Mailbox Permissions
This page provides a quick reference for managing Mailbox access, Send As, and Send on Behalf permissions in Exchange Online using PowerShell.
Connecting to Exchange Online
Connect-ExchangeOnline -UserPrincipalName [email protected]
View Mailbox Permissions
View all permission types for a specific mailbox:
Get-MailboxPermission -Identity "UserName"
List mailboxes where a user has been granted access:
# -ResultSize Unlimited avoids the default cap of 1000 mailboxes
Get-Mailbox -ResultSize Unlimited | Where-Object {
    (Get-MailboxPermission $_.Identity | Where-Object {$_.User -like "[email protected]"})
}
Grant Mailbox Permissions
| Permission Type | Command Example | Description |
|---|---|---|
| FullAccess | Add-MailboxPermission -Identity "MailboxName" -User [email protected] -AccessRights FullAccess -InheritanceType All | Grants full mailbox access (does not include Send As) |
| Send As | Add-RecipientPermission -Identity "MailboxName" -Trustee [email protected] -AccessRights SendAs | Allows user to send as the mailbox owner |
| Send on Behalf | Set-Mailbox -Identity "MailboxName" -GrantSendOnBehalfTo [email protected] | Allows user to send "on behalf of" the mailbox owner |
Remove Mailbox Permissions
Remove-MailboxPermission -Identity "MailboxName" -User [email protected] -AccessRights FullAccess
Remove-RecipientPermission -Identity "MailboxName" -Trustee [email protected] -AccessRights SendAs
Set-Mailbox -Identity "MailboxName" -GrantSendOnBehalfTo $null
Modify or Verify Permissions
Check which users have FullAccess rights:
Get-MailboxPermission -Identity "MailboxName" | Where-Object {$_.AccessRights -eq "FullAccess"}
Check Send As permissions:
Get-RecipientPermission -Identity "MailboxName"
Check Send on Behalf delegates:
Get-Mailbox -Identity "MailboxName" | Select Name, GrantSendOnBehalfTo
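The three checks above can be combined into one delegation report, which makes it easier to spot access that should no longer exist. This is an added example, not part of the original page; it assumes an active Connect-ExchangeOnline session, and `Get-MailboxDelegationReport` and the CSV file name are hypothetical names chosen for illustration.

```powershell
# Added example: consolidated delegation report (FullAccess, Send As, Send on Behalf).
# Assumption: Get-MailboxDelegationReport is a hypothetical helper, not an Exchange cmdlet.
function Get-MailboxDelegationReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    # FullAccess: skip the owner entry (SELF) and inherited system entries
    Get-MailboxPermission -Identity $Identity |
        Where-Object {
            ($_.User -ne 'NT AUTHORITY\SELF') -and
            (-not $_.IsInherited) -and
            ($_.AccessRights -contains 'FullAccess')
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Permission = 'FullAccess'; Delegate = "$($_.User)" }
        }

    # Send As: Get-RecipientPermission also lists the SELF entry, so filter it out
    Get-RecipientPermission -Identity $Identity |
        Where-Object { ($_.Trustee -ne 'NT AUTHORITY\SELF') -and ($_.AccessRights -contains 'SendAs') } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Permission = 'SendAs'; Delegate = "$($_.Trustee)" }
        }

    # Send on Behalf: the delegate list is a property of the mailbox itself
    (Get-Mailbox -Identity $Identity).GrantSendOnBehalfTo |
        Where-Object { $_ } |   # drop null/empty when no delegates are set
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Permission = 'SendOnBehalf'; Delegate = "$_" }
        }
}

# Report for a single mailbox
Get-MailboxDelegationReport -Identity "MailboxName" | Format-Table -AutoSize

# Report for every mailbox, exported for review
Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-MailboxDelegationReport -Identity $_.PrimarySmtpAddress } |
    Export-Csv -Path .\MailboxDelegations.csv -NoTypeInformation
```

Comparing successive exports of this report shows which delegations were added or removed between runs.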
Common Administrative Tasks
Remove all FullAccess permissions (except owner)
# Select only explicit (non-inherited) FullAccess entries, excluding the owner (SELF)
Get-MailboxPermission -Identity "MailboxName" | Where-Object {
    ($_.User -ne "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false) -and ($_.AccessRights -eq "FullAccess")
} | ForEach-Object {
    Remove-MailboxPermission -Identity "MailboxName" -User $_.User -AccessRights FullAccess -Confirm:$false
}
Apply FullAccess for a group of users
$Users = @("[email protected]","[email protected]")
foreach ($u in $Users) {
    Add-MailboxPermission -Identity "MailboxName" -User $u -AccessRights FullAccess -InheritanceType All
}
Quick Reference Summary
| Task | Command | Notes |
|---|---|---|
| View mailbox permissions | Get-MailboxPermission -Identity "User" | Shows all mailbox-level permissions |
| Add FullAccess | Add-MailboxPermission -Identity "User" -User [email protected] -AccessRights FullAccess | Grants read/write |
| Add Send As | Add-RecipientPermission -Identity "User" -Trustee [email protected] -AccessRights SendAs | Allows sending as another mailbox |
| Add Send on Behalf | Set-Mailbox -Identity "User" -GrantSendOnBehalfTo [email protected] | Adds delegate ability |
| Remove Access | See removal commands above | Clean up unwanted access |
| Verify | Use Get-MailboxPermission and Get-RecipientPermission | Check current settings |
Tips
- Always run permission checks after making changes.
- Remember that FullAccess does not imply Send As rights.
- Changes may take up to 15 minutes to replicate in Exchange Online.
Author: Tomas Toohey
Reference Category: Exchange Quick References