Granular Outlook Permissions

Recently a customer with a lot of shared mailboxes asked if it was possible to give some users granular Outlook permissions. They wanted read-only permissions to some shared mailboxes, limited to the Inbox only.

The customer also asked if automapping was possible even when we only give access to the Inbox.

The good news is that it can be done; the bad news is that it cannot be done in the EMC the way Full Access can. You have to do this with PowerShell.

Here is how I did the granular Outlook permissions in Exchange.

First we will give one user access to the Inbox of the shared “JobMailbox”.

To do that, the user first needs permission to see the folders at the top level of the mailbox (FolderVisible lets the user see the folder, not read the items in it).

We will do that with:
Add-MailboxFolderPermission "job:\" -User stp -AccessRights FolderVisible


Then we give read-only (Reviewer) permission on the Inbox:
Add-MailboxFolderPermission "job:\Inbox" -User stp -AccessRights Reviewer


For the automapping to work, we add the user's distinguished name to the msExchDelegateListLink attribute of the shared mailbox's user object in AD:
Set-ADUser job -Add @{msExchDelegateListLink="CN=Steen Pedersen,CN=Users,DC=contoso,DC=com"}
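The three steps above as one script, with a verification of what was actually granted. This is an added example, not code from the original post; it assumes the Exchange Management Shell and the ActiveDirectory module are loaded, and uses the post's aliases "job" (shared mailbox) and "stp" (user).

```powershell
# Added example: read-only Inbox access plus automapping for one user.
# Assumes Exchange Management Shell + ActiveDirectory module; aliases as in the post.
Import-Module ActiveDirectory

$Mailbox = 'job'
$User    = 'stp'

# 1. Let the user see the folder tree of the mailbox (FolderVisible grants no item access).
Add-MailboxFolderPermission -Identity "${Mailbox}:\" -User $User -AccessRights FolderVisible

# 2. Reviewer on the Inbox: read items, but no create, edit or delete.
Add-MailboxFolderPermission -Identity "${Mailbox}:\Inbox" -User $User -AccessRights Reviewer

# 3. Automapping: add the user's DN to msExchDelegateListLink on the mailbox's AD account.
$UserDN = (Get-ADUser -Identity $User).DistinguishedName
Set-ADUser -Identity $Mailbox -Add @{ msExchDelegateListLink = $UserDN }

# Verify: the folder-level rights now in place on both folders,
# and the delegate list that drives automapping.
Get-MailboxFolderPermission -Identity "${Mailbox}:\"
Get-MailboxFolderPermission -Identity "${Mailbox}:\Inbox"
(Get-ADUser -Identity $Mailbox -Properties msExchDelegateListLink).msExchDelegateListLink
```

The verification output is worth keeping with the change request: Reviewer on the Inbox and FolderVisible on the root is exactly the set of rights that should show up, and anything beyond that (for example a stray Editor or Owner entry) means the mailbox is less locked down than intended.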


Now let's log in as Steen Pedersen and start Outlook.


Let's try to delete a message and see what happens.


Also take a look at the “Delete” button when we open the mail: it is greyed out, just as we want.


Now let's change the scenario. In most cases we need to give permissions to a group of people. I have created a group “HR” as a security group. This is important, since we need a security group to assign permissions.

We will now give the group the same permissions as the user Steen Pedersen (FolderVisible on the top level and Reviewer on the Inbox).


We will also have to “automap” this mailbox for all the users in the “HR” group. Let's take a look at the msExchDelegateListLink attribute on the JobMailbox before we do this.

As you can see, the user “Steen Pedersen” is there; we added him earlier.


Now let's add all the users in the “HR” group. I guess there are more ways to do this, but I found this way usable.* (Look in the comments: Michal Rovnani managed to do this with a one-liner.)

First I export the users' distinguished names to a CSV file, then import it again and add all the users to the msExchDelegateListLink attribute of the JobMailbox.

Export the users:
Get-ADGroupMember HR | select distinguishedname | Export-Csv c:\Temp\DN.csv -Encoding Unicode

Import the users and set the attribute:
Import-Csv c:\temp\dn.csv | foreach {Set-ADUser Job -Add @{msExchDelegateListLink=$_.distinguishedname}}
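The group scenario as one script, without the CSV round-trip. This is an added example, not code from the original post; it assumes the Exchange Management Shell and the ActiveDirectory module are loaded, that "job" is the shared mailbox alias and "HR" the security group, as in the post. It goes a little beyond the post: it skips members that are already in msExchDelegateListLink (Set-ADUser -Add rejects a value that is already present) and reports delegates that are no longer group members.

```powershell
# Added example: grant the HR group read-only Inbox rights and sync automapping
# for its members. Assumes Exchange Management Shell + ActiveDirectory module.
Import-Module ActiveDirectory

$Mailbox = 'job'
$Group   = 'HR'

# Folder-level rights for the group: see the folder tree, read the Inbox only.
Add-MailboxFolderPermission -Identity "${Mailbox}:\" -User $Group -AccessRights FolderVisible
Add-MailboxFolderPermission -Identity "${Mailbox}:\Inbox" -User $Group -AccessRights Reviewer

# Current delegate list (may be empty, or hold users added earlier by hand).
$Existing = @((Get-ADUser -Identity $Mailbox -Properties msExchDelegateListLink).msExchDelegateListLink)

# Direct user members only; add -Recursive to Get-ADGroupMember to follow nested groups.
$Members   = Get-ADGroupMember -Identity $Group | Where-Object { $_.objectClass -eq 'user' }
$MemberDNs = @($Members | Select-Object -ExpandProperty DistinguishedName)

# Only DNs not already listed, so the write cannot fail on a duplicate value.
$ToAdd = @($MemberDNs | Where-Object { $Existing -notcontains $_ })

if ($ToAdd.Count -gt 0) {
    # One write with the whole list instead of one Set-ADUser call per member.
    Set-ADUser -Identity $Mailbox -Add @{ msExchDelegateListLink = $ToAdd }
    Write-Host "Added $($ToAdd.Count) delegate(s) to $Mailbox"
} else {
    Write-Host "Delegate list on $Mailbox already contains every member of $Group"
}

# Users who left the group keep the mailbox automapped until their DN is removed
# from the attribute; list them so the delegate list can be reviewed.
$Stale = @($Existing | Where-Object { $_ -and ($MemberDNs -notcontains $_) })
if ($Stale.Count -gt 0) { Write-Warning "Delegates not in ${Group}: $($Stale -join ', ')" }
```

The stale-entry warning is deliberately a report rather than a removal: an entry like the single user added earlier may be there on purpose, so someone should decide per entry whether to keep it.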


Let's see if it worked. Here we take a look again at the msExchDelegateListLink attribute of the JobMailbox, and as you can see all our users are there. The JobMailbox Inbox will now be automapped for those users. Don't mind the names of my test users 🙂

Summary
In this case we had two challenges: we had to give a group of users read-only access to the Inbox of a shared mailbox, and the mailbox then had to be automapped for those users.

It was possible to do, but the downside of the solution is the complexity. Most of the IT departments I meet don't like to do their work in PowerShell. They want to do it all in the EMC, but as you now know, the only permission we can give in the EMC is Full Access.

The best I can do is provide the IT supporters with the cmdlets they need, so they can do it with copy/paste when they need to set granular Outlook permissions.

Thanks for reading
Steen Pedersen

9 thoughts on “Granular Outlook Permissions”

  1. Michal Rovnani

    Hi, thank you very much for your article, it is very helpful.

    I just tried to omit that export-import step and do it as a one-liner like this:
    Get-ADGroupMember HR | select distinguishedname | foreach {Set-ADUser Job -Add @{msExchDelegateListLink=$_.distinguishedname}}

    and it works. (It may be unusable for very populated groups).

    Second, I had to Exchange-enable the group to use it like this, simple AD universal/security group didn't work for me.

    Michal

    1. SteenPedersen

      Hi, thanks. Interesting question. I am not sure. I have not tried. I am looking at it now, and will let you know if I can. I can’t find the attribute but only the function Remove-MailboxPermission -ClearAutoMapping:$true and Automapping:$true. So the function seems to be different in Exchange Online.

      1. Daniel

        Yeah, “-AutoMapping” only works in conjunction with “FullAccess”. Eventually I contacted Microsoft about AutoMapping with ReadAccess and they told me, that it’s not possible using “msExchDelegateListLink” or any other way.

  2. Petr

    Hi, this is exactly what I was looking for 🙂 You save us hours of our time with users and adding mailboxes manually 🙂
    Cheers
    Petr

  3. Klaus

    Does someone still read the comment section? That would be great, because I want to know how I could delete all entries from msExchDelegateListLink 🙂

    1. SteenPedersen

      I do, as the only one I think 🙂

      You can use "Set-AdUser ALIAS -Clear msExchDelegateListLink"

      Then the mailbox will get removed from everyone, but they will still have access to it 🙂

      BR
      Steen

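The point made in the reply above, that clearing msExchDelegateListLink only stops the automapping while the folder permissions stay in place, is worth showing as a complete revocation for one user. This is an added example, not code from the post or its comments; it assumes the Exchange Management Shell and the ActiveDirectory module are loaded and uses the post's aliases "job" (shared mailbox) and "stp" (user).

```powershell
# Added example: fully revoke one user's read-only Inbox access.
# Assumes Exchange Management Shell + ActiveDirectory module; aliases as in the post.
Import-Module ActiveDirectory

$Mailbox = 'job'
$User    = 'stp'

# Stop automapping for this user only. -Remove takes out one DN;
# -Clear (as in the reply above) would drop every delegate at once.
$UserDN = (Get-ADUser -Identity $User).DistinguishedName
Set-ADUser -Identity $Mailbox -Remove @{ msExchDelegateListLink = $UserDN }

# The folder permissions are what actually grant access, so remove them as well,
# otherwise the user can still open the mailbox by adding it manually in Outlook.
Remove-MailboxFolderPermission -Identity "${Mailbox}:\Inbox" -User $User -Confirm:$false
Remove-MailboxFolderPermission -Identity "${Mailbox}:\" -User $User -Confirm:$false

# Verify: the user should appear on neither folder nor in the delegate list.
Get-MailboxFolderPermission -Identity "${Mailbox}:\Inbox"
Get-MailboxFolderPermission -Identity "${Mailbox}:\"
(Get-ADUser -Identity $Mailbox -Properties msExchDelegateListLink).msExchDelegateListLink
```

Doing the two parts in this order (attribute first, then permissions) avoids a window in which Outlook still tries to automap a mailbox the user can no longer open.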