How to grant full access permissions to all users’ mailboxes using PowerShell

How to grant full access permissions to mailboxes

There are many situations in which permissions to another user’s mailbox should be granted in Exchange Server. Sometimes it is for monitoring purposes, sometimes to send emails on behalf of someone else. Full access permissions give the highest level of access to a mailbox, and are necessary, for example, during a migration process. If you want to learn how to set full access permissions in Exchange 2019, Exchange 2016, Exchange 2013, or Exchange Online, you have come to the right place.

If you want to learn more about how to perform an Exchange Server to Microsoft 365 (Office 365) migration using native means, check this article.

How to set full access permissions with PowerShell

To set those permissions for a user account, you need to use an account that’s added to the Organization Management group.

To check which accounts are members of the group, use this cmdlet:

Get-RoleGroup "Organization Management" | select members

In case the account is not listed in the results, the administrator can add it to the group by using this cmdlet:

Add-RoleGroupMember "Organization Management" -Member "<account name>"

<account name> stands for the name of the desired user.

The next step is granting full access permissions to mailboxes:

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User "<admin account>" -AccessRights fullaccess -InheritanceType all -AutoMapping:$false

<admin account> stands for the account that should receive the permissions. The command grants that admin account full access rights to all user mailboxes (the filter skips the mailbox whose alias is Admin). The last parameter, -AutoMapping:$false, is not necessary but recommended. It turns the auto-mapping feature off. If auto-mapping is left enabled, the admin’s Outlook tries to open all mailboxes in the company (to which the admin now has full access). This is rarely desirable, and if there are a lot of mailboxes, performance issues are to be expected. What is more, in many scenarios, users have found that removing auto-mapping later on can be problematic, especially with Outlook trying to open multiple mailboxes at once – the email client tends to lag or freeze for some time. To remove auto-mapping with PowerShell, an admin needs to remove full access permissions first and then add them again, with the -AutoMapping:$false switch.

If you want to limit the number of mailboxes you assign permissions to, you can:

  • change the arguments used in the -Filter parameter, for example, add another condition to those already specified, like -and (City -eq 'New York'),
  • use Get-DistributionGroupMember instead of Get-Mailbox before the pipeline symbol (|),
  • add Full Access permissions to a single mailbox (<mailbox address> in the example below, with <admin account> as the account that receives access) by using the following syntax:
    Add-MailboxPermission -Identity '<mailbox address>' -User '<admin account>' -AccessRights FullAccess -InheritanceType all -AutoMapping:$false
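
Because a single account ends up with access to every mailbox, it helps to record which mailboxes were changed, review what the account currently holds, and remove the access when the work (for example, a migration) is done. The script below is an added example, not part of the original article; $Delegate and $LogPath are placeholder values you need to set.

```powershell
# Added example, not from the original article.
# $Delegate and $LogPath are placeholders (assumptions); set them before running.
$Delegate = '<admin account>'
$LogPath  = '.\FullAccessGrants.csv'

# 1. Grant: same scope as the article's command, but record every mailbox changed.
$filter  = "(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')"
$granted = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -Filter $filter) {
    try {
        Add-MailboxPermission -Identity $mbx.Identity -User $Delegate `
            -AccessRights FullAccess -InheritanceType All `
            -AutoMapping:$false -ErrorAction Stop | Out-Null
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            User    = $Delegate
            Granted = (Get-Date).ToString('s')
        }
    }
    catch {
        Write-Warning "Grant failed for $($mbx.PrimarySmtpAddress): $_"
    }
}
$granted | Export-Csv -Path $LogPath -NoTypeInformation

# 2. Audit: explicit (non-inherited) FullAccess entries the delegate currently holds.
$current = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $Delegate |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        (($_.AccessRights -join ',') -match 'FullAccess')
    }
$current | Select-Object Identity, User, AccessRights | Format-Table -AutoSize

# 3. Revoke once the work is finished. Review the -WhatIf output first,
#    then rerun without -WhatIf to apply the removal.
$current | ForEach-Object {
    Remove-MailboxPermission -Identity $_.Identity -User $Delegate `
        -AccessRights FullAccess -InheritanceType All -Confirm:$false -WhatIf
}
```

Comparing the CSV from step 1 with the audit output from step 2 shows whether the account holds access to any mailbox that the script did not grant.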

How to grant other permission types

PowerShell can also be used to assign other permissions to mailboxes. Below is the list of valid parameter values:

  • ChangeOwner – allows changing the mailbox owner,
  • ChangePermission – lets the assigned users change permissions on the mailbox,
  • DeleteItem – allows deleting items from a mailbox,
  • ExternalAccount – indicates the mailbox isn’t in the same domain,
  • ReadPermission – lets you read mailbox items.

To assign one of those permissions, use its name after the -AccessRights parameter, instead of FullAccess.

Alternative to PowerShell

For older Exchange versions (those you shouldn’t see in production environments anymore), you can grant full access permissions using Exchange Management Console (EMC). This is not recommended, as auto-mapping cannot be switched off using EMC. Still, if you want to assign mailbox permissions to a single mailbox and auto-mapping is not an issue, go ahead.

For supported Exchange versions, you can use the Exchange admin center (EAC) to assign permissions, by going to Exchange admin center > recipients > mailboxes. Highlight the mailboxes you want to grant access to and click More options in the right pane.

Exchange admin center - more options

Then, still in the right pane, click Add in the Mailbox Delegation section.

Configure mailbox delegation in Exchange admin center

Finally, use the plus button and choose a user (or users) who should have the Full Access permission to the chosen mailboxes.

Bulk add full access delegation

In Exchange Online, the path to mailbox permission assignment settings is similar, the only difference is in the UI layout:

Configure mailbox delegation in Exchange Online admin center

Software tip

If you need any help with administration of your Exchange server or Microsoft 365 tenant, check how CodeTwo products can help you. For example:

  • CodeTwo Exchange Migration – simplifies your move to a more recent Exchange version.
  • CodeTwo Office 365 Migration – gives a helping hand when you want to move mailboxes from on-premises Exchange to the cloud (or between Microsoft 365 tenants).
  • CodeTwo Exchange Rules Pro – unifies branding in email communication and helps manage mail flow in on-premises Exchange.
  • CodeTwo Email Signatures 365 – lets you manage email branding and autoresponders in Microsoft 365.

There are also many useful freeware tools, so be sure to check them out, too.

Comments

  1. Thanks for the article. It was a big help. Please check on your description of ReadPermission. It isn’t related to reading mailbox items but permissions.

    • Adam the 32-bit Aardvark says:

      Thanks for the comment! I’ve just looked into this and cannot find any relevant articles. And when I tried setting it up on a test tenant, it just didn’t work. I’ll do some more research soon!

  2. Great script and I’ve used it in the past – however my query is now “post migration” – how do you mass remove that permission from all mailboxes?
    Thanks.

    • Adam the 32-bit Aardvark says:

      Hi Chris,
      The easiest way would be to change Add-MailboxPermission to Remove-MailboxPermission, and remove -automapping $false which should revert the change. After running this script, you can check the state of permissions with the Get-MailboxPermission cmdlet.

  3. Adrian Gates says:

    The Get-RoleGroup and Add-RoleGroupMember have been run and ran successfully. I’m confused a little bit on the last larger query. Could you not just run the Add-MailboxPermission side by itself? Is the filtering needed at that point? Maybe I’m thinking about it incorrectly.

    • Adam the 32-bit Aardvark says:

      Hi Adrian,
      You could run only the Add-MailboxPermission part, but then, you are missing the crucial piece of info – whose mailboxes are you giving full access to? The first part defines that and pipelines the result to the Add-MailboxPermission cmdlet.

  4. Hello,
    Virtually all Google results for “how to add full rights” to an O365 account refer to “add-mailboxPermission” as the cmdlet to execute. However, in our instance of O365, while connected via a global admin account, the only cmdlet is “Add-MailboxFolderPermission”. I have to assume I’m doing something wrong because of the complete absence of any related info turning up searching the web for details. Any advice based on this observation?

    • Adam the 32-bit Aardvark says:

      Hello Terry,
      Do you mean that when you run Get-Command, you do not see the Add-MailboxPermission? Have you tried running the script, nonetheless? If yes, what is the error text you get?
      Please make sure you have connected to the Office 365 successfully and with no errors (How to start remote PowerShell session to Office 365). You can also run the Get-PSSnapin cmdlet and check whether Microsoft.Exchange.Management.PowerShell.SnapIn is included.

  5. I want to grant a user full access to all conference rooms in a particular location using just one script using PowerShell. I need help with the script.

    • Adam the 32-bit Aardvark says:

      You can use the exact same script I have used above, only changing the first part (Get-Mailbox) so that it only lists Conference rooms. You can use the following filter:
      get-mailbox -resultsize unlimited -filter {RecipientTypeDetails -eq 'RoomMailbox'}
      The rest of the script (Add-MailboxPermission) you can leave without any changes.
