I just had to do some additional work in a project we have just finished. One of the main tasks has been adjusting some permissions for shared mailboxes.

In this article, I wrote down some useful PowerShell commands for managing shared mailboxes.

 

What is a shared mailbox?

A shared mailbox is a type of user mailbox that doesn’t have its own user name and password. As a result, users can’t log into them directly. To access a shared mailbox, users must first be granted Send As or Full Access permissions to the mailbox. Once that’s done, users sign into their own mailboxes and then access the shared mailbox by adding it to their Outlook profile. In Exchange 2003 and earlier, shared mailboxes were just a regular mailbox to which an administrator could grant delegate access.

 

We can assign the following permissions to a shared mailbox:

  • Send As: The Send As permission lets a user impersonate the shared mailbox when sending mail. For example, if Desmond logs into the shared mailbox Marketing Department and sends an email, it will look like the Marketing Department sent the email.

 

  • Full Access: The Full Access permission lets a user log into the shared mailbox and act as the owner of that mailbox. While logged in, the user can create calendar items; read, view, delete, and change email messages; create tasks and calendar contacts. However, a user with Full Access permission can’t send email from the shared mailbox unless they also have Send As or Send on Behalf permission.

 

  • Send on Behalf: The Send on Behalf permission lets a user send email on behalf of the shared mailbox. For example, if Desmond logs into the shared mailbox Software development and sends an email, it looks like the mail was sent by “Desmond on behalf of Software development”. We can’t use the EAC to grant Send on Behalf permissions; we must use the Set-Mailbox cmdlet with the GrantSendOnBehalfTo parameter.

 

Creating shared mailboxes

Creating a shared mailbox is similar to creating any other type of mailbox in the Exchange Management Shell. The one thing we need to remember is to specify the type of the mailbox. That means that the command could look like this:

New-Mailbox -Name 'Software development' -Shared

 

The first example showed us how to create a simple shared mailbox. However, normally this is not enough and we need to provide more information, such as an alias and an SMTP address. We can do this with the following command:

New-Mailbox -Name 'Software development' -Alias development -Shared -PrimarySmtpAddress [email protected]

 

Managing permissions

As I wrote at the beginning of this article, a shared mailbox is a mailbox without its own user name and password. To be able to use a shared mailbox, we need to assign permissions to users. In this chapter we will learn how to do that using PowerShell.

If we continue with the shared mailbox we created in the previous chapter, Software development, we want to assign full access to the user Desmond. This can be done by using the following command:

Add-MailboxPermission 'Software development' -User Desmond -AccessRights FullAccess -InheritanceType All

 

If our Exchange still has the default configuration, the mailbox “Software development” will be auto-mapped to the user Desmond.

However, sometimes we want to prevent a shared mailbox from being auto-mapped to a user with full access permissions. In this case, we need to add the following parameter to our command: -AutoMapping $False. The command will then look like this:

Add-MailboxPermission 'Software development' -User Desmond -AccessRights FullAccess -InheritanceType All -AutoMapping $False

 

Note: When we assign Full Access permission to a group, auto-mapping does not take effect, because the Full Access permission is granted to the group object and not to the user objects (the group members).

In this case, we need to instruct each of the group members how to manually add the mailbox they have Full Access permission to as an additional mailbox.

To avoid this default behaviour, we can use a little trick with a PowerShell command.

The PowerShell command extracts the group members into a user list and then assigns the Full Access permission separately to each user (each of the group members).

The command for that will look like this:

$DL = Get-DistributionGroupMember "development Department" | Select-Object -ExpandProperty Name
ForEach ($Member in $DL) {Add-MailboxPermission -Identity 'Software development' -User $Member -AccessRights 'FullAccess' -InheritanceType All}
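Because the trick above copies the group's membership at one point in time, the per-user grants drift as people join or leave the group. The following is an added example (not part of the original article) that compares the two and previews the changes with -WhatIf; it assumes a connected Exchange session, that the group is the only intended source of Full Access, and that each permission holder resolves through Get-Mailbox.

```powershell
# Added example, not from the original article. Run in a connected Exchange
# Management Shell / Exchange Online PowerShell session.
$Mailbox = 'Software development'      # shared mailbox from the article
$Group   = 'development Department'    # group used in the article's command

# Desired holders: mailbox-enabled group members, keyed by primary SMTP address.
$wanted = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    ForEach-Object { "$($_.PrimarySmtpAddress)".ToLower() })

# Current holders: explicit (non-inherited) Allow entries that include FullAccess.
$explicit = @(Get-MailboxPermission -Identity $Mailbox | Where-Object {
    -not $_.IsInherited -and -not $_.Deny -and
    "$($_.AccessRights)" -match 'FullAccess' -and
    "$($_.User)" -notlike 'NT AUTHORITY\*' })

$current = @(); $unresolved = @()
foreach ($ace in $explicit) {
    # Assumption: the User value (DOMAIN\user or UPN) resolves through Get-Mailbox.
    $mbx = Get-Mailbox -Identity "$($ace.User)" -ErrorAction SilentlyContinue
    if ($mbx) { $current += "$($mbx.PrimarySmtpAddress)".ToLower() }
    else      { $unresolved += "$($ace.User)" }   # e.g. a deleted account's SID or a group
}

# Members without a grant, and grants without a matching member.
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

# -WhatIf only previews the change; remove it once the lists have been reviewed.
foreach ($u in $toAdd) {
    Add-MailboxPermission -Identity $Mailbox -User $u -AccessRights FullAccess `
        -InheritanceType All -WhatIf
}
foreach ($u in $toRemove) {
    Remove-MailboxPermission -Identity $Mailbox -User $u -AccessRights FullAccess `
        -InheritanceType All -Confirm:$false -WhatIf
}

# Summary object; entries under ReviewManually could not be resolved to a mailbox.
New-Object psobject -Property @{
    ToAdd = $toAdd; ToRemove = $toRemove; ReviewManually = $unresolved
}
```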

 

We can also add SendAs or Send on Behalf permissions using PowerShell. If we want to do that for a single mailbox, we can do it with the following example:

Add-RecipientPermission 'development Department' -Trustee Desmond -AccessRights SendAs -Confirm:$false

 

Of course, we can also grant Desmond the SendAs permission on all of our shared mailboxes. To do that, we need the following command:

Get-Mailbox -Filter '(RecipientTypeDetails -eq "SharedMailbox")' | Add-RecipientPermission -Trustee Desmond -AccessRights SendAs -Confirm:$False

 

Shared Mailbox Calendar permission

We can also assign dedicated permissions to the calendar of a shared mailbox. To be able to do that, we need the specific syntax of the calendar folder.

Note: When working with this syntax, we need to know the language of the shared mailbox. If the shared mailbox is set up in English, the folder name is 'Calendar'; if it is configured in German, for example, the folder name is 'Kalender'. To grant Desmond dedicated permissions to the calendar of a shared mailbox, we need to use the following command:

$MailboxCalendar = "development:\Calendar"
Add-MailboxFolderPermission -Identity $MailboxCalendar -AccessRights PublishingEditor -User Desmond

 

As we can see in the last command, folder permissions use a different set of values for AccessRights. To find out which AccessRights can be set when configuring folder permissions, see the Microsoft documentation for the Add-MailboxFolderPermission cmdlet.

 

Display various types of Mailbox permissions

The default output of Get-MailboxPermission, which we use to view mailbox permissions, and of Get-RecipientPermission, which we use to view Send As permissions, includes redundant information that makes the Exchange mailbox permissions difficult to read.

For this reason, we add a filter that removes the redundant information.

 

Displaying FullAccess permissions for shared mailboxes:

Get-MailboxPermission "development Department" | Where-Object { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select-Object Identity, User, AccessRights

 

Displaying SendAs permissions for shared mailboxes:

Get-RecipientPermission "development Department" | Where-Object { ($_.IsInherited -eq $False) -and -not ($_.Trustee -like "NT AUTHORITY\SELF") } | Select-Object Trustee, AccessRights

 

Displaying Calendar permissions for shared mailboxes:

$MailBoxCalendar = "development Department:\Calendar"
Get-MailboxFolderPermission $MailBoxCalendar | Select-Object FolderName, user, AccessRights
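
For a periodic access review, the per-mailbox queries above can be combined into one report across every shared mailbox. This is an added example, not part of the original article; it assumes PowerShell 3.0 or later and a connected Exchange session, and the CSV path and $Threshold value are arbitrary choices for the example.

```powershell
# Added example, not from the original article. Requires a connected Exchange session.
$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $id = "$($mbx.PrimarySmtpAddress)"

    # Full Access: explicit Allow entries, skipping the mailbox's own SELF entry.
    Get-MailboxPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       "$($_.AccessRights)" -match 'FullAccess' -and
                       "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $id; Right = 'FullAccess'; Holder = "$($_.User)" }
        }

    # Send As: same filter as the article's Get-RecipientPermission command.
    Get-RecipientPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and "$($_.Trustee)" -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $id; Right = 'SendAs'; Holder = "$($_.Trustee)" }
        }

    # Send on Behalf is stored on the mailbox object itself.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $id; Right = 'SendOnBehalf'; Holder = "$delegate" }
    }
}

# One row per (mailbox, right, holder), suitable for sign-off by the mailbox owners.
$report | Sort-Object Mailbox, Right, Holder |
    Export-Csv -Path .\shared-mailbox-permissions.csv -NoTypeInformation

# Holders with rights on many shared mailboxes deserve a closer look
# ($Threshold is an arbitrary value chosen for this example).
$Threshold = 5
$report | Group-Object Holder |
    Select-Object @{ n = 'Holder'; e = { $_.Name } },
                  @{ n = 'Mailboxes'; e = {
                      @($_.Group | Select-Object -ExpandProperty Mailbox -Unique).Count } } |
    Where-Object { $_.Mailboxes -ge $Threshold } |
    Sort-Object Mailboxes -Descending
```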

 

 

 

Converting Mailboxes

Microsoft Exchange allows us to convert mailboxes between different types: shared mailboxes, resource mailboxes and regular user mailboxes. In Exchange Online, at the moment, every user mailbox needs an Exchange Online license, whereas a shared mailbox does not. If we want to convert a regular user mailbox to a shared mailbox, we can run the following command:

Set-Mailbox Desmond -Type Shared

 

And if we want to go in the opposite direction, we just need to change the -Type parameter:

Set-Mailbox Desmond -Type Regular

 

Configuring Mailbox size

By default, every mailbox uses the settings of the mailbox database where the mailbox was created. However, by using PowerShell we are able to override these settings:

Set-Mailbox "development Department" -ProhibitSendReceiveQuota 50GB -ProhibitSendQuota 49.7GB -IssueWarningQuota 49.5GB

 

 
