As the title says, I need to limit certain permissions on an Office 365 shared mailbox. The users should be able to: read, send as, use categories/tags. They should not be able to move/delete mails. I know I have to use PowerShell; this is what I gathered so far:

# Setting SendAs, seems simple.
Add-RecipientPermission -Identity <SharedMailbox> -Trustee <User> -AccessRights SendAs
# Setting visibility. Reviewer = FolderVisible, ReadItems
Add-MailboxFolderPermission -Identity <SharedMailbox> -User <User> -AccessRights Reviewer

If there are entries already, I guess I should use Set-*.

Now for the tricky part: removing the permission to move/delete and add/keep permission to use tags. I've read through multiple resources, some telling the same, others different things. What I've got so far:

# I actually don't know why I should use this
Add-MailboxFolderPermission -Identity <SharedMailbox> -User <User> -AccessRights CreateItems
# Allow tagging
Add-MailboxFolderPermission -Identity <SharedMailbox> -User <User> -AccessRights EditAllItems
# Remove permission to move/delete
Remove-MailboxPermission -Identity <SharedMailbox> -User <User> -AccessRights DeleteItem

Now I've read somewhere that the refreshing of permissions can take up to two hours, which makes trial-and-error a fairly time-consuming task. So if you have any idea whether I'm on the right track or not, please let me know!

Thanks in advance

Edit: I did it, finally. In case anyone finds this useful, here's how I did it:

$order = 'shared@contoso.example'   # placeholder: the shared mailbox
$user  = 'alice@contoso.example'    # placeholder: the delegate
Add-MailboxPermission -Identity $order -User $user -AccessRights ReadPermission
Add-MailboxFolderPermission -Identity "${order}:\" -User $user -AccessRights ReadItems, FolderVisible, CreateItems, EditAllItems
Add-MailboxFolderPermission -Identity "${order}:\Inbox" -User $user -AccessRights ReadItems, FolderVisible, CreateItems, EditAllItems
Add-MailboxFolderPermission -Identity "${order}:\Calendar" -User $user -AccessRights ReadItems, FolderVisible, CreateItems, EditAllItems
Add-RecipientPermission -Identity $order -Trustee $user -AccessRights SendAs

The permission on the calendar is necessary to use the mailbox tags instead of your own.

user2898518
  • Are you sure this is possible within Exchange Online? You could perhaps micro-manage some stuff on folder scopes, but generally speaking that goes against the principle of a SHARED mailbox, IMO? Normally it is permission or not. You can have read access (Full Access) + optionally Send and/or SendOnBehalf permissions. – IT M Jun 06 '23 at 12:45

1 Answer

I did it, finally. In case anyone finds this useful, here's how I did it:

$order = 'shared@contoso.example'   # placeholder: the shared mailbox
$user  = 'alice@contoso.example'    # placeholder: the delegate
Add-MailboxPermission -Identity $order -User $user -AccessRights ReadPermission
Add-MailboxFolderPermission -Identity "${order}:\" -User $user -AccessRights ReadItems, FolderVisible, CreateItems, EditAllItems
Add-MailboxFolderPermission -Identity "${order}:\Inbox" -User $user -AccessRights ReadItems, FolderVisible, CreateItems, EditAllItems
Add-MailboxFolderPermission -Identity "${order}:\Calendar" -User $user -AccessRights ReadItems, FolderVisible, CreateItems, EditAllItems
Add-RecipientPermission -Identity $order -Trustee $user -AccessRights SendAs

The permission on the calendar is necessary to use the mailbox tags instead of your own.

user2898518
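The answer's steps gathered into one script, as an added example (not the asker's code): it falls back to Set-MailboxFolderPermission where an entry already exists, since Add- fails on a duplicate, and then reads the effective folder rights back so you can confirm that no delete right or delete-capable role slipped in. The mailbox and delegate addresses and the folder list are placeholders; the ExchangeOnlineManagement module is assumed to be installed.

```powershell
# Added example, not the asker's code. Replace the two placeholder addresses.
$Shared = 'orders@contoso.example'   # placeholder: shared mailbox
$User   = 'alice@contoso.example'    # placeholder: delegate

# Read, create and edit all items (needed for categories), but no Delete* right
# and no FolderOwner, so the delegate can neither delete nor move items away.
$Rights  = 'ReadItems', 'FolderVisible', 'CreateItems', 'EditAllItems'
# '\' is the mailbox root; Calendar is included because it carries the category list.
$Folders = '\', '\Inbox', '\Calendar'

Connect-ExchangeOnline -ShowBanner:$false

# Mailbox-level rights, as in the answer: SendAs plus ReadPermission.
Add-RecipientPermission -Identity $Shared -Trustee $User -AccessRights SendAs -Confirm:$false
Add-MailboxPermission -Identity $Shared -User $User -AccessRights ReadPermission

foreach ($f in $Folders) {
    $id = "${Shared}:$f"
    # Folder rights are not inherited, so every folder is handled on its own.
    $existing = Get-MailboxFolderPermission -Identity $id -User $User -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $id -User $User -AccessRights $Rights
    } else {
        Add-MailboxFolderPermission -Identity $id -User $User -AccessRights $Rights
    }
}

# Verification: flag any entry that still grants deletion, directly or through a role.
$RiskyRights = 'DeleteOwnedItems', 'DeleteAllItems', 'FolderOwner', 'Owner',
               'PublishingEditor', 'Editor', 'PublishingAuthor', 'Author', 'NonEditingAuthor'
foreach ($f in $Folders) {
    $id  = "${Shared}:$f"
    $p   = Get-MailboxFolderPermission -Identity $id -User $User
    $bad = @($p.AccessRights | Where-Object { $_ -in $RiskyRights })
    if ($bad.Count -gt 0) {
        Write-Warning "$id still grants $($bad -join ', ') to $User"
    } else {
        Write-Output "$id -> $($p.AccessRights -join ', ')"
    }
}
```

Because permission changes can take a while to propagate, the verification loop reports what Exchange has recorded, not necessarily what Outlook already enforces.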