Add-MailboxPermission

Office 365 Mailbox Delegation

Sometimes you need to grant a user access to another Office 365 mailbox. This is standard practice for shared mailboxes and Room and Equipment mailboxes.

You may also need to delegate access to regular user mailboxes, e.g. if a secretary should manage a manager’s mailbox.

In Office 365, there are three types of delegation on a regular user mailbox:

  • Send As
  • Send on Behalf
  • Full Access

This post will show you how to perform the delegation using the PowerShell command Add-MailboxPermission.

You’ll also see how to do it via the Exchange Admin Center and via the standard AD Users & Computers management console.

Mailbox Delegation Using PowerShell

Use the Add-MailboxPermission PowerShell command to delegate access to your Office 365 mailbox. The below example shows you how:
Connect-ExchangeOnline
Add-MailboxPermission tycho.brahe@observatory.dk -User ole.roemer@observatory.dk -AccessRights FullAccess
  1. Start by establishing a connection with Exchange Online (lines 1).
  2. Delegate access to the mailbox using the Add-MailboxPermission command (line 2).

To review your change, use Get-MailboxPermission. The output may look similar to this:

PS C:\Windows\system32> Get-MailboxPermission tycho.brahe@observatory.onmicrosoft.com | ft User,AccessRights,IsInherited,Deny
User                                           AccessRights                                                            IsInherited Deny
----                                           ------------                                                            ----------- ----
NT AUTHORITY\SELF                              {FullAccess, ReadPermission}                                                  False False
niels.bohr@observatory.onmicrosoft.com         {FullAccess}                                                                  False False
EURP189\Administrator                          {FullAccess}                                                                   True True
EURP189\Domain Admins                          {FullAccess}                                                                   True True
EURP189\Enterprise Admins                      {FullAccess}                                                                   True True
EURP189\Organization Management                {FullAccess}                                                                   True True
EURP189\AM5P18901MB0148$                       {FullAccess}                                                                   True True
NT AUTHORITY\SYSTEM                            {FullAccess}                                                                   True False
NT AUTHORITY\NETWORK SERVICE                   {ReadPermission}                                                               True False
EURP189\Administrator                          {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}        True False
EURP189\Domain Admins                          {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}        True False
EURP189\Enterprise Admins                      {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}        True False
EURP189\Organization Management                {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}        True False
EURP189\Public Folder Management               {ReadPermission}                                                               True False
EURP189\Exchange Servers                       {FullAccess, ReadPermission}                                                   True False
EURP189\Exchange Trusted Subsystem             {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}        True False
EURP189\Managed Availability Servers           {ReadPermission}                                                               True False
EURP189\AM5P18901MB0148$                       {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}        True False
S-1-5-21-1589316702-2032257147-3807288276-5106 {ReadPermission}                                                               True False
PRDTSB01\JitUsers                              {ReadPermission}                                                               True False

Notice that there are a lot of default permissions.

You can clean up your output by using some filtering:

PS C:\Windows\system32> Get-MailboxPermission tycho.brahe@observatory.onmicrosoft.com | ? {$_.User -like 'ole.roemer*'} | ft User,AccessRights,IsInherited,Deny
User                                   AccessRights     IsInherited Deny
----                                   ------------     ----------- ----
ole.roemer@observatory.onmicrosoft.com {FullAccess}           False False

Mailbox Delegation Using Active Directory Users & Computers

A more convenient option is to perform the mailbox delegation using the Active Directory Users & Computers management console.

You need to have the Easy365Manager snapin installed to follow this procedure. You can download a free, fully-functional 30-day trial here.

Open up user properties and go to the Mailbox tab. Click on Mailbox Delegation. Then add the delegatees to the selected type of delegation:

How to configure shared mailbox access with Easy365Manager

Delegating Mailbox Access Using Exchange Admin Center

You can also delegate mailbox access using the Exchange Admin Center. Follow the below steps to delegate permissions to a mailbox.

Open up the Exchange Admin Center using your admin account and locate the mailbox you want to delegate access to:

Office 365 Mailbox Delegation User Properties

Open up mailbox properties and select Mailbox Delegation:

Select what type of access you want to delegate and add the delegates.

Summary

We’ve been looking at delegating mailbox permissions using PowerShell, AD Users & Computers (with the Easy365Manager snap-in), and Exchange Admin Center.

With Easy365Manager you can

  • Manage all mail attributes and mailbox delegation in AD Users & Computers
  • Manage Office 365 licenses and Office 365 mailboxes in AD Users & Computers
  • Remove your on-premises Exchange Server

For the most common questions regarding installation, licensing and security read our FAQ.

For a complete list of features look here.