When you are granting access for one user to access another mailbox, whether that be another user’s mailbox or a shared mailbox, you can configure the access using either mailbox permissions or mailbox folder permissions. The two approaches are suitable for different scenarios.
Mailbox Permissions
Mailbox permissions are used to grant access to an entire mailbox. Every folder within the mailbox, whether it be the Inbox, Calendar, or Contacts, allows the same level of access, when mailbox permissions are used.
The access granted through mailbox permissions is “Full Access”, meaning that the user can read, write, edit, create, delete, and so on.
When you assign mailbox permissions, you have the option to enable or disable auto-mapping. Auto-mapping will automatically connect Outlook users to mailboxes that they have been granted mailbox permissions to. This happens through Autodiscover, and Auto-mapping is enabled by default. When you grant a user mailbox permission to another mailbox you can optionally disable auto-mapping, in which case the user needs to manually open or add the mailbox to their Outlook profile.
However, Auto-mapping only works if you grant mailbox permissions to a user directly. If you grant mailbox permissions to a security group that the user is a member of, they’ll get access to the mailbox but auto-mapping won’t work at all.
More info:
- How to Grant Full Mailbox Access for a User
- How to List All Users Who Have Access to Other Exchange Mailboxes
- Exchange Best Practices: Administrator Access to User Mailboxes
- Unexpected Permissions Appearing on Exchange Server Mailboxes
- Removing an Auto-Mapped Mailbox from Outlook
Mailbox Folder Permissions
Mailbox Folder Permissions grant access to specific mailbox folders only. So if you grant a user permissions to the Inbox, they won’t get access to the Calendar as well.
Mailbox Folder Permissions can actually be configured by the mailbox owner themselves using Outlook. But administrators can do it as well, and are usually asked to handle it for the users anyway, especially for shared mailboxes.
When you use mailbox folder permissions, there’s a lot more control for the level of access granted. You can grant full access, or editor access, or reviewer access (which is like Read Only access). It’s not an all or nothing approach.
As a potential downside though, when you configure mailbox folder permissions, auto-mapping is not used at all. Users will always need to manually add mailboxes to their Outlook profile, if their access has been granted using mailbox folder permissions.
A common usage of mailbox folder permissions is granting read-only access to a specific mailbox folder. This can be achieved by granting a user the Reviewer role for the folder. Reviewer allows read access to the mailbox folder items, but no other access (e.g. the user can’t create items or delete existing items).
More info:
I am looking for a way to avoid users from changing the default and anonymous folder permissions from none to owner by themselves, is there a policy we can set in place to avoid users from making this on OWA so then it replicates to the outlook client, is not to remove the Default and Anonymous but to disable users ability to do this via desktop client or webmail when sharing permissions on folders
Hi Paul,
Iam having issue with one of my client.He is unable to view folders in shared mailbox.Same goes with the web verion as well.
I have tried all the options i could suggest to the user but still the same issue persist.
Can you please help me out what can be the issue?
How can i give access to a shared mailbox without giving acess to the sub folder
Hi Paul, I have a shared mailbox used by approx 10 users. I want to restrict 4 users so they only access one folder in the shared mailbox but could still reply from/to. Can this be done via outlook?
Thanks
Is there a way to deny a user from modifying the permission on their mailbox or from modifying permissions on a shared mailbox they are owner of? We would rather this be done by the mail team to avoid too much commissioning being done by a user. We see lots of time were the default ends up being given full access.
I’ve delegated access to my calendar to my assistant but did NOT check the box to allow her to see private items. And yet she can see private items. Any idea how to prevent this since apparently not checking the box that is supposed to control that access doesn’t work?
Dito this, there seems to be no solution to this
I assume items meant to be private are indeed marked as “private” when created in your calendar?
If such private items are created on your mobile device, make sure the calendar App you are using is fully compatible with Exchange as many (built-in) calendars do not even feature the possibility to mark items as private!
Also, private means they are still visible to your delegate(s), which makes perfectly sense as your delegate is supposed to check for your free/busy time, however without showing any details.
Hey Paul,
I am trying to create a script that will set everyone in my organization to a reviewer for their calendar permissions so that everyone can read everyone mailbox. The issue im running into is that my script is to broad I need to narrow it down and cut out the shared mailboxes, offboarded users, and service accounts. But am unable to figure out how I can exclude these groups this is the script im currently using any help would be greatly appreciated.
$credential = Get-Credential
$Session = New-PSSession -ConnectionUri “https://outlook.office365.com/powershell-liveid/” -ConfigurationName Microsoft.Exchange -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $Session
$AllMailboxs = Get-Mailbox -Resultsize Unlimited -RecipientTypeDetails UserMailbox
Foreach ($user in $AllMailboxs)
{Set-mailboxfolderpermission –identity ($user.alias+’:\calendar’) –user Default –Accessrights Reviewer}
Remove-PSSession $Session
I have a mailbox name ABC@domain.com
I have a shared mailbox name XYZ@domain.com
ABC has Full access on XYZ
Now I need ABC to have Reviewer permission only on XYZ calendar.
I used powershell command: Add-mailboxfolderpermission –Identity XYZ@domain.com:\calendar -user ABC@domain.com –accessrights reviewer
Note: ABC still have Full Access permission on XYZ
Will Reviewer permission take precedence over Full access permission ?
If a permission already exists for that user, change the ‘Add’ part of the cmdlet to ‘Set’ so that it becomes Set-MailboxFolderPermission. Otherwise the command returns an error stating that permissions already exist on that mailbox for that user.
why can’t i delete a contact folder in my outlook which is synchronized with a gmail account
I have faced a problem, there is 1.default none and 2.default owner in a mailboxfolderpermission,
using owner’soutlook still cannot change from default owner to none/reviewer.
using powershell also nothing change.
If I granted full access to a room mailbox shouldn’t I also see full access when querying the permission set on a specific folder (for example the calendar)? One shows an account with full access to the mailbox, while the other shows nothing assigned on the calendar folder for the same user. I was expecting to see full access?
Get-Mailbox –RecipientTypeDetails ‘RoomMailbox’ | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Format-Table Identity, User, AccessRights –AutoSize
versus
Get-MailboxFolderPermission -Identity “email address”:\Calendar
I wouldn’t assume so, since they are different permission types. Are you only seeing the behavior with room mailboxes? If it’s happening with any mailbox type, then I would assume it’s normal behavior.
Hello,
good article, thanks!
Is it possible to use folder permissions to share a folder that is not a subfolder of the inbox but is located on the same level?
I tried and did not succeed – any hints?
(we move our e-mails from the inbox to a folder structure; we found it cleaner to have these folders not within the inbox – maybe a mistake?)
Thanks a lot!
It should work, but you haven’t described exactly what steps you took, or what “did not succeed” means exactly.
“it should work” is good news, thanks 🙂
My “mail archive” folder is on the root level, i.e. on the same level as inbox and sent items, deleted items, drafts folders, contacts, calendars, etc.
(the English names might not be accurate, sorry, since our Outlook is not English).
There are several subfolders in “mail archive”, one of which I want to share with another Outlook user.
Both our accounts are on the same Exchange server (hosted by Microsoft). We are both using Outlook 2016.
I used folder permissions to give that other user permissions to see the account itself, and the “archive”.
For the folder to be shared I gave additional permissions to read.
In the other user’s Outlook I used File / Open and Export / Folder of another user and chose type as “Inbox”. Outlook seems to retrieve something, but finally does not display anything.
When I do the same but remove the permissions before then Outlook complains so I conclude the permissions are somehow working. Still, I am not able to see any content, and also I do not get the shared folder listed in the folder tree of that user’s Outlook.
Running out of other ideas I started to worry that the location of our “mail archive” might be the cause but now you are giving me hope!
Any hints and ideas are appreciated!
Thanks!
“I used folder permissions to give that other user permissions to see the account itself…”
What permission did you grant?
Also, have you tried adding the mailbox as a secondary mailbox to the profile?
https://support.office.com/en-us/article/open-and-use-a-shared-mailbox-in-outlook-2016-and-outlook-2013-d94a8e9e-21f1-4240-808b-de9c9c088afd
Finally I found some statement on a web site that folder permissions does not work for my folders (just for the inbox).
Another approach seemed to be “Open these additional mailboxes” in the advanced account settings – but this option was greyed out 🙁
Spending more time on research I found that only your primary account can use that, but unfortunately the account in question was not primary.
Simplest work-around for me was to create new profile with this account as primary account, add the other mailbox (which is sharing the folders mentioned above) as additional mailbox and voila, now it works.
So my learnings:
1)
“File / Open and Export / Folder of another user” works only for the standard folders like “Inbox” for e-mail
2)
“File / Open and Export / Folder of another user” is a temporary solution for e-mail since it will not permanently add the shared folder to the folder tree (albeit for Contacts it does – weird)
3)
So “Open these additional mailboxes” was always what I needed but is enabled only for primary accounts – which is not the same thing as the standard or default account.
I hope my learnings might help others.
Thanks a lot, Paul, for trying to help and providing this platform!
Hey,
Good article. But now my question 😉
What in a situation, when I have granted the editor permission on one particular folder (eq. an inbox) and in parallel, there is a mailbox permission set to ReadPermission ?
Which permission will be treated with higher priority ?
Thank you in advance for your reply.
Why not set up a test scenario and find out?
Thanks for the article! We have a shared Office 365 mailbox for all our job applications but need to sometimes prevent users from seeing the folders that relate to their own recruitment. I have no experience with mailbox folder permissions but I take from your article that I can give permission for a user to see the inbox or subfolder where new applications lie but not any of the others? Is this possible to administer via the Office 365 exchange admin center?
Mailbox folder permissions can be managed using PowerShell (by an administrator) or from within Outlook (by an owner of the mailbox).
Fantastic. Very helpful.
Bug in script on line 119. Angled quotes were used in place of standard quotes. Not sure what the word is for them but I hope this helps. I couldn’t use this script until I swapped the quotes out.
Thanks!
S-C
Which script?
Awesome article!!
I want a user to be able to open another users inbox, but not see everything in their mailbox. So I did a command like: Add-MailboxFolderPermission -Identity usersharing@domain.com:\inbox –user needaccess@domain.com -AccessRights owner. When the user needaccess opens outlook I add an additional mailbox usersharing. The mailbox name is displayed, but when I click the triangle to expand it to see the inbox folder an error appears: Cannot expand the folder. What am I missing?
Thanks a million!!
You’ll need to grant permissions to the Top of Information store as well. Read access should be enough. See this post for details.
https://www.practical365.com/exchange-server/grant-read-access-exchange-mailbox/
That fixed it. Thanks a million!!!
Thanks for this, Paul. It’s super-fast and foolproof. I had to restore one particular shared mailbox 5 times (!) in 2017 thanks to the end users wiping out the data.
Hi Paul,
Do you know if there is anyway to deny the Owner Access to his/her Mailbox?
I happen to have a generic Mailbox but I dont want the Owner to access it, only the delegated users.
Thank you!
No. If you want to have a shared mailbox, create a Shared mailbox.
Hi Paul,
nice article, thank you.
What is the difference between setting up folder permissions on EOL via PowerShell and doing the same in Outlook client? Or, in other words, can permissions set in Outlook be seen on the server?
Regards,
Dmitry
Yes I believe that you’ll see folder permissions that have been configured by the user in Outlook when you check with the PowerShell commands. If you’re unsure just set up a test case and try it yourself to see the outcome.
Can I set NonEditingAuthor role for some folder (Contacs by example) for owner of the mailbox?
Have you tried? I’ve never tried, so I don’t know the answer off hand.