When you are granting access for one user to access another mailbox, whether that be another user’s mailbox or a shared mailbox, you can configure the access using either mailbox permissions or mailbox folder permissions. The two approaches are suitable for different scenarios.

Mailbox Permissions

Mailbox permissions are used to grant access to an entire mailbox. Every folder within the mailbox, whether it be the Inbox, Calendar, or Contacts, allows the same level of access, when mailbox permissions are used.

The access granted through mailbox permissions is “Full Access”, meaning that the user can read, write, edit, create, delete, and so on.

When you assign mailbox permissions, you have the option to enable or disable auto-mapping. Auto-mapping will automatically connect Outlook users to mailboxes that they have been granted mailbox permissions to. This happens through Autodiscover, and Auto-mapping is enabled by default. When you grant a user mailbox permission to another mailbox you can optionally disable auto-mapping, in which case the user needs to manually open or add the mailbox to their Outlook profile.

However, Auto-mapping only works if you grant mailbox permissions to a user directly. If you grant mailbox permissions to a security group that the user is a member of, they’ll get access to the mailbox but auto-mapping won’t work at all.

More info:

Mailbox Folder Permissions

Mailbox Folder Permissions grant access to specific mailbox folders only. So if you grant a user permissions to the Inbox, they won’t get access to the Calendar as well.

Mailbox Folder Permissions can actually be configured by the mailbox owner themselves using Outlook. But administrators can do it as well, and are usually asked to handle it for the users anyway, especially for shared mailboxes.

When you use mailbox folder permissions, there’s a lot more control for the level of access granted. You can grant full access, or editor access, or reviewer access (which is like Read Only access). It’s not an all or nothing approach.

As a potential downside though, when you configure mailbox folder permissions, auto-mapping is not used at all. Users will always need to manually add mailboxes to their Outlook profile, if their access has been granted using mailbox folder permissions.

A common usage of mailbox folder permissions is granting read-only access to a specific mailbox folder. This can be achieved by granting a user the Reviewer role for the folder. Reviewer allows read access to the mailbox folder items, but no other access (e.g. the user can’t create items or delete existing items).

More info:

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Charles Smith

    I am looking for a way to avoid users from changing the default and anonymous folder permissions from none to owner by themselves, is there a policy we can set in place to avoid users from making this on OWA so then it replicates to the outlook client, is not to remove the Default and Anonymous but to disable users ability to do this via desktop client or webmail when sharing permissions on folders

  2. Mahdi Bagali

    Hi Paul,

    Iam having issue with one of my client.He is unable to view folders in shared mailbox.Same goes with the web verion as well.

    I have tried all the options i could suggest to the user but still the same issue persist.

    Can you please help me out what can be the issue?

  3. Taino

    How can i give access to a shared mailbox without giving acess to the sub folder

  4. Fi Gibson

    Hi Paul, I have a shared mailbox used by approx 10 users. I want to restrict 4 users so they only access one folder in the shared mailbox but could still reply from/to. Can this be done via outlook?
    Thanks

  5. Kwise87

    Is there a way to deny a user from modifying the permission on their mailbox or from modifying permissions on a shared mailbox they are owner of? We would rather this be done by the mail team to avoid too much commissioning being done by a user. We see lots of time were the default ends up being given full access.

  6. CC

    I’ve delegated access to my calendar to my assistant but did NOT check the box to allow her to see private items. And yet she can see private items. Any idea how to prevent this since apparently not checking the box that is supposed to control that access doesn’t work?

    1. PHILIP M HARE

      Dito this, there seems to be no solution to this

      1. Martin

        I assume items meant to be private are indeed marked as “private” when created in your calendar?
        If such private items are created on your mobile device, make sure the calendar App you are using is fully compatible with Exchange as many (built-in) calendars do not even feature the possibility to mark items as private!
        Also, private means they are still visible to your delegate(s), which makes perfectly sense as your delegate is supposed to check for your free/busy time, however without showing any details.

  7. ZACH WARD

    Hey Paul,

    I am trying to create a script that will set everyone in my organization to a reviewer for their calendar permissions so that everyone can read everyone mailbox. The issue im running into is that my script is to broad I need to narrow it down and cut out the shared mailboxes, offboarded users, and service accounts. But am unable to figure out how I can exclude these groups this is the script im currently using any help would be greatly appreciated.

    $credential = Get-Credential

    $Session = New-PSSession -ConnectionUri “https://outlook.office365.com/powershell-liveid/” -ConfigurationName Microsoft.Exchange -Credential $credential -Authentication Basic -AllowRedirection
    Import-PSSession $Session

    $AllMailboxs = Get-Mailbox -Resultsize Unlimited -RecipientTypeDetails UserMailbox

    Foreach ($user in $AllMailboxs)

    {Set-mailboxfolderpermission –identity ($user.alias+’:\calendar’) –user Default –Accessrights Reviewer}

    Remove-PSSession $Session

  8. Aswath

    I have a mailbox name ABC@domain.com
    I have a shared mailbox name XYZ@domain.com

    ABC has Full access on XYZ

    Now I need ABC to have Reviewer permission only on XYZ calendar.

    I used powershell command: Add-mailboxfolderpermission –Identity XYZ@domain.com:\calendar -user ABC@domain.com –accessrights reviewer

    Note: ABC still have Full Access permission on XYZ

    Will Reviewer permission take precedence over Full access permission ?

    1. Gary McGarry

      If a permission already exists for that user, change the ‘Add’ part of the cmdlet to ‘Set’ so that it becomes Set-MailboxFolderPermission. Otherwise the command returns an error stating that permissions already exist on that mailbox for that user.

  9. Susana

    why can’t i delete a contact folder in my outlook which is synchronized with a gmail account

  10. bc

    I have faced a problem, there is 1.default none and 2.default owner in a mailboxfolderpermission,
    using owner’soutlook still cannot change from default owner to none/reviewer.
    using powershell also nothing change.

  11. DL

    If I granted full access to a room mailbox shouldn’t I also see full access when querying the permission set on a specific folder (for example the calendar)? One shows an account with full access to the mailbox, while the other shows nothing assigned on the calendar folder for the same user. I was expecting to see full access?

    Get-Mailbox –RecipientTypeDetails β€˜RoomMailbox’ | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Format-Table Identity, User, AccessRights –AutoSize

    versus

    Get-MailboxFolderPermission -Identity “email address”:\Calendar

  12. Matthias

    Hello,

    good article, thanks!

    Is it possible to use folder permissions to share a folder that is not a subfolder of the inbox but is located on the same level?
    I tried and did not succeed – any hints?

    (we move our e-mails from the inbox to a folder structure; we found it cleaner to have these folders not within the inbox – maybe a mistake?)

    Thanks a lot!

      1. Matthias

        “it should work” is good news, thanks πŸ™‚

        My “mail archive” folder is on the root level, i.e. on the same level as inbox and sent items, deleted items, drafts folders, contacts, calendars, etc.
        (the English names might not be accurate, sorry, since our Outlook is not English).

        There are several subfolders in “mail archive”, one of which I want to share with another Outlook user.
        Both our accounts are on the same Exchange server (hosted by Microsoft). We are both using Outlook 2016.

        I used folder permissions to give that other user permissions to see the account itself, and the “archive”.
        For the folder to be shared I gave additional permissions to read.

        In the other user’s Outlook I used File / Open and Export / Folder of another user and chose type as “Inbox”. Outlook seems to retrieve something, but finally does not display anything.

        When I do the same but remove the permissions before then Outlook complains so I conclude the permissions are somehow working. Still, I am not able to see any content, and also I do not get the shared folder listed in the folder tree of that user’s Outlook.

        Running out of other ideas I started to worry that the location of our “mail archive” might be the cause but now you are giving me hope!

        Any hints and ideas are appreciated!
        Thanks!

        1. Avatar photo

          “I used folder permissions to give that other user permissions to see the account itself…”

          What permission did you grant?

          Also, have you tried adding the mailbox as a secondary mailbox to the profile?

          https://support.office.com/en-us/article/open-and-use-a-shared-mailbox-in-outlook-2016-and-outlook-2013-d94a8e9e-21f1-4240-808b-de9c9c088afd

          1. Matthias

            Finally I found some statement on a web site that folder permissions does not work for my folders (just for the inbox).
            Another approach seemed to be “Open these additional mailboxes” in the advanced account settings – but this option was greyed out πŸ™

            Spending more time on research I found that only your primary account can use that, but unfortunately the account in question was not primary.
            Simplest work-around for me was to create new profile with this account as primary account, add the other mailbox (which is sharing the folders mentioned above) as additional mailbox and voila, now it works.

            So my learnings:

            1)
            “File / Open and Export / Folder of another user” works only for the standard folders like “Inbox” for e-mail

            2)
            “File / Open and Export / Folder of another user” is a temporary solution for e-mail since it will not permanently add the shared folder to the folder tree (albeit for Contacts it does – weird)

            3)
            So “Open these additional mailboxes” was always what I needed but is enabled only for primary accounts – which is not the same thing as the standard or default account.

            I hope my learnings might help others.

            Thanks a lot, Paul, for trying to help and providing this platform!

  13. Krzysztof

    Hey,
    Good article. But now my question πŸ˜‰
    What in a situation, when I have granted the editor permission on one particular folder (eq. an inbox) and in parallel, there is a mailbox permission set to ReadPermission ?
    Which permission will be treated with higher priority ?
    Thank you in advance for your reply.

  14. Ben Dyke

    Thanks for the article! We have a shared Office 365 mailbox for all our job applications but need to sometimes prevent users from seeing the folders that relate to their own recruitment. I have no experience with mailbox folder permissions but I take from your article that I can give permission for a user to see the inbox or subfolder where new applications lie but not any of the others? Is this possible to administer via the Office 365 exchange admin center?

  15. Sean-Colin

    Fantastic. Very helpful.

    Bug in script on line 119. Angled quotes were used in place of standard quotes. Not sure what the word is for them but I hope this helps. I couldn’t use this script until I swapped the quotes out.

    Thanks!

    S-C

  16. David

    Awesome article!!
    I want a user to be able to open another users inbox, but not see everything in their mailbox. So I did a command like: Add-MailboxFolderPermission -Identity usersharing@domain.com:\inbox –user needaccess@domain.com -AccessRights owner. When the user needaccess opens outlook I add an additional mailbox usersharing. The mailbox name is displayed, but when I click the triangle to expand it to see the inbox folder an error appears: Cannot expand the folder. What am I missing?
    Thanks a million!!

      1. David

        That fixed it. Thanks a million!!!

  17. David Geiger

    Thanks for this, Paul. It’s super-fast and foolproof. I had to restore one particular shared mailbox 5 times (!) in 2017 thanks to the end users wiping out the data.

  18. Gonzalo

    Hi Paul,

    Do you know if there is anyway to deny the Owner Access to his/her Mailbox?
    I happen to have a generic Mailbox but I dont want the Owner to access it, only the delegated users.
    Thank you!

  19. Dmitry

    Hi Paul,

    nice article, thank you.

    What is the difference between setting up folder permissions on EOL via PowerShell and doing the same in Outlook client? Or, in other words, can permissions set in Outlook be seen on the server?

    Regards,
    Dmitry

  20. Tomas Kundrat

    Can I set NonEditingAuthor role for some folder (Contacs by example) for owner of the mailbox?

Leave a Reply