Delegating Access: Grant a user full access to another user's mailbox, allowing them to read, send, and manage emails on behalf of that user, which is helpful for administrative support roles.
  2. Resource Mailbox Management: Assign permissions to users for resource mailboxes (like conference rooms), enabling them to book and manage meeting spaces within an organization.
  3. Managing Group Mailbox Access: Add permissions to a Microsoft 365 Group mailbox, allowing members to collaborate and share emails, calendars and files within the group.

Add-MailboxPermission vs Get-MailboxPermission: Key Differences Explained

It is worth noting that Get-MailboxPermission and Add-MailboxPermission, although similar, are not the same.

The Add-MailboxPermission cmdlet is used to assign specific access rights to a mailbox for a user, while the Get-MailboxPermission cmdlet retrieves and displays the current permissions assigned to a mailbox, allowing administrators to review who has access and what rights they hold.

The table below highlights the key differences between the two cmdlets:

 

| | Add-MailboxPermission | Get-MailboxPermission |
|---|---|---|
| Purpose | Adds permissions to a mailbox for a user | Retrieves mailbox permissions |
| Primary Use Case | Assigning permissions to grant access | Auditing or checking existing permissions |
| Role Required | Mailbox Admin or higher | Any user with permissions viewing rights |
| Default Permission Level | None (must specify with -AccessRights) | Shows all permissions if not filtered |

Prerequisites to Use Add-MailboxPermission in PowerShell

Before using the Add-MailboxPermission cmdlet, you need to meet the following prerequisites:

  • Appropriate Permissions: Ensure that you have the necessary permissions assigned to you. You need to be a member of a role group that includes the Mailbox Import Export role, or have been explicitly assigned permissions to manage mailbox permissions.
  • Exchange Environment: Confirm that you're operating in an appropriate Exchange environment, as this cmdlet is applicable in both on-premises Exchange and Exchange Online, but some parameters might be exclusive to one environment.
  • Access to the Mailbox: Verify that the mailbox to which you want to add permissions exists and is accessible. You should also ensure that the mailbox is not a shared or resource mailbox that might have specific management restrictions.

Using Add-MailboxPermission Step by Step

Using Add-MailboxPermission is quite simple, so let’s see how to do it in just five steps.

Step 1: Connect to Exchange PowerShell

Before running the Add-MailboxPermission cmdlet, establish a connection to Exchange PowerShell. For on-premises Exchange environments, open the Exchange Management Shell on your server. To connect to Exchange Online, you can use this cmdlet:

Connect-ExchangeOnline -UserPrincipalName admin@meetingroom365.com

Replace admin@meetingroom365.com with your administrator account and proceed. Remember that the Exchange Online Management module needs to be installed before Connect-ExchangeOnline is available.

Step 2: Identify the Target Mailbox and User

First, identify the mailbox to which you want to assign permissions and the user who will receive them. Acceptable values include the mailbox's email address, alias, or GUID. For example:

  • Mailbox: "Simon Mail"
  • User: "James Smith"

This clarity ensures that you are assigning the correct permissions to the right mailbox. An example command is:

Add-MailboxPermission -Identity "Simon Mail" -User "James Smith" -AccessRights FullAccess -InheritanceType All

Here, the -Identity parameter specifies "Simon Mail" as the mailbox, and the -User parameter assigns "James Smith" Full Access permissions. The -InheritanceType All option ensures permissions apply across all mailbox folders.

Step 3: Specify Access Rights

Now, determine the level of access you want to grant. Options include FullAccess, SendAs, or ReadPermission.

In most scenarios, Full Access is used to allow the designated user to manage the entire mailbox, but remember this does not grant permission to send emails as the mailbox owner. For example:

Add-MailboxPermission -Identity "Marketing Mailbox" -User "Project Manager" -AccessRights FullAccess -InheritanceType All

In this case, the command gives the "Project Manager" Full Access to the "Marketing Mailbox," allowing complete control over the content and folders.

Step 4: Adjust Auto-Mapping Settings (Optional - Do Only If Needed)

Mailboxes are auto-mapped in Outlook by default when Full Access is granted. To prevent auto-mapping, which can clutter a user’s Outlook profile, use the -AutoMapping $false parameter. For instance:

Add-MailboxPermission -Identity "Finance Mailbox" -User "Controller" -AccessRights FullAccess -InheritanceType All -AutoMapping $false

This command ensures the "Controller" has Full Access without auto-mapping the "Finance Mailbox" to their Outlook profile. Use this setting when the mailbox is not required to be visible by default, helping optimize the user’s mailbox management experience.

Step 5: Verify and Confirm the Permission Changes

Finally, we advise you to double-check that permissions have been correctly assigned. To do this, use the Get-MailboxPermission cmdlet:

Get-MailboxPermission -Identity "Simon Mail" -User "James Smith"

This command filters and confirms that "James Smith" has the correct permissions on "Simon Mail" mailbox.
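
The five steps above combined into one reviewable grant, as an added example that is not part of the original article: it resolves the mailbox, records the existing explicit grants, supports a -WhatIf preview, and reads the new entry back. The function names, mailbox and delegate addresses are hypothetical placeholders, and an already connected Exchange session is assumed.

```powershell
# Added example. Function names and addresses are hypothetical placeholders.
# Assumes an existing session (Exchange Management Shell or Connect-ExchangeOnline).

function Get-ExplicitMailboxGrant {
    # Explicit (non-inherited) allow entries on one mailbox, excluding built-in entries such as SELF.
    param([Parameter(Mandatory)] [string] $Mailbox)
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            "$($_.User)" -notlike 'NT AUTHORITY\*'
        } |
        Select-Object Identity, User, AccessRights
}

function Grant-ReviewedFullAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $Delegate,
        [bool] $AutoMapping = $false
    )

    # Stop if the identity does not resolve to exactly one mailbox.
    $mbx = @(Get-Mailbox -Identity $Mailbox -ErrorAction Stop)
    if ($mbx.Count -ne 1) { throw "Identity '$Mailbox' matched $($mbx.Count) mailboxes." }
    $target = "$($mbx[0].PrimarySmtpAddress)"

    # Record who already holds explicit rights before adding another delegate.
    $before = @(Get-ExplicitMailboxGrant -Mailbox $target)
    Write-Verbose "Explicit grants on $target before change: $($before.Count)"

    # With -WhatIf, ShouldProcess prints the intended change and returns $false.
    if ($PSCmdlet.ShouldProcess($target, "Grant FullAccess to $Delegate")) {
        Add-MailboxPermission -Identity $target -User $Delegate -AccessRights FullAccess `
            -InheritanceType All -AutoMapping $AutoMapping -Confirm:$false | Out-Null

        # Read the entry back; an empty result means the grant did not apply.
        $entry = Get-MailboxPermission -Identity $target -User $Delegate
        if (-not $entry) { throw "No permission entry found for $Delegate on $target." }
        $entry | Select-Object Identity, User, AccessRights, IsInherited, Deny
    }
}

# Preview the change (constructed names); rerun without -WhatIf to apply it.
Grant-ReviewedFullAccess -Mailbox 'finance@example.com' -Delegate 'controller@example.com' -WhatIf
```

Running Get-ExplicitMailboxGrant on its own gives the list of current delegates for a mailbox, which is the same check the verification step performs for a single user.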

Wrapping Up: Executing Add-MailboxPermission in PowerShell

Understanding and properly using the Add-MailboxPermission cmdlet can make a huge difference in how effectively you manage mailbox access in your organization.

Key takeaways from this guide on using the Add-MailboxPermission cmdlet include:

  1. You can use Add-MailboxPermission to grant specific permissions to users on mailboxes, like Full Access, for efficient mailbox management.
  2. Following best practices ensures permissions are accurately assigned, which helps you avoid error messages.
  3. The cmdlet Add-MailboxPermission is for assigning permissions, while Get-MailboxPermission retrieves and views current permissions.