How to Add Calendar Permissions in Office 365/Exchange via PowerShell?

This is a tutorial on how to view, add and remove mailbox calendar permissions on Microsoft 365 (ex-Office-365) and on-premises Exchange Server via PowerShell. For example, you need to grant read permissions to the room mailbox calendar for a few users. You can grant room mailboxes calendar permissions for specific users or an AD group. With this approach, you only need to grant access to the mailbox calendar to a specific group of users once. After that, to grant access to the calendar to a new user you should simply add a user to the Active Directory group (without changing mailbox calendar permissions via PowerShell).

Users can independently grant the necessary permissions for Outlook mailbox folders and items to other users (from the Outlook/OWA interface). Unfortunately, in Exchange 2019/2016/2013 and Exchange Online (Office 365), the administrator cannot centrally manage calendar permissions from the GUI (Exchange MMC, EAC — Exchange Administration Center, or Microsoft 365 admin portal). However, you can use a built-in Add-MailboxFolderPermission cmdlet, which allows managing user permissions on any user’s mailbox folder from PowerShell. You can use this cmdlet to manage calendar permissions in on-premises Exchange Server organizations and Microsoft 365 tenants.

Connecting Microsoft 365 or Exchange Server from PowerShell

First, you need to connect to your Microsoft 365 or on-premises Exchange tenant.

Connecting to Microsoft 365 (Exchange Online) tenant with PowerShell:

1. Open the Windows PowerShell console;
2. Check if the Exchange Online PowerShell V2 (EXO V2) is installed on the computer:

   Get-InstalledModule ExchangeOnlineManagement

   If the module is missing, you can install it from the PowerShell Online Gallery using the following command:

   Install-Module PowershellGet

   

3. Run the following command to connect to your Exchange Online tenant:

   Connect-ExchangeOnline -UserPrincipalName kirill@theitbros.onmicrosoft.com -ShowProgress $true

   

By default, Microsoft Modern Authentication is used to sign in. Specify your Microsoft 365 tenant admin credentials. If you have MFA (Multi-Factor Authentication) enabled for your Azure account, you must confirm your account login with your second factor.

Connecting to On-prem Exchange Server with PowerShell:

You can remotely connect to your on-prem Exchange Server 2010, 2013, 2016, and 2019 using PowerShell (you do not need to install the Exchange Management Shell on your computer):

1. Save your Exchange administrator’s credentials into the PowerShell variable:

   $LiveCred = Get-Credential

2. Establish a remote PowerShell session with your Exchange CAS server over HTTPS using the Kerberos authentication (replace ny-msg-02 with the FQDN of your on-prem Exchange Server):

   $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ny-msg-02/powershell/ -Credential $LiveCred -Authentication Kerberos

3. Allow running digitally signed scripts by setting the PowerShell Execution Policy value to RemoteSigned:

   Set-ExecutionPolicy RemoteSigned

4. The next step is to import Exchange management commands from a remote Exchange Server host to your PowerShell console:

   Import-PSSession $Session -DisableNameChecking

   
   

Hint. If you logged in directly to the on-premises Exchange server, you can either start the Exchange Management Shell right away, or run a regular PowerShell.exe CLI, and load Exchange cmdlets with the command:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

You can use the following basic PowerShell cmdlets to manage calendar permissions in Exchange or Microsoft 365:

• Add-MailboxFolderPermission;
• Set-MailboxFolderPermission;
• Get-MailboxCalendarFolder;
• Remove-MailboxFolderPermission;
• Get-MailboxFolderPermission.

How to Get Mailbox Calendar Permissions Using PowerShell?

You can view current calendar (folder-level) permissions of the specified mailbox by using the Get-MailboxFolderPermission cmdlet (change the username to the user account you want to check calendar permissions for):

Get-MailboxFolderPermission cyril@theitbros.onmicrosoft.com:\calendar

FolderName User AccessRights SharingPermissionFlags
———- —- ———— ———————-
Calendar Default {AvailabilityOnly}
Calendar Anonymous {None}
Calendar Alex {Reviewer}
Calendar Henrietta {Editor}

Note. If this command returns that ‘username:\calendar’ cannot be found, most likely the user has Outlook language settings other than English. Appropriately, the Calendar folder name can be different (calendar\kalender\calendario\calendrier\календарь). For example, to view calendar permissions for the Dutch Language (nl-NL) use the command:

Get-MailboxFolderPermission username:Agenda

You can get the name of the calendar in the current user’s regional configuration with the command:

(Get-MailboxFolderStatistics username -FolderScope Calendar).Identity

As you can see, the default AvailabilityOnly role is assigned on a calendar folder only.

Note. By default, in Exchange Server organization and Microsoft 365 (Exchange Online) tenant users can’t view Outlook e-mails or calendar items of other users. The only permission that is provided to all users by default is the ability to view the Free/Busy information in other users’ calendars (this is the AvailabilityOnly role).

You can get the list of all mailbox calendars permissions in your organization using the following command:

Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_”:\calendar”} | Where {$_.User -like “Default”} | Select Identity, User, AccessRights

Tip. In on-premise Exchange, you can view a user’s calendar settings in a specific mailbox database using the following command (Change mbxdbname to the name of your Exchange mailbox database):

Get-Mailbox –database mbxdbname | ForEach-Object {get-MailboxFolderPermission $_”:\calendar”}

Using PowerShell, you can find all the calendars in your organization/tenant that a particular user has been granted access to. In this example, we want to display a list of user mailboxes whose calendars are allowed to be accessed by a user named Muller:

Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_":\calendar"} | Where {$_.User -like “*Mueller*”} | Select Identity, User, AccessRights

The list of users whose calendars the user can access are listed in the Identity column. The AccessRights field specifies the current calendar permissions.

Tip. You can use the Get-EXOMailboxFolderPermission cmdlet instead of Get-MailboxFolderPermission to view the permissions of mailbox items in the Exchange Online PowerShell V2 module.

Outlook Calendar Roles and Permissions

When managing calendar and Outlook folder permissions, you can use the following predefined permissions level roles:

• Owner — gives full control of the mailbox folder: read, create, modify, and delete all items and folders. Also, this role allows to manage item’s permissions;
• PublishingEditor — read, create, modify, and delete items/subfolders (all permissions, except the right to change permissions);
• Editor — read, create, modify, and delete items (can’t create subfolders);
• PublishingAuthor — create, and read all items/subfolders. You can modify and delete only items you create;
• Author — create and read items. Edit and delete own items;
• NonEditingAuthor — full read access, and create items. You can delete only your own items;
• Reviewer — read folder items only;
• Contributor — create items and folders (can’t read items);
• AvailabilityOnly — read Free/Busy info from the calendar;
• LimitedDetails — view availability data with calendar item subject and location;
• None — no permissions to access folders and files.

You can also use granular permissions to fine-tune the access rights to the mailbox calendar. The following values are available:

• CreateItems;
• CreateSubfolders;
• DeleteAllItems;
• DeleteOwnedItems;
• EditAllItems;
• EditOwnedItems;
• FolderContact;
• FolderOwner;
• FolderVisible;
• ReadItems.

The Permission Level roles described above are just a set of granular permissions. For example, the Editor role is a set of the following individual permissions:

• CreateItems
• DeleteAllItems
• DeleteOwnedItems
• EditAllItems
• EditOwnedItems
• FolderVisible
• ReadItems

These permissions can be set using the –AccessRights parameter of the Set-MailboxFolderPermission cmdlet.

Adding Calendar Permissions in Office 365 or Exchange Server Using PowerShell

In order to grant user2 the permission to view and edit user1 calendar items, run the following command:

Add-MailboxFolderPermission -Identity user1@domain.com:\calendar -user user2@domain.com -AccessRights Editor

If some of the items in the calendar are marked as Private, you can allow delegating the permissions to view Private calendar items. Use the command:

Add-MailboxFolderPermission –Identity user1@domain.com:\calendar –User user2@domain.com -AccessRights Editor -SharingPermissionFlags Delegate,CanViewPrivateItems

Also, you can prepare a CSV file with a list of users, and assign them permissions to access a specific user’s calendar:

Import-Csv users.csv | foreach { add-MailboxFolderPermission -Identity "user1@domain.com:\calendar" -User $_.alias -AccessRights Owner }

In some cases, you need to grant a specific user (for example, a secretary) the permission to manage all calendars in the organization:

Foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) { Add-MailboxFolderPermission -identity "$($Mailbox.Name):\Calendar" -AccessRights Editor -User secretary }

You can use the parameter SendNotificationToUser of the Set-MailboxFolderPermission cmdlet to generate a “share invitation” email that summarizes your changes. The option -SendNotificationToUser $true can be used only when you set one of the following permissions via the AccessRights parameter: AvailabilityOnly, LimitedDetails, Reviewer, or Editor. The following command will send a sharing invitation to the user2:

Add-MailboxFolderPermission -Identity user1@domain.com:\calendar -user user2@domain.com -AccessRights Editor -SendNotificationToUser $true

This is what the sharing invitation will look like in Outlook:

You’re invited to share this calendar.
UserName has invited you to view his or her Calendar. Click the Open button above.

How to Change or Remove Mailbox Calendar Permissions with PowerShell?

If you need to change the Default permissions for the calendar folder (to allow all organization users to view a calendar of the specified user), run the command:

Set-MailboxFolderPermission -Identity user1@domain.com:\calendar -User Default -AccessRights Reviewer

Check the current calendar permissions again with the Get-MailboxFolderPermissions cmdlet. They should change:

Get-MailboxFolderPermission -Identity user1@domain.com:\calendar

FolderName User AccessRights
———- —- ————
Calendar Default {Reviewer}
Calendar Anonymous {None}
Calendar user2 {Editor}

You can also grant permissions for the mailbox not to an individual user, but to the Exchange distribution group:

New-DistributionGroup -Type Security -Name “Resource Calendar Owners” -Alias “grResourceCalendarAccess” 

add-MailboxFolderPermission -Identity user1@domain.com:\calendar -User grResourceCalendarAccess -AccessRights Owner

In some cases, you need to grant Reviewer permissions on a calendar folder in all user’s mailboxes in your Exchange organization. You can make this bulk calendar permissions change using a simple PowerShell script. To change the Default calendar permission for all mailboxes to Reviewer:

foreach($usermbx in Get-Mailbox  -RecipientTypeDetails UserMailbox) { 

$usercalendar = $usermbx.alias+":\Calendar" 

Set-MailboxFolderPermission -Identity $usercalendar -User Default -AccessRights Reviewer 

}

Use the Remove-MailboxFolderPermission cmdlet to remove the calendar permissions:

Remove-MailboxFolderPermission -Identity user1@domain.com:\calendar –user user2@domain.com

If you want to reset the user’s calendar permissions to default, then run:

Get-MailboxFolderPermission brett.jackson:\Calendar | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User }

To exclude some “default” permissions entries from the removing script, use the following PowerShell one-liner:

Get-MailboxFolderPermission brett.jackson:\Calendar | ? {$_.User -notmatch "^(Default|Secretary|Anonymous)$"} | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User.ADRecipient.ExchangeObjectId.Guid -Confirm:$false }

Now you can disconnect your PowerShell session from Microsoft 365/Exchange Server:

Remove-PSSession $Session

Adding Shared Calendar in Outlook 365/2019/2016?

In order to view other calendars in Outlook 365/2019/2016 (including room resources, Shared calendars), you should switch to the calendar view and select the calendar type you want to add. You can select a user from Address Book (Global Address List – GAL), Open Shared Calendar (you should specify user name), Room List, and Internet (web-calendar).

For example, you want to add a calendar from the Global Address List. Find the calendar name you want to add to Outlook and click OK. The shared calendar should appear under the My Calendars in Shared Calendars section.

• About
• Latest Posts

Brian Jackson

Brian Jackson started this blog in 2011. Brian has a huge passion for WordPress and technology for over a decade. Brian enjoys blogging, movies, and hiking.

Latest posts by Brian Jackson (see all)

• How to Add Calendar Permissions in Office 365/Exchange via PowerShell? - October 6, 2022
• Using Tnsnames.ora File in SQL Developer - July 12, 2022
• Activate Windows with KMS Server - July 2, 2022