Granting access to and modifying calendar permissions in Office 365/Exchange will undoubtedly be a common task for administrators. This tutorial is on viewing, adding, and removing mailbox calendar access on Microsoft 365 ( formerly Office 365) and on-premises Exchange Server via PowerShell.
How to grant calendar permissions in Office 365, and why you may need it?
What if you need to add calendar permission to a specific calendar? For example, you need to modify calendar permissions and add permissions, including “read” permissions, to the room mailbox calendar for a few users.
You can grant room mailbox calendar permissions for specific users or an AD group. With this approach, you only need to grant access to the mailbox calendar to a specific group of users once.
After that, to grant access to the calendar to a new user you should add a user to the Active Directory group (without the need to modify existing permissions via PowerShell).
Users can independently grant the necessary permissions for Outlook mailbox folders and items to other users (from the Outlook/OWA interface).
Manage users permissions with Add-MailboxFolderPermission cmdlet
Unfortunately, in Exchange 2019/2016/2013 and Exchange Online (Office 365), the administrator cannot centrally manage default user calendar permissions from the GUI (Exchange MMC, EAC — Exchange Administration Center, or Microsoft 365 admin portal), including adding permissions and viewing existing calendar permissions.
However, you can use a built-in Add-MailboxFolderPermission cmdlet to manage user permissions on any user’s mailbox folder from PowerShell, including modifying existing permissions, and you can change default calendar permission settings.
This cmdlet can use the add calendar permissions in Office 365 PowerShell approach to manage calendar permissions in on-premises Exchange Server organizations and Microsoft 365 tenants.
Set Calendar permissions through PowerShell
First, connect to your Microsoft 365 or on-premises Exchange tenant.
Connecting to Microsoft 365 (Exchange Online) tenant with PowerShell
- Open the Windows PowerShell console;
- Check if the Exchange Online PowerShell V3 (EXO V3) is installed on the computer:
Get-InstalledModule ExchangeOnlineManagement
If the module is missing, you can install it from the PowerShell Online Gallery using the following command:
Install-Module PowershellGet
- Run the following command to connect to your Exchange Online tenant:
Connect-ExchangeOnline -UserPrincipalName kirill@theitbros.onmicrosoft.com -ShowProgress $true
By default, Microsoft Modern Authentication is used to sign in. Specify your Microsoft 365 tenant admin credentials. If you have MFA (Multi-Factor Authentication) enabled for your Azure account, you must confirm your account login with your second factor.
Connecting to On-prem Exchange Server with PowerShell
You can remotely connect to your on-prem Exchange Server 2010, 2013, 2016, and 2019 using PowerShell (you do not need to install the Exchange Management Shell on your computer):
- Save your Exchange administrator’s credentials into the PowerShell variable:
$LiveCred = Get-Credential
- Establish a remote PowerShell session with your Exchange CAS server over HTTPS using the Kerberos authentication (replace ny-msg-02 with the FQDN of your on-prem Exchange Server):
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ny-msg-02/powershell/ -Credential $LiveCred -Authentication Kerberos
- Allow running digitally signed scripts by setting the PowerShell Execution Policy value to RemoteSigned:
Set-ExecutionPolicy RemoteSigned
- The next step is to import Exchange management commands from a remote Exchange Server host to your PowerShell console:
Import-PSSession $Session -DisableNameChecking
Hint. If you logged in directly to the on-premises Exchange server, you can either start the Exchange Management Shell right away, or run a regular PowerShell.exe CLI, and load Exchange cmdlets with the command:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
You can use the following basic PowerShell cmdlets to manage calendar permissions in Exchange or Microsoft 365:
- Add-MailboxFolderPermission;
- Set-MailboxFolderPermission;
- Get-MailboxCalendarFolder;
- Remove-MailboxFolderPermission;
- Get-MailboxFolderPermission.
Getting mailbox calendar permissions using PowerShell
You can view existing calendar permissions, calendar folders permissions of the specified mailbox by using the Get-MailboxFolderPermission cmdlet (change the username to the user account you want to check calendar permissions for):
Get-MailboxFolderPermission cyril@theitbros.onmicrosoft.com:\calendar
FolderName User AccessRights SharingPermissionFlags
———- —- ———— ———————-
Calendar Default {AvailabilityOnly}
Calendar Anonymous {None}
Calendar Alex {Reviewer}
Calendar Henrietta {Editor}
Note. If this command returns that ‘username:\calendar’ cannot be found, most likely the user has Outlook language settings other than English. Appropriately, the Calendar folder name can be different (calendar\kalender\calendario\calendrier\календарь). For example, to view calendar permissions for the Dutch Language (nl-NL) use the command:
Get-MailboxFolderPermission username:Agenda
You can get the name of the calendar in the current user’s regional configuration with the command:
(Get-MailboxFolderStatistics username -FolderScope Calendar).Identity
As you can see, the default AvailabilityOnly role is assigned on a calendar folder only.
Note. By default, in Exchange Server organization and Microsoft 365 (Exchange Online) tenant users can’t view Outlook e-mails or calendar items of other users. The only permission that is provided to all users by default is the ability to view the Free/Busy information in other users’ calendars (this is the AvailabilityOnly role).
List all mailbox calendars permissions in Office 365
You can get the list of all mailbox calendars permissions in your organization using the following command:
Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_”:\calendar”} | Where {$_.User -like “Default”} | Select Identity, User, AccessRights
Tip. In on-premise Exchange, you can view a user’s calendar settings in a specific mailbox database using the following command (Change mbxdbname to the name of your Exchange mailbox database):
Get-Mailbox –database mbxdbname | ForEach-Object {get-MailboxFolderPermission $_”:\calendar”}
Find calendars a user has been granted access to
Using PowerShell, you can find all the calendars in your organization/tenant that a particular user has been granted access to. In this example, we want to display a list of user mailboxes whose calendars are allowed to be accessed by a user named Muller:
Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_":\calendar"} | Where {$_.User -like “*Mueller*”} | Select Identity, User, AccessRights
The list of users whose calendars the user can access are listed in the Identity column. The AccessRights field specifies the current calendar permissions.
Tip. You can use the Get-EXOMailboxFolderPermission cmdlet instead of Get-MailboxFolderPermission to view the permissions of mailbox items in the Exchange Online PowerShell V3 module.
Understanding Outlook calendar roles and permissions
When managing calendar and Outlook folder permissions, you can use the following predefined permissions level roles:
- Owner — gives full control of the mailbox folder: read, create, modify, and delete all items and folders. Also, this role allows to manage item’s permissions;
- PublishingEditor — read, create, modify, and delete items/subfolders (all permissions, except the right to change permissions);
- Editor — read, create, modify, and delete items (can’t create subfolders);
- PublishingAuthor — create, and read all items/subfolders. You can modify and delete only items you create;
- Author — create and read items. Edit and delete own items;
- NonEditingAuthor — full read access, and create items. You can delete only your own items;
- Reviewer — read folder items only;
- Contributor — create items and folders (can’t read items);
- AvailabilityOnly — read Free/Busy info from the calendar;
- LimitedDetails — view availability data with calendar item subject and location;
- None — no permissions to access folders and files.
You can also use granular permissions to fine-tune the access rights to the mailbox calendar. The following values are available:
- CreateItems;
- CreateSubfolders;
- DeleteAllItems;
- DeleteOwnedItems;
- EditAllItems;
- EditOwnedItems;
- FolderContact;
- FolderOwner;
- FolderVisible;
- ReadItems.
The Permission Level roles described above are just a set of granular permissions. For example, the Editor role is a set of the following individual permissions:
- CreateItems
- DeleteAllItems
- DeleteOwnedItems
- EditAllItems
- EditOwnedItems
- FolderVisible
- ReadItems
These permissions can be set using the –AccessRights parameter of the Set-MailboxFolderPermission cmdlet.
Adding calendar permissions in Office 365 or Exchange Server using PowerShell
In order to grant user2 the permission to view and edit user1 calendar items, run the following command:
Add-MailboxFolderPermission -Identity user1@domain.com:\calendar -user user2@domain.com -AccessRights Editor
If some of the items in the calendar are marked as Private, you can allow delegating the permissions to view Private calendar items. Use the command:
Add-MailboxFolderPermission –Identity user1@domain.com:\calendar –User user2@domain.com -AccessRights Editor -SharingPermissionFlags Delegate,CanViewPrivateItems
Also, you can prepare a CSV file with a list of users, and assign them permissions to access a specific user’s calendar:
Import-Csv users.csv | foreach { add-MailboxFolderPermission -Identity "user1@domain.com:\calendar" -User $_.alias -AccessRights Owner }
In some cases, you need to grant a specific user (for example, a secretary) the permission to manage all calendars in the organization:
Foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) { Add-MailboxFolderPermission -identity "$($Mailbox.Name):\Calendar" -AccessRights Editor -User secretary }
You can use parameter SendNotificationToUser of the Set-MailboxFolderPermission cmdlet to generate a “share invitation” email that summarizes your changes. The option -SendNotificationToUser $true can be used only when you set one of the following permissions via the AccessRights parameter: AvailabilityOnly, LimitedDetails, Reviewer, or Editor. The following command will send a sharing invitation to the user2:
Add-MailboxFolderPermission -Identity user1@domain.com:\calendar -user user2@domain.com -AccessRights Editor -SendNotificationToUser $true
This is what the sharing invitation will look like in Outlook:
You’re invited to share this calendar.
UserName has invited you to view his or her Calendar. Click the Open button above.
How to Change or Remove Calendar Permissions with PowerShell?
If you need to change the Default permissions for the calendar folder (to allow all organization users to view a calendar of the specified user), run the command:
Set-MailboxFolderPermission -Identity user1@domain.com:\calendar -User Default -AccessRights Reviewer
Check the current calendar permissions again with the Get-MailboxFolderPermissions cmdlet. They should change:
Get-MailboxFolderPermission -Identity user1@domain.com:\calendar
FolderName User AccessRights
———- —- ————
Calendar Default {Reviewer}
Calendar Anonymous {None}
Calendar user2 {Editor}
You can also grant permissions for the mailbox not to an individual user, but to the Exchange distribution group:
New-DistributionGroup -Type Security -Name “Resource Calendar Owners” -Alias “grResourceCalendarAccess” add-MailboxFolderPermission -Identity user1@domain.com:\calendar -User grResourceCalendarAccess -AccessRights Owner
Sometimes, you need to grant Reviewer permissions on a calendar folder in all user’s mailboxes in your Exchange organization.
You can make this bulk calendar permissions change using a simple PowerShell script. To change the Default calendar permission for all mailboxes to Reviewer:
foreach($usermbx in Get-Mailbox -RecipientTypeDetails UserMailbox) {
$usercalendar = $usermbx.alias+":\Calendar"
Set-MailboxFolderPermission -Identity $usercalendar -User Default -AccessRights Reviewer
}
Use the Remove-MailboxFolderPermission cmdlet for removing calendar permissions:
Remove-MailboxFolderPermission -Identity user1@domain.com:\calendar –user user2@domain.com
If you want to reset the user’s calendar permissions to default, then run:
Get-MailboxFolderPermission brett.jackson:\Calendar | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User }
To exclude some “default” permissions entries from the removing script, use the following PowerShell one-liner:
Get-MailboxFolderPermission brett.jackson:\Calendar | ? {$_.User -notmatch "^(Default|Secretary|Anonymous)$"} | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User.ADRecipient.ExchangeObjectId.Guid -Confirm:$false }
Now you can disconnect your PowerShell session from Microsoft 365/Exchange Server:
Remove-PSSession $Session
Adding Shared Calendar in Outlook
In order to view other calendars in Outlook 365/2019/2016 (including room resources, Shared calendars), you should switch to the calendar view and select the calendar type you want to add.
You can select a user from Address Book (Global Address List – GAL), Open Shared Calendar (you should specify user name), Room List, and Internet (web-calendar).
For example, you want to add a calendar from the Global Address List. Find the calendar name you want to add to Outlook and click OK. The shared calendar should appear under the My Calendars in Shared Calendars section.
Add Calendar Permissions in Office 365 FAQs
What are the minimum requirements for running PowerShell commands to add calendar permissions in Office 365?
- You must have an active Office 365 subscription with Exchange Online licenses
- You need Windows PowerShell 5.1 or higher installed on your computer
- You need to connect to Office 365 using PowerShell cmdlets for Exchange Online
How can I view the current calendar permissions of a user in Office 365 using PowerShell?
- You can use the Get-MailboxFolderPermission cmdlet to view the current calendar permissions of a user in Office 365
- You need to specify the user’s email address and the type of folder (such as Calendar) in the cmdlet
How can I add a user to a shared calendar in Office 365 using PowerShell?
- You can use the Add-MailboxFolderPermission cmdlet to add a user to a shared calendar in Office 365
- You need to specify the user’s email address, the type of folder (such as Calendar), and the level of access you want to grant (such as Reviewer or Editor)
Can I add multiple users to a shared calendar in Office 365 using PowerShell?
- You can add multiple users to a shared calendar in Office 365 using PowerShell
- You need to create a CSV file with the email addresses of the users you want to add, and then use the Import-CSV and ForEach-Object cmdlets in PowerShell to add the users one by one
Wrapping up
Managing user permissions in office 365 and on-premises environments is easily accomplished using PowerShell. While you can’t centrally manage calendar permissions using the GUI, you can use PowerShell to accomplish bulk permissions changes for calendar access folder-level permissions.
Adding, removing, and modifying permissions can be accomplished with PowerShell scripting. However, since changes can be made in bulk to add calendar permissions in office 365, admins must thoroughly test and ensure the script results in the desired outcome.
41 comments
I am getting the error that the [FailureCategory=Cmdlet-UserAlreadyExistsInPermissionEntryException]
I am pretty sure they tried to setup sharing themselves and they have away/busy information only. Do you know of a way to change the permissions or remove them so I can add the PublishingEditor permissions they need?
Thanks, this is very helpful! (Jason’s comment about Use Set-MailboxFolderPermission for existing users was also helpful.)
A couple things to add:
– “None” is also an available role
– You can specify “Default” for the user parameter
Awesome! Thanks!
Is there an option to set everyones mailbox to reviewer access? i.e so everyone can have review access?
Great info
Is it possible to use a group ( security / distribution ) to assign permissions rather than individual users ? We are looking at our resource calendars to do this on
Hey, Daniel!
Create new security distribution group:
New-DistributionGroup -Type Security -Name “Access to Resource Calendars” -Alias “grResourceCalendAcess”
And add users to this group.
Grant permissions to resource calendar:
add-MailboxFolderPermission -Identity user_name:Calendar -User grResourceCalendAcess -AccessRights Owner
Hey
Awesome! Thanks for the reply!
Cheers
Daniel
STEP 2: Connecting to remote server failed…..
I get an error when trying Import-PSSession $Session. It says “The term ‘Import’ is not recognized as the name of a cmdlet…etc.”
This is quite archaic. Is there no way to do this through the admin portal?
Worked fantastically!
If used in tandem with the PowerShell for Office 365 tool (which essentially has all of the modules built in and starts you at the domain admin login step) then it’s literally a one command job.
Very awesome :)
Getting the following error in step 7 when I run
Get-Mailbox –database mbxdbname | ForEach-Object {Set-MailboxFolderPermission $_”:\calendar” -User Default -AccessRights Reviewer}
I get:
A parameter cannot be found that matches parameter name ‘database’.
+ CategoryInfo : InvalidArgument: (:) [Get-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Get-Mailbox
+ PSComputerName : ps.outlook.com
Getting this error too.
remove: –database mbxdbname
Works well thanks. Annoying there is no GUI option in Exchange online but this will do.
I recieve and error about Get-MailboxFolderPermission username:\calendar.
Get-MailboxFolderPermission : The term ‘Get-MailboxFolderPermission’
is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.
At line:1 char:1
+ Get-MailboxFolderPermission
username:\calenda …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MailboxFolderPermis
sion:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Anyone else seeing this?
Thanks
Receiving the same error:
A positional parameter cannot be found that accepts argument ‘Get-MailboxFolderPermission $_”:\calendar”’.
+ CategoryInfo : InvalidArgument: (:) [Get-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Get-Mailbox
+ PSComputerName : ps.outlook.com
Heyhey!
For me it says for “username:\calendar” that it cannot be found… Just “username” is found. Any ideas how to access the calendar now? :(
Hi, if the person has outlook in a different language then you need to use that language for the :\calendar.
Example user1@domain.com:\calendar\kalender\calendario\calendrier
Hi all, i have read the comments and advise above and think that it will work. However, to me the remark was made that it should be possible to read someone else’s calender, but the items that are put in the calender and are marked as private should not be (or just be basic) visible to the person accessing the calender. Does “-AccessRights Reviewer” do that or do i need more? Our Personnel Officer needs access to the CEO’s calender except for the private items.
In ExchangeOnline the option is:
-SharingPermissionFlags Delegate,CanViewPrivateItems
Nice write-up, thanks for the help.
1) I’d like to hear an answer to Paul’s question as well.
2) Trying to see the default user calendar permissions throws an error for me. When I run this:
” Get-MailboxFolderPermission Default:\calendar”
I get this:
“The specified mailbox “Default” doesn’t exist.
+ CategoryInfo : NotSpecified: (:) [Get-MailboxFolderPermission], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=BYAPR11MB3510,RequestId=929235a4-b9f6-4188-8fd1-2ea5ce344d0b,TimeStamp=7/8/2019 7:35:43 PM
] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] F470BBDC,Microsoft.Exchange.Management.StoreTasks.GetMailboxFol
derPermission
+ PSComputerName : outlook.office365.com”
Thank you so much for putting up this tutorial, It really helped me a lot!
for you information
Step 5. Viewing Current Calendar Permissions with PowerShell
last script are CHANGING permissions not only viewing.
Get-Mailbox –database mbxdbname | ForEach-Object {Set-MailboxFolderPermission $_”:\calendar” -User Default -AccessRights Reviewer}
I would like to see if there is a way to change the calendar permissions for an entire group. Just like how you gave a group permissions, I want the group to be the object with the calendar.
Hi
I am struggle to find out how to allow one user to add user defined fields to another users calendar
I have a COM integration that works fine for my own calendar but I cannot find any way to set for another user to set their permissions on their calendar to allow me to add the field
I can create/update/delete appointments fine
Specifically I need this to return an odd number https://docs.microsoft.com/en-us/previous-versions/office/developer/office-2007/cc979218(v=office.12)
But no matter what I try in the user interface I cannot get it to return anything other than 18 which is MAPI_ACCESS_READ+MAPI_ACCESS_CREATE_CONTENTS
Thanks
Hi,
i can see that the access has been granted, but the calander does not appear on the OWA or on outlook
thanks
When running:
> Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
I get the error:
Add-PSSnapin : No snap-ins have been registered for Windows PowerShell version 5.
At line:1 char:1
+ Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Microsoft.Excha…werShell.SnapIn:String) [Add-PSSnapin], PSArgumentEx
ception
+ FullyQualifiedErrorId : AddPSSnapInRead,Microsoft.PowerShell.Commands.AddPSSnapinCommand
I keep getting an error for the Identity.
Cannot process argument transformation on parameter ‘Identity’. Cannot convert value “User@Domain.com:calendar” to type
“Microsoft.Exchange.Configuration.Tasks.MailboxFolderIdParameter”.
Input the correct Username and domain “Adminxxxx@xxxxx.xxx” then it will connect.
Great article.
Thank you for writing this.
1) DO NOT open PowerShell as Administrator as it makes no sense: local administrative permission doesn’t affect the remote system anyhow!
2) Microsoft is going or already moved connection to the Modern Authentication, which requires these commands:
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@youdomain.com -ShowProgress $true
Thanks for the post, still a ton of useful info in here. Quick tip for others: If you want to identify which Calendars one individual user has access to, modify the command:
Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_”:calendar”} | Where {$_.User -like “Default”} | Select Identity, User, AccessRights
Replacing “Default” with the name of the specific user for whom you want to identify permissions.
Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_”:calendar”} | Where {$_.User -like “Miles Morales”} | Select Identity, User, AccessRights
Hello I’m getting this error, when trying to create a new session to 0365:
New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12 + $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin gTransportException + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
Can you help?
Make sure you are signing in with an account with Global Admin privileges.
Thanks for sharing. I have written a script, which can generate 6 different calendar permission report based on your requirement.
https://o365reports.com/2021/11/02/get-calendar-permissions-report-for-office365-mailboxes-powershell/
I know this is a random question, but if you have given someone calendar access and it’s not appearing for them – do you need to give them mailbox access as well? I didn’t think you did unless there has been a change in recent months?
Probably a really dumb question but would I be able to share all the calendars of one security group with another? For instance could I do something like this?
add-MailboxFolderPermission -Identity grResources:\calendar -User grResourceCalendarAccess -AccessRights Owner
Essentially I’m looking only to share the calendars of a specific set of people with another specific set of people within a division.
Very nice article, thanks for posting!
Many thanks for this useful case.
So… have an Exchange on Prem 2019, CU12. This worked for me.. PARTIALLY…
I am able to create the shared mailbox/calendar and apply all the necessary permissions, the Get command shows the appropriate groups, or individuals, along with the correct permissions assigned. Here is the kicker… any machine, using Outlook, the Shared calendar can be opened by anyone assigned either Viewer or Owner role NP.. BUT from Outlook Owners cannot modify/edit the calendar, make entries etc… The same Owners logon via OWA and can edit appointments, modify , delete etc no issues at all. Workstations use Off 2019 Pro Plus, latest updates as of 3/2023…. outlook is in online mode
hi, I can’t even get past step 2 here. What am I missing? I have run Install-Module PowershellGet but keep getting the following when running Get-InstalledModule ExchangeOnlineManagement
PackageManagement\Get-Package : No match was found for the specified search criteria and module names
‘ExchangeOnlineManagement’.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:2253 char:9
+ PackageManagement\Get-Package @PSBoundParameters | Microsoft. …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft.Power…lets.GetPackage:GetPackage) [Get-Package], Exception
+ FullyQualifiedErrorId : NoMatchFound,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackage