Managing permissions

In this topic, we will look at ways by which we can assign permissions to users or groups called delegates. It allows the delegates to open and send messages from other mailboxes. Permissions can be assigned to mailboxes, distribution groups, and mail-enabled security groups. The following permissions can be assigned to delegates:

• Full Access: A delegate of a mailbox has full access to open a mailbox and access the content. This permission, however, will not allow the delegate to send mail from that mailbox.
• Send As: The Send As permission will allow the delegate to send messages from the other mailbox. The message in this case will appear to be coming from the mailbox owner. If Send As is used for a group, the message will appear to be originating from this group.
• Send on Behalf: This permission will also allow a delegate to send messages from other user's mailbox. Unlike the Send As permission, the message from this field will indicate that this message was sent by the delegate on behalf of the mailbox owner.

Manage Full Access permissions

The following example assigns the Full Access permission to Holly for Amy's mailbox:

Add-MailboxPermission -Identity "Amy Alberts" -User hollyh -AccessRights FullAccess -InheritanceType all

If you are the administrator and there is a need to look at the content of some user's mailboxes, you can assign this permission using the following command. This example will provide full access permissions to <admin@contoso.com> for all the mailboxes:

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User admin@contoso.com -AccessRights fullaccess -InheritanceType all

You can view the Full Access permission using the following syntax:

Get-MailboxPermission –identity mailbox –User Delegate

For example, if you want to check if the permissions are set as per the first example, you need to type this:

Get-MailboxPermission –identity "Amy Alberts" –User hollyh

The Full Access permission, once granted, can be removed using the Remove-Mailbox permission. The following command will remove the full access granted to Holly Holt on Amy Albert's mailbox:

Remove-MailboxPermission -Identity "Amy Alberts" -User hollyh -AccessRights FullAccess -InheritanceType All

Manage Send As permission

The Send As permission can be granted and revoked using the Add-AD and Remove-AD permissions. For example, the following command will assign the Send As permission to the Tier 1 Helpdesk Support Group on the shared mailbox of Helpdesk:

Add-ADPermission -Identity helpdeskshared -User Tier1helpdeskgroup -ExtendedRights "Send As"

To view the permission, type this:

Get-ADPermission –identity helpdeskshared –User Tier1helpdeskgroup

If you are using Exchange Online, you need to replace –User with the –Trustee parameter.

The example removes the Send As permission for the user called John Doe from Holly Holt's mailbox:

Remove-ADPermission -Identity "Holly Holt" -User Johnd -ExtendedRights "Send As"

Manage Send On Behalf permission

The Send on Behalf permission is managed using the Set-Mailbox cmdlet. The following cmdlet assigns the Send on Behalf to John Doe on Holly Holt's mailbox:

Set-Mailbox -Identity hollyh@contoso.com -GrantSendOnBehalfTo JohnD

The following command will remove the send on Behalf permission of the admin assistant group from the Executives shared mailbox:

Set-Mailbox "Executives" -GrantSendOnBehalfTo @{remove="adminassistant@contoso.com"}

To view the send on behalf permission, type this:

Get-Mailbox –identity hollyh | FL GrantSendOnBehalfTo