How to Add or Set MailboxFolderPermission in PowerShell


Imagine this: you're an IT administrator in a fast-paced tech company. It's Monday morning, and you're already swamped with work when you get an urgent email from your HR department.

They can't access an important mailbox folder that holds time-sensitive documents for new hires. You quickly realize that this folder was recently migrated and now has incorrect permissions.

Not only does HR need access ASAP, but you also realize that this shared mailbox is currently accessible to employees who should have restricted access.

Now, you're racing against the clock to fix a ticking security time bomb.

In this guide, we'll walk you through the essentials of how to add or set MailboxFolderPermission in PowerShell, so you never have to face a situation like this.

What Is the Add-MailboxFolderPermission Command?

The problem described above brings us to the topic of managing MailboxFolderPermissions in PowerShell.

The MailboxFolderPermission command allows you to configure who can access specific mailbox folders in an Exchange environment, whether it's on-premises or online via Office 365. With PowerShell, you can add, modify, or remove permissions in bulk, which becomes especially handy in larger organizations.

Properly setting up MailboxFolderPermissions ensures that only authorized individuals can access sensitive information, thereby enhancing security while also facilitating collaboration where necessary.

Likewise, Set-MailboxFolderPermission is a cmdlet, available in on-premises Exchange Server and in the cloud-based service, that modifies existing permissions on mailbox folders.

Therefore, both of these commands have their own yet similar purpose: one allows you to add permissions, and the other one works to modify permissions that already exist, all within PowerShell.

Understanding the Set and Add-MailboxFolderPermission Commands

Managing multiple mailboxes is easier by using PowerShell commands on Microsoft Exchange.

However, before we use these commands, it is important to understand them.

The syntax of the Add-MailboxFolderPermission command consists of several parameters, and each one has a meaning. This is what the complete Add-MailboxFolderPermission syntax looks like:

Add-MailboxFolderPermission
   [-Identity] <MailboxFolderIdParameter>
   -AccessRights <MailboxFolderAccessRight[]>
   -User <MailboxFolderUserIdParameter>
   [-Confirm]
   [-DomainController <Fqdn>]
   [-SendNotificationToUser <Boolean>]
   [-SharingPermissionFlags <MailboxFolderPermissionFlags>]
   [-WhatIf]
   [<CommonParameters>]



Likewise, this is the complete syntax of the Set-MailboxFolderPermission:

Set-MailboxFolderPermission
   [-Identity] <MailboxFolderIdParameter>
   -AccessRights <MailboxFolderAccessRight[]>
   -User <MailboxFolderUserIdParameter>
   [-Confirm]
   [-DomainController <Fqdn>]
   [-SendNotificationToUser <Boolean>]
   [-SharingPermissionFlags <MailboxFolderPermissionFlags>]
   [-WhatIf]
   [<CommonParameters>]



Each of these parameters has a meaning. First, let’s talk about AccessRights.

The AccessRights parameter specifies the permissions that can be granted to individual or multiple users:

  • None: The user has no permission to see or interact with the folder or its contents.
  • CreateItems: The user can make new items within the chosen folder.
  • CreateSubfolders: The user can create subfolders within the chosen folder.
  • DeleteAllItems: The user has the ability to remove all items in the chosen folder.
  • DeleteOwnedItems: The user can exclusively delete items they personally created from the chosen folder.
  • EditAllItems: The user has the authority to modify all items in the chosen folder.
  • EditOwnedItems: The user is permitted to modify only the items they themselves created within the chosen folder.
  • FolderContact: The user is listed as the point of contact for the specified public folder.
  • FolderOwner: The user holds ownership of the designated folder. They can view, move, and make subfolders, but are unable to read, modify, delete, or create items.
  • FolderVisible: The user can observe the chosen folder, yet they cannot read or alter the items within it.
  • ReadItems: The user has permission to read the items inside the selected folder.

Likewise, there are predefined permission roles that can be assigned to users on a mailbox folder by using the aforementioned commands. Each role below is followed by its description, which is the set of access rights it combines:

  • Author: CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
  • Contributor: CreateItems, FolderVisible
  • Editor: CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
  • NonEditingAuthor: CreateItems, DeleteOwnedItems, FolderVisible, ReadItems
  • Owner: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
  • PublishingAuthor: CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
  • PublishingEditor: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
  • Reviewer: FolderVisible, ReadItems
  • AvailabilityOnly (only for calendar folders): View only availability data
  • LimitedDetails (only for calendar folders): View availability data with subject and location



Let’s briefly explain what the other parameters mean:

  • Confirm: This switch decides whether to display a confirmation prompt, impacting the command's behavior based on whether confirmation is needed; for certain commands, -Confirm:$false can be used to skip the prompt.
  • DomainController: This parameter is used in on-premises Exchange environments to specify the domain controller from which the cmdlet reads or writes Active Directory data.
  • Identity: This parameter specifies the target mailbox and folder using the format MailboxID:\ParentFolder[\SubFolder], where MailboxID is any value that uniquely identifies the mailbox.
  • SendNotificationToUser: In the cloud-based service, it determines if a sharing invitation is sent to a user when calendar permissions are added.
  • SharingPermissionFlags: In the cloud-based service, it sets calendar delegate permissions; used with AccessRights Editor, it offers values like Delegate (the user becomes a delegate and the meeting message rule is created) and CanViewPrivateItems.
  • User: Specifies the recipient who receives permission to the mailbox folder, accepting identifiers like name, alias, email address, etc.
  • WhatIf: This switch simulates the command's actions without actually applying changes, letting you preview outcomes before committing.

By understanding the meaning of each parameter, modifying or adding permissions to users through PowerShell commands becomes easier.

Prerequisites to Add or Set Mailbox Folder Permissions on PowerShell

It is worth noting that not all users can run cmdlets on PowerShell.

For starters, it is important to find the Microsoft Exchange PowerShell permissions required to run cmdlets such as Add-MailboxFolderPermission and Set-MailboxFolderPermission.

According to Microsoft, this is the best way to check what roles you need to run the desired commands:

  1. Open PowerShell: Open the PowerShell environment on your computer. You can usually find it by searching for "PowerShell" in the Windows Start menu.
  2. Connect to Exchange: Depending on the version of Exchange you're using, you need to connect to the appropriate PowerShell environment.
  3. Run the Following Command: Run this command in PowerShell: $Perms = Get-ManagementRole -Cmdlet <Cmdlet>. Replace <Cmdlet> with the desired command, for instance, Add-MailboxFolderPermission.
  4. Interpret the Results: The results display the granted access level (role), the type of entity assigned the role (such as user or group), and the entity's name. This will let you know what role or permissions you need in order to run the desired cmdlet command. The roles are provided by administrators, who are in charge of setting existing permissions for users within an organization.
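
The role lookup from the steps above, written out as an added example (not code from the original guide or from Microsoft). It extends the single Get-ManagementRole command with Get-ManagementRoleAssignment so the output shows the role, assignee type and assignee name that step 4 describes, for all three folder-permission cmdlets; it assumes an Exchange session is already connected.

```powershell
# Added example: list every role assignment that lets someone run the
# folder-permission cmdlets. Requires an existing Exchange session
# (Connect-ExchangeOnline or the Exchange Management Shell).
$cmdlets = 'Add-MailboxFolderPermission',
           'Set-MailboxFolderPermission',
           'Remove-MailboxFolderPermission'

$report = foreach ($cmdlet in $cmdlets) {
    # Management roles that contain this cmdlet
    $roles = Get-ManagementRole -Cmdlet $cmdlet

    foreach ($role in $roles) {
        # Regular (non-delegating) assignments of that role
        Get-ManagementRoleAssignment -Role $role.Name -Delegating $false |
            Select-Object @{ n = 'Cmdlet'; e = { $cmdlet } },
                          Role, RoleAssigneeType, RoleAssigneeName
    }
}

# One row per cmdlet / role / assignee
$report | Sort-Object Cmdlet, RoleAssigneeName | Format-Table -AutoSize

# Assignees that can run all three cmdlets, i.e. who can grant, change
# and revoke folder access
$report | Group-Object RoleAssigneeName |
    Where-Object { @($_.Group.Cmdlet | Sort-Object -Unique).Count -eq $cmdlets.Count } |
    Select-Object -ExpandProperty Name
```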

How to Add or Set MailboxFolderPermission in PowerShell

Now, we are going to learn the process of adding or changing permissions on mailboxes using PowerShell commands.

To manage existing mailbox folder permissions, we’ll use the Set-MailboxFolderPermission cmdlet, whereas if we want to assign permissions from the beginning, we will use the Add-MailboxFolderPermission cmdlet. These are the steps you need to follow.

Step 1: Connect to the Exchange Online PowerShell Module

First, you need to connect to the Exchange Online PowerShell Module.

In order to do this, it is necessary to have an administrator role with sufficient permissions. Afterward, go to the PowerShell window, and run the following command:

Connect-ExchangeOnline -UserPrincipalName [email protected]


Log into your Office account by using your credentials, and access the PowerShell module. From here, we can start using rich cmdlets.

Step 2: Preview Specified Folder Permissions

Before making any change, the wisest thing to do is to preview the existing permissions on the folder.

To do this, we are going to use the Get-MailboxFolderPermission cmdlet.

The Get-MailboxFolderPermission cmdlet allows us to see all the permission levels that have been assigned to a specific folder.

This is an example of how to use this command:

Get-MailboxFolderPermission -Identity [email protected]:\Marketing\Reports


This returns the list of individual permission entries for the specified folder.

It is important to specify the folder to view complete folder-level permissions. The same can be done for another mailbox by changing the value of the Identity parameter.

After you view the existing permissions, it’s time to modify them.

Step 3: Run the Add-MailboxFolderPermission PowerShell Command

Now, we are going to add permissions to users by using the Add-MailboxFolderPermission cmdlet.

To do this, we are going to grant access to the users by filling in the valid values on the command syntax, as mentioned above.

Go to PowerShell, grab the command syntax above, and modify it. This is what the command should look like:

Add-MailboxFolderPermission -Identity [email protected]:\Calendar -User [email protected] -AccessRights Editor -SharingPermissionFlags Delegate


This command makes Simon a Delegate on the calendar in James’s mailbox, but Simon cannot access private calendar items, because the CanViewPrivateItems flag was not included.

The sharing flags can be extended to give the delegate deeper access to the calendar.
For instance, let’s take a look at this command:

Add-MailboxFolderPermission -Identity [email protected]:\Calendar -User [email protected] -AccessRights Editor -SharingPermissionFlags Delegate,CanViewPrivateItems


In this case, the permissions granted to Simon are greater. SharingPermissionFlags is only accepted together with -AccessRights Editor and takes the values None, Delegate, and CanViewPrivateItems; an access right such as Owner or EditOwnedItems cannot be combined with it. The same pattern applies to other user mailboxes by changing the values in the command.

He can now access private items on James’s calendar in addition to his delegate rights.

If you want to add owner, contributor, or editor permissions to a whole group, it is necessary to create a mail-enabled security group via the Microsoft 365 Admin Center. Then, the group can be later modified.

The command can look like this:

Add-MailboxFolderPermission -Identity [email protected]:\calendar -AccessRights Reviewer -user [email protected]


The mailbox that holds the calendar can be identified by any value that uniquely identifies it, such as its name, alias, canonical DN, and more.

Step 4: Change or Modify Existing Permissions with the Set-MailboxFolderPermission PowerShell Command

Additionally, it is also possible to set or change the existing permissions by using the Set-MailboxFolderPermission command.

To do this, we need to modify the command based on our needs. For example:

Set-MailboxFolderPermission -Identity [email protected]:\Marketing -User [email protected] -AccessRights Owner


This command overwrites Simon’s original permissions on the Marketing folder. Instead of being just a viewer or editor, Simon now has Owner access to that folder in James’s mailbox.

Remember that the values you pass to each parameter determine the outcome of the command.
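
Steps 2 to 4 combined into one change routine, as an added example that is not part of the original guide. The function name Grant-FolderAccess, its -Apply switch, and the mailbox, folder and user values in the final call are hypothetical placeholders; it assumes a connected Exchange session.

```powershell
# Added example. Without -Apply, every change is only previewed via -WhatIf.
function Grant-FolderAccess {
    param(
        [Parameter(Mandatory)] [string]   $FolderId,      # MailboxID:\Folder
        [Parameter(Mandatory)] [string]   $User,
        [Parameter(Mandatory)] [string[]] $AccessRights,
        [switch] $Apply
    )

    # Step 2: record who has access before anything changes
    $before = @(Get-MailboxFolderPermission -Identity $FolderId -ErrorAction Stop)
    $before | Format-Table User, AccessRights, SharingPermissionFlags -AutoSize | Out-Host

    # Add- fails when the user already has an entry and Set- fails when there
    # is none, so look the user up first and pick the matching cmdlet.
    $existing = Get-MailboxFolderPermission -Identity $FolderId -User $User -ErrorAction SilentlyContinue

    $change = @{
        Identity     = $FolderId
        User         = $User
        AccessRights = $AccessRights
        WhatIf       = -not $Apply
    }
    if ($existing) {
        Set-MailboxFolderPermission @change    # Step 4: overwrite the entry
    } else {
        Add-MailboxFolderPermission @change    # Step 3: create the entry
    }

    # Read the entry back so the result is verified, not assumed
    $after = Get-MailboxFolderPermission -Identity $FolderId -User $User -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Folder  = $FolderId
        User    = $User
        Before  = if ($existing) { $existing.AccessRights -join ',' } else { '(no entry)' }
        After   = if ($after)    { $after.AccessRights -join ',' }    else { '(no entry)' }
        Applied = [bool]$Apply
    }
}

# Placeholder values: preview first, then repeat with -Apply once the output looks right
Grant-FolderAccess -FolderId 'shared-hr@example.com:\Onboarding' -User 'hr-team@example.com' -AccessRights Reviewer
```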

How to Remove Existing Permissions with the Remove-MailboxFolderPermission cmdlet

The Remove-MailboxFolderPermission cmdlet removes mailbox folder permissions, including calendar permissions.

Removing calendar permissions can be achieved by running this command in PowerShell.

To revoke a permission previously granted to a user, this is the syntax of the command we are going to use:

Remove-MailboxFolderPermission
      [-Identity] <MailboxFolderIdParameter>
      -User <MailboxFolderUserIdParameter>
      [-Confirm]
      [-DomainController <Fqdn>]
      [-WhatIf]
      [<CommonParameters>]


It is necessary to specify both the user and the mailbox folder we want to remove permissions from.

Run the command in PowerShell, replacing the parameter values with your own. For example:

Remove-MailboxFolderPermission -Identity [email protected]:\Marketing -User [email protected]


In this example, James will no longer have access to the Marketing folder in Simon’s inbox.

Moreover, you can also send a notification about the removal of permissions by adding the SendNotificationToUser parameter:

Remove-MailboxFolderPermission -Identity [email protected]:\calendar -User Name -SendNotificationToUser:$true
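
An added example (not from the original guide) that applies the removal step to the scenario from the introduction: it lists every folder entry in a mailbox that is not on an allow-list and previews the cleanup with -WhatIf. The mailbox address and the allow-list names are placeholders, and it assumes the User value returned by Get-MailboxFolderPermission is accepted as the -User argument.

```powershell
# Added example. $Mailbox and $Allowed are placeholder values.
$Mailbox = 'shared-hr@example.com'
$Allowed = @('Default', 'Anonymous', 'HR Team')   # names expected on the folders

$findings = foreach ($folder in Get-MailboxFolderStatistics -Identity $Mailbox) {
    # FolderPath looks like '/Inbox/Reports'; the permission cmdlets expect
    # 'mailbox:\Inbox\Reports'
    $folderId = '{0}:{1}' -f $Mailbox, $folder.FolderPath.Replace('/', '\')

    # Some system folders cannot be queried; skip them silently
    $entries = Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue

    foreach ($entry in $entries) {
        $name   = "$($entry.User)"
        $rights = @($entry.AccessRights) -join ','

        # Default/Anonymous holding more than None or free/busy means the
        # folder is open to everyone in (or outside) the organization
        $open = ($name -in 'Default', 'Anonymous') -and
                ($rights -notin 'None', 'AvailabilityOnly')

        if ($open -or ($name -notin $Allowed)) {
            [pscustomobject]@{ Folder = $folderId; User = $name; AccessRights = $rights }
        }
    }
}
$findings | Format-Table -AutoSize

# Preview the cleanup. Default and Anonymous are reset to None here rather than
# removed; everything else is removed. Drop -WhatIf only after reviewing the list.
foreach ($f in $findings) {
    if ($f.User -in 'Default', 'Anonymous') {
        Set-MailboxFolderPermission -Identity $f.Folder -User $f.User -AccessRights None -WhatIf
    } else {
        Remove-MailboxFolderPermission -Identity $f.Folder -User $f.User -Confirm:$false -WhatIf
    }
}
```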


Summary: How to Manage Mailbox Permissions in PowerShell

By taking advantage of PowerShell commands, it is possible to administer mailbox folder permissions more easily, grant permissions to individual or multiple users, and save a lot of time inside an organization.

Let’s summarize the three most important points of this guide to learn how to make the best out of these three fundamental MailboxFolderPermission commands:

  1. The Add-MailboxFolderPermission command allows you to grant permissions to one or multiple users on one or more mailbox folders.
  2. The Set-MailboxFolderPermission command is used to modify existing permissions and change them based on the mailbox’s needs.
  3. Finally, if you don’t want to change the permissions and instead wish to remove them, use the Remove-MailboxFolderPermission command.