Grant Delegate Permissions to Other Microsoft 365 Mailboxes using PowerShell 


Microsoft 365 allows some users to access other mailboxes through delegation. Admins can delegate the following permissions to another mailbox based on the organization’s requirements:

  • Full access – Allows modifying content and reading email from another mailbox  
  • Send as – Allows sending emails from another mailbox  
  • Send on behalf – Allows sending emails on behalf of another mailbox  

  

How to Set Mailbox Permission?  

Mailbox permissions can be set either through the Admin Center or PowerShell. Since the UI is suitable for small organizations, most admins prefer PowerShell. The PowerShell cmdlets Set-Mailbox, Add-MailboxPermission, and Add-RecipientPermission help to set mailbox delegations.  

 

How to Delegate Mailbox Permissions through PowerShell?  

To set mailbox permissions, you must connect to Exchange Online PowerShell and follow the below steps based on the required permission. 

Grant Full Access to an Office 365 Mailbox: 

The Full Access permission allows the delegate to open, view, add or remove the content of the delegated mailbox. Additionally, the delegated user can create tasks and calendars in the shared mailbox. To assign Full Access permission on an Exchange Online mailbox, you can use the Add-MailboxPermission cmdlet as follows. 

Add-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess 

This example assigns the user Mark Full Access permission to John’s mailbox. 

To grant the admin account full access to all the mailboxes, you can use the below code snippet. 

Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -User [email protected] -AccessRights FullAccess 

Note: The delegated mailbox should not be hidden from the address lists. If it is hidden, the delegate can’t open the respective mailbox. 

 

Add Send as Permission in Exchange Online Mailbox: 

The SendAs permission allows a user to send emails that appear to come from the delegated mailbox or shared mailbox. 

Add-RecipientPermission [email protected] -AccessRights SendAs -Trustee [email protected] 

The above example grants the user John SendAs permission for the shared mailbox Helpdesk. Now, John can send emails to other users that appear to come directly from the Helpdesk mailbox. 

Set Send as Permission for Bulk Mailboxes (input CSV) 

To allow multiple users to send email from a specific mailbox, you can delegate send as permission using CSV file input. 

The CSV file should contain the UPN of the mailboxes that need access. 

$MailboxIds= Import-CSV <Path> 
Foreach($MailboxId in $MailboxIds) 
{  
 Add-RecipientPermission [email protected]  -AccessRights SendAs -Trustee $MailboxId.UPN 
} 

The above code provides Send As access to users in the CSV file to the Helpdesk mailbox. 

Allow a Specific User to Send Emails From Multiple Mailboxes (input CSV)

To grant access to multiple mailboxes, you can use the below code snippet. 

The CSV file should contain the UPN of the mailboxes to be delegated. 

$MailboxIds = Import-CSV <Path> 
Foreach($MailboxId in $MailboxIds) 
{ 
 Add-RecipientPermission $MailboxId.UPN -AccessRights SendAs -Trustee [email protected] 
} 

This example allows John to send emails from mailboxes in the CSV file. 
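
The two CSV loops above (many delegates on one mailbox, and one delegate on many mailboxes) can be wrapped in a single helper that validates the input, skips grants that already exist, supports a dry run, and keeps a change log. This is an added example, not code from the original article; the function name Add-SendAsFromCsv, its parameters, the log path and the example.com addresses are assumptions, and it expects an active Exchange Online PowerShell session.

```powershell
# Added example (hypothetical helper, not from the original article).
# Assumes a Connect-ExchangeOnline session and a CSV with a "UPN" column.
function Add-SendAsFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        # The single identity that stays fixed for every CSV row.
        [Parameter(Mandatory)] [string] $FixedIdentity,
        # 'Trustees': CSV lists delegates for the mailbox $FixedIdentity.
        # 'Mailboxes': CSV lists mailboxes that $FixedIdentity may send as.
        [ValidateSet('Trustees', 'Mailboxes')] [string] $CsvContains = 'Trustees',
        [string] $LogPath = '.\SendAsGrants.csv'
    )

    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0 -or $rows[0].PSObject.Properties.Name -notcontains 'UPN') {
        throw "CSV '$CsvPath' must contain a UPN column and at least one row."
    }
    $upns = $rows.UPN | Where-Object { $_ } | ForEach-Object { $_.Trim() } | Sort-Object -Unique

    $results = foreach ($upn in $upns) {
        if ($CsvContains -eq 'Trustees') { $mailbox = $FixedIdentity; $trustee = $upn }
        else                             { $mailbox = $upn; $trustee = $FixedIdentity }
        try {
            # Stop on typos or stale accounts instead of granting to the wrong object.
            $null = Get-Recipient -Identity $upn -ErrorAction Stop
            $held = Get-RecipientPermission -Identity $mailbox -Trustee $trustee -AccessRights SendAs -ErrorAction Stop
            if ($held) { $status = 'AlreadyPresent' }
            elseif ($PSCmdlet.ShouldProcess($mailbox, "Grant SendAs to $trustee")) {
                $null = Add-RecipientPermission -Identity $mailbox -Trustee $trustee -AccessRights SendAs -Confirm:$false -ErrorAction Stop
                $status = 'Granted'
            }
            else { $status = 'NotApplied' }
        }
        catch { $status = "Failed: $($_.Exception.Message)" }

        [pscustomobject]@{
            Time = (Get-Date).ToString('o'); Mailbox = $mailbox; Trustee = $trustee; Status = $status
        }
    }
    # Change record for later review; Export-Csv itself honours -WhatIf.
    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $results
}

# Dry run, then apply (addresses are placeholders):
# Add-SendAsFromCsv -CsvPath .\delegates.csv -FixedIdentity 'helpdesk@example.com' -WhatIf
# Add-SendAsFromCsv -CsvPath .\mailboxes.csv -FixedIdentity 'john@example.com' -CsvContains Mailboxes
```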

 

Grant Send on Behalf Permission in Microsoft 365 Mailbox: 

The Send on Behalf permission allows the delegate to send emails from another mailbox, but the From address shows the delegate’s name. For example, (<Delegate> on behalf of <Mailbox>). 

To grant Send on Behalf permission for a mailbox, you can use the Set-Mailbox cmdlet with the GrantSendOnBehalfTo parameter. 

Set-Mailbox [email protected] -GrantSendOnBehalfTo [email protected] 

This command grants Mark send on behalf permission to John’s mailbox. 

You can also grant permission to multiple users by giving their mailbox names as comma-separated values. 

Set-Mailbox [email protected] -GrantSendOnBehalfTo @{Add="[email protected]","[email protected]"} 

The above example does not overwrite the existing permission. Instead, it adds the respective users to the existing permission. So, now Mark, Tony, and Bob can send emails on behalf of John. 

 

How to View Mailbox Permissions Report? 

To manage mailbox permissions, admins need to monitor mailboxes and their delegates. To view the mailbox delegates, you need to use multiple PowerShell cmdlets like Get-Mailbox, Get-MailboxPermission, Get-RecipientPermission, etc.  

You can also use the pre-built script to export mailbox permissions report to CSV.  


I have mentioned a few highlights of the script below.  

  • The script displays only “Explicitly assigned permissions” to mailboxes, which means it will ignore the “SELF” permission that each user has on their own mailbox and any inherited permissions.  
  • Exports output to CSV file.  
  • The script can be executed with MFA enabled account too.  
  • You can choose to either “export permissions of all mailboxes” or “pass an input file” to get the permissions of specific mailboxes alone.  
  • Output file stores most required attributes like Display Name, User Principal Name, Mailbox Type, Access Type, User with Access, and Admin Roles. You can include more attributes easily by modifying the script.  
  • Allows you to filter the output using your desired permissions like Send-as, Send-on-behalf, or Full access.  
  • Output can be filtered based on user/all mailbox type.  
  • Allows you to filter permissions on the admin’s mailbox. So, you can view administrative users’ mailbox permission alone.  
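
For a quick review of who holds delegated access, the three cmdlets named above can be combined into one report of explicit grants only, dropping inherited entries and each owner's SELF entry as the highlights describe. This is an added example and not the pre-built script the article refers to; the function name Get-ExplicitMailboxDelegation and the output file name are assumptions, and it expects an active Exchange Online PowerShell session.

```powershell
# Added example (hypothetical helper, not the script the article links to).
# Assumes a Connect-ExchangeOnline session.
function Get-ExplicitMailboxDelegation {
    [CmdletBinding()]
    param(
        [ValidateSet('FullAccess', 'SendAs', 'SendOnBehalf')]
        [string[]] $AccessType = @('FullAccess', 'SendAs', 'SendOnBehalf')
    )

    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $found = @()
        if ($AccessType -contains 'FullAccess') {
            # Drop inherited ACEs, deny entries and the owner's own SELF entry.
            $found += @(Get-MailboxPermission -Identity $mbx.UserPrincipalName |
                Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                               [string]$_.User -ne 'NT AUTHORITY\SELF' -and
                               $_.AccessRights -contains 'FullAccess' } |
                ForEach-Object { @{ Type = 'FullAccess'; Delegate = [string]$_.User } })
        }
        if ($AccessType -contains 'SendAs') {
            $found += @(Get-RecipientPermission -Identity $mbx.UserPrincipalName |
                Where-Object { -not $_.IsInherited -and
                               [string]$_.Trustee -ne 'NT AUTHORITY\SELF' -and
                               $_.AccessControlType -eq 'Allow' } |
                ForEach-Object { @{ Type = 'SendAs'; Delegate = [string]$_.Trustee } })
        }
        if ($AccessType -contains 'SendOnBehalf') {
            # Send on behalf is stored on the mailbox object itself.
            $found += @($mbx.GrantSendOnBehalfTo | Where-Object { $_ } |
                ForEach-Object { @{ Type = 'SendOnBehalf'; Delegate = [string]$_ } })
        }
        foreach ($f in $found) {
            [pscustomobject]@{
                DisplayName       = $mbx.DisplayName
                UserPrincipalName = $mbx.UserPrincipalName
                MailboxType       = $mbx.RecipientTypeDetails
                AccessType        = $f.Type
                UserWithAccess    = $f.Delegate
            }
        }
    }
}

# Export everything, or narrow to one permission type:
# Get-ExplicitMailboxDelegation | Export-Csv .\MailboxPermissions.csv -NoTypeInformation
# Get-ExplicitMailboxDelegation -AccessType FullAccess
```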

 

I hope this blog will help you manage mailbox permissions in the Exchange Online environment. If you have any queries, reach us through the comment section. 


by Kathy time to read: 3 min