This is a tutorial on how to view, add and remove mailbox calendar permissions on Office 365 (and on-premises Exchange) for your users via PowerShell. For example, you need to grant read permissions to room mailbox calendar for a few users. You can grant room mailboxes calendar permissions for specific users or for an AD security group. In most cases, you should to assign calendar permissions to a security group. In this case in order to grant access to the specific mailbox calendar, all you have to do is add the user to the Active Directory group (without changing mailbox calendar permissions via PowerShell).
By default, in Exchange and Office 365organization users can’t view Outlook e-mails or calendar items of other users. The only permission that is provided to all users by default is the ability to view the Free/Busy data in other user calendars (this is AvailabilityOnly role).
Users can independently grant the necessary permissions to Outlook mailbox folders and items to other users from the Outlook/OWA interface. Unfortunately, in Exchange 2016/2013 and Exchange Online (Office 365), the administrator cannot centrally manage calendar permissions from the GUI (Exchange MMC, EAC—Exchange Administration Center or Office 365 admin portal). But you can use a built-in Add-MailboxFolderPermission cmdlet, which allows you to manage user permissions on any users’ mailbox folder from PowerShell (this cmdlet first appeared in Exchange Server 2010). This cmdlet is also supported in Office 365.
Connecting Office 365/Exchange from PowerShell
First off all, you need to connect to your Office 365 or on-premises Exchange tenant.
Run the Windows PowerShell CLI as an Administrator.
Run the following command to save your administrator’s credentials into the PowerShell variable:
$LiveCred = Get-Credential
If you are trying to connect to Office 356, specify your Office 365 tenant admin credentials.
Note. How to connect and manage Office 365 using PowerShell.
Now you need to create a new session.
For Office 365:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $LiveCred -Authentication Basic –AllowRedirection
For Exchange Server 2010, 2013, 2016 and 2019:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<your-target-exchange-server-address>/powershell/ -Credential $LiveCred
Note. In our case when we try to run previous command to connect Exchange 2010 we’ve received an error:
[ny-msg-02] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The WinRM client tried to use Negotiate authentication mechanism, but the destination computer (ny-msg-02:443) returned an ‘access denied’ error. Change the configuration to allow Negotiate authentication mechanism to be used or specify one of the authentication mechanisms supported by the server. To use Kerberos, specify the local computer name as the remote destination. Also verify that the client computer and the destination computer are joined to a domain. To use Basic, specify the local computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by server.
In our environment in order to connect to the target Exchange CAS server we should use the http connection (instead of https) and Kerberos authentication. The connection command should look like this:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ny-msg-02/powershell/ -Credential $LiveCred -Authentication Kerberos
Next step is to import Office 365/ Exchange management commands from another session to your PowerShell console:
Import-PSSession $Session
Tip. It happens that when you run the Import-PSSession command, you get an error:
Import-PSSession : Files cannot be loaded since running scripts has been disabled on this system. Provide a valid certificate with which to sign the files.
In this case, you need to allow script executing, by setting the execution policy to RemoteSigned:
Set-ExecutionPolicy RemoteSigned
Hint. If you logged in directly to the on-premises Exchange server, you can either start the Exchange Management Shell right away, or start a regular Exchange Management Shell session and load Exchange cmdlets with the command:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
Get-MailboxFolderPermission: Get Calendar Permissions Using PowerShell
You can view current calendar (folder-level) permissions of the specified mailbox by using the Get-MailboxFolderPermission cmdlet (this cmdlet is available in the cloud-based service and in on-premises Exchange):
Get-MailboxFolderPermission username:\calendar
Change the username to the user account you want to check calendar permissions for.
Hint. If, when executing the following commands, you get an error:
Get-MailboxFolderPermission : The term ‘Get-MailboxFolderPermission’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again
This means that you did not complete the steps to connect to your Exchange/Office 365 tenant and did not import PowerShell Exchange cmdlets into your session. Carefully read and follow the steps from the previous paragraph.
Note. If this command returns that ‘username:calendar’cannot be found, it most likely means that the user has Outlook language settings other than English. Appropriately, the Calendar folder can be called differently (calendar\kalender\calendario\calendrier\календарь). For example, for the Dutch Language (nl-NL), to view calendar permissions, use the command:
Get-MailboxFolderPermission username:\Agenda
You can get the name of the calendar in the current user’s language configuration with the command:
(Get-MailboxFolderStatistics username -FolderScope Calendar).Identity
Check the current calendar permissions with the command:
Get-MailboxFolderPermission brett.jacson:\calendar
As you can see, the default AvailabilityOnly role is assigned on a calendar folder only.
You can get the list of all mailbox calendars permissions in your organization using the following command:
Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_”:\calendar”} | Where {$_.User -like “Default”} | Select Identity, User, AccessRights
Tip. In on premise Exchange, you can view user calendar settings in a specific mailbox database with the command:
Get-Mailbox –database mbxdbname | ForEach-Object {get-MailboxFolderPermission $_”:\calendar”}
Change mbxdbname to the name of your Exchange mailbox database.
Built-in Calendar and Mail Folder Access Roles
When managing calendar and mail folder permissions, you can use the following built-in Exchange roles:
- Owner — gives full control of the mailbox folder: read, create, modify and delete all items and folders. Also this role allows to manage items permissions;
- PublishingEditor — read, create, modify and delete items/subfolders (all permissions except the right to change permissions);
- Editor — read, create, modify and delete items (can’t create subfolders);
- PublishingAuthor — create, read all items/subfolders. You can modify and delete only items you create;
- Author — create and read items; edit and delete own items;
- NonEditingAuthor – full read access and create items. You can delete only your own items;
- Reviewer — read folder items only;
- Contributor — create items and folders (can’t read items);
- AvailabilityOnly — read Free/Busy info from the calendar;
- LimitedDetails;
- None — no permissions to access folder and files.
How to Add Office 365/Exchange Calendar Permissions Using PowerShell?
In order to grant user2 the permissions to view and edit user1 calendar items, run the following command:
Add-MailboxFolderPermission -Identity user1@domain.com:\calendar -user user2@domain.com -AccessRights Editor
If you need to change the Default permissions for the calendar folder (to allow all organization users view a calendar of the specified user), run the command:
Set-MailboxFolderPermission -Identity user1@domain.com:\calendar -User Default -AccessRights Reviewer
Check the current calendar permissions again using the Get-MailboxFolderPermissions cmdlet, they should change:
Get-MailboxFolderPermission -Identity user1@domain.com:\calendar
FolderName User AccessRights
———- —- ————
Calendar Default {Reviewer}
Calendar Anonymous {None}
Calendar user2 {Editor}
You can also grant permissions to the mailbox not to an individual user, but the Exchange distribution group.
New-DistributionGroup -Type Security -Name “Resource Calendar Owners” -Alias “grResourceCalendarAccess” add-MailboxFolderPermission -Identity user1@domain.com:\calendar -User grResourceCalendarAccess -AccessRights Owner
In some cases, you need to grant Reviewer permissions on a calendar folder in all user mailboxes in your Exchange organization. You can make this bulk calendar permissions change using a simple PowerShell script. To change Default calendar permission for all mailboxes to Reviewer:
Get-Mailbox | ForEach-Object {Set-MailboxFolderPermission $_”:\calendar” -User Default -AccessRights Reviewer}
Also, you can prepare a CSV file with a list of users and assign them permissions to access a specific user’s calendar:
Import-Csv users.csv | foreach { add-MailboxFolderPermission -Identity "user1@domain.com:\calendar" -User $_.alias -AccessRights Owner }
How to Add a Shared Calendar in Outlook 2016?
In order to view other calendars in Outlook 2016 (including room resources, Shared calendars) switch to the calendar view and select the calendar type that you want to add to. You can select user from Address Book (Global Address List – GAL), Open Shared Calendar (you should specify user name), Room List, Internet (web-calendar).
For example, you want to add calendar from the Global Address List. Find the calendar name you want to add to Outlook and click OK, The shared calendar should appear under My Calendars in Shared Calendars section.
Remove-MailboxFolderPermission: How to Remove and Reset Calendar Permissions via PowerShell?
To remove permission use Remove-MailboxFolderPermission cmdlet:
Remove-MailboxFolderPermission -Identity user1@domain.com:\calendar –user user2@domain.com
If you want to reset the user’s calendar permissions to default ones, run:
Get-MailboxFolderPermission brett.jackson:\Calendar | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User }
To exclude some “default” permissions entries from the removing script, use the following PowerShell one-liner:
Get-MailboxFolderPermission brett.jackson:\Calendar | ? {$_.User -notmatch "^(Default|Secretary|Anonymous)$"} | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User.ADRecipient.ExchangeObjectId.Guid -Confirm:$false }
Now you can disconnect your PowerShell session from Office 365/Exchange:
Remove-PSSession $Session
Alternative Script
Also see this PowerShell script on TechNet Gallery for setting calendar permissions in Office 365: Set Calendar Permission in Office 365 Exchange Online.
I am getting the error that the [FailureCategory=Cmdlet-UserAlreadyExistsInPermissionEntryException]
I am pretty sure they tried to setup sharing themselves and they have away/busy information only. Do you know of a way to change the permissions or remove them so I can add the PublishingEditor permissions they need?
Thanks, this is very helpful! (Jason’s comment about Use Set-MailboxFolderPermission for existing users was also helpful.)
A couple things to add:
– “None” is also an available role
– You can specify “Default” for the user parameter
Awesome! Thanks!
Is there an option to set everyones mailbox to reviewer access? i.e so everyone can have review access?
Great info
Is it possible to use a group ( security / distribution ) to assign permissions rather than individual users ? We are looking at our resource calendars to do this on
Hey, Daniel!
Create new security distribution group:
New-DistributionGroup -Type Security -Name “Access to Resource Calendars” -Alias “grResourceCalendAcess”
And add users to this group.
Grant permissions to resource calendar:
add-MailboxFolderPermission -Identity user_name:Calendar -User grResourceCalendAcess -AccessRights Owner
Hey
Awesome! Thanks for the reply!
Cheers
Daniel
STEP 2: Connecting to remote server failed…..
I get an error when trying Import-PSSession $Session. It says “The term ‘Import’ is not recognized as the name of a cmdlet…etc.”
This is quite archaic. Is there no way to do this through the admin portal?
Worked fantastically!
If used in tandem with the PowerShell for Office 365 tool (which essentially has all of the modules built in and starts you at the domain admin login step) then it’s literally a one command job.
Very awesome 🙂
Getting the following error in step 7 when I run
Get-Mailbox –database mbxdbname | ForEach-Object {Set-MailboxFolderPermission $_”:\calendar” -User Default -AccessRights Reviewer}
I get:
A parameter cannot be found that matches parameter name ‘database’.
+ CategoryInfo : InvalidArgument: (:) [Get-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Get-Mailbox
+ PSComputerName : ps.outlook.com
Getting this error too.
remove: –database mbxdbname
Works well thanks. Annoying there is no GUI option in Exchange online but this will do.
I recieve and error about Get-MailboxFolderPermission username:\calendar.
Get-MailboxFolderPermission : The term ‘Get-MailboxFolderPermission’
is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.
At line:1 char:1
+ Get-MailboxFolderPermission
username:\calenda …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MailboxFolderPermis
sion:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Anyone else seeing this?
Thanks
Receiving the same error:
A positional parameter cannot be found that accepts argument ‘Get-MailboxFolderPermission $_”:\calendar”’.
+ CategoryInfo : InvalidArgument: (:) [Get-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Get-Mailbox
+ PSComputerName : ps.outlook.com
Heyhey!
For me it says for “username:\calendar” that it cannot be found… Just “username” is found. Any ideas how to access the calendar now? 🙁
Hi, if the person has outlook in a different language then you need to use that language for the :\calendar.
Example user1@domain.com:\calendar\kalender\calendario\calendrier
Hi all, i have read the comments and advise above and think that it will work. However, to me the remark was made that it should be possible to read someone else’s calender, but the items that are put in the calender and are marked as private should not be (or just be basic) visible to the person accessing the calender. Does “-AccessRights Reviewer” do that or do i need more? Our Personnel Officer needs access to the CEO’s calender except for the private items.
Nice write-up, thanks for the help.
1) I’d like to hear an answer to Paul’s question as well.
2) Trying to see the default user calendar permissions throws an error for me. When I run this:
” Get-MailboxFolderPermission Default:\calendar”
I get this:
“The specified mailbox “Default” doesn’t exist.
+ CategoryInfo : NotSpecified: (:) [Get-MailboxFolderPermission], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=BYAPR11MB3510,RequestId=929235a4-b9f6-4188-8fd1-2ea5ce344d0b,TimeStamp=7/8/2019 7:35:43 PM
] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] F470BBDC,Microsoft.Exchange.Management.StoreTasks.GetMailboxFol
derPermission
+ PSComputerName : outlook.office365.com”
Thank you so much for putting up this tutorial, It really helped me a lot!
for you information
Step 5. Viewing Current Calendar Permissions with PowerShell
last script are CHANGING permissions not only viewing.
Get-Mailbox –database mbxdbname | ForEach-Object {Set-MailboxFolderPermission $_”:\calendar” -User Default -AccessRights Reviewer}
I would like to see if there is a way to change the calendar permissions for an entire group. Just like how you gave a group permissions, I want the group to be the object with the calendar.
Hi
I am struggle to find out how to allow one user to add user defined fields to another users calendar
I have a COM integration that works fine for my own calendar but I cannot find any way to set for another user to set their permissions on their calendar to allow me to add the field
I can create/update/delete appointments fine
Specifically I need this to return an odd number https://docs.microsoft.com/en-us/previous-versions/office/developer/office-2007/cc979218(v=office.12)
But no matter what I try in the user interface I cannot get it to return anything other than 18 which is MAPI_ACCESS_READ+MAPI_ACCESS_CREATE_CONTENTS
Thanks
Hi,
i can see that the access has been granted, but the calander does not appear on the OWA or on outlook
thanks