How to grant Exchange and Outlook mailbox permissions in Office 365 dedicated

Applies to: Exchange OnlineMicrosoft Business Productivity Online DedicatedMicrosoft Business Productivity Online Suite Federal

This article describes the various kinds of mailbox permissions that can be granted and how those permissions are granted in Microsoft Exchange Online and in Microsoft Outlook in Microsoft Office 365 dedicated/ITAR. There are several kinds of mailbox permissions that can be granted. Each permission is administered separately.

Note If full access permissions and "Send on Behalf" permissions are granted to a mailbox, users will actually send as the mailbox owner. This is expected behavior. For more information about this behavior and about a workaround that involves Microsoft Outlook 2010, click the following article number to view the article in the Microsoft Knowledge Base:
3045224 Can't send an email message when Full Access permission is granted to a shared mailbox in Exchange Server

How to add full access permissions


Full access permissions let a user directly sign in to a mailbox by using Outlook or Outlook Web Access (OWA) and then add that mailbox as a secondary mailbox in Outlook. However, full access permissions do not let the user send as or send on behalf of the mailbox. Those permissions are granted separately.

Exchange 2016
 
Exchange Admin Center (EAC) - This function is available when editing a Recipient and selecting mailbox delegation. This should not be confused with the “Delegate” type of permissions granted via Outlook. They are not the same types of permissions.

Remote PowerShell (RPS)

You can find step-by-step instructions for EAC and RPS at Manage Permissions for Recipients.
 
Exchange 2013
 
Exchange Admin Center (EAC) - This function is available when editing a Recipient and selecting mailbox delegation.  This should not be confused with the “Delegate” type of permissions granted via Outlook.  They are not the same types of permissions.

Remote PowerShell (RPS)

You can find step-by-step instructions for EAC and RPS at Manage Permissions for Recipients.

Exchange 2010
 
Customer Management Portal (CMP)
Remote PowerShell (RPS)

You can find more information about the RPS Add-MailboxPermission cmdlet at Add-MailboxPermission.

How to add "send on behalf" permissions (end-user)


End users can grant "send on behalf" only when adding a delegate via Outlook. Delegates can be granted permissions to folders, can receive meeting invites, and can receive "send on behalf" permissions for the mailbox. Starting in Exchange 2010, users can set delegates in Outlook only for their own mailboxes. Users cannot set delegates for shared mailboxes.

These permissions are added through Outlook. For more information, see the following articles.
 

Once you add someone as a delegate, they can add your Exchange mailbox folders to their Outlook profile. For instructions, see Manage another person's mail and calendar items.

Delegates added by the users in Outlook are granted "send on behalf" permissions automatically.

How to add "send on behalf" permissions (administrator)


"Send on behalf" permissions grant the user the ability to send mail from another user's mailbox.

These permissions can be added in two ways:
 
  1. In legacy dedicated, they can be synced from the partner's environment through MMSSPP. These permissions are synced through Microsoft Managed Solutions Service Provisioning Provider (MMSSPP) from the company's source environment. The value of this attribute, publicDelegates, overwrites any value that is set in the managed domain by Outlook or by Microsoft Online Services Support. After a mailbox is migrated, this value in the customer's source environment should be removed. 
  2. Administrators can also grant "send on behalf" permissions in the managed environment. They will need to include any existing objects and along with any new values.

Note If an administrator with access to a user's mailbox adds a delegate via Outlook, you will receive an warning that send-on-behalf has not been applied. See the following for more information:

2545238 "Delegates settings were not saved correctly" error when you try to add a delegate in Outlook in an Office 365 dedicated/ITAR environment

Exchange 2016
 
Exchange Admin Center (EAC) - This function is available when editing a Recipient and selecting mailbox delegation. This should not be confused with the “Delegate” type of permissions granted via Outlook. They are not the same types of permissions.
Remote PowerShell (RPS)

You can find step-by-step instructions for EAC and RPS at Manage Permissions for Recipients.
 
Exchange 2013
 
Exchange Admin Center (EAC) - This function is available when editing a Recipient and selecting mailbox delegation. This should not be confused with the “Delegate” type of permissions granted via Outlook. They are not the same types of permissions.
Remote PowerShell (RPS)

You can find step-by-step instructions for EAC and RPS at Manage Permissions for Recipients.

Exchange 2010
 
Customer Management Portal (CMP)
Remote PowerShell (RPS)

You can find more information about the RPS Set-Mailbox cmdlet at Set-Mailbox.

How to add "send as" permissions


"Send as" permissions grant the ability to send as a specific mailbox from Outlook and from OWA.

The following permissions can be added:
  • They can be synced from the customer's environment through Microsoft Managed Solutions Service Provisioning Provider. "Send as" permissions in the customer's environment are added to any "send as" permissions in the managed environment.
  • Administrators can also grant "send on behalf" permissions in the managed environment.
Exchange 2016
 
Exchange Admin Center (EAC) - This function is available when editing a Recipient and selecting mailbox delegation. This should not be confused with the “Delegate” type of permissions granted via Outlook. They are not the same types of permissions.

Remote PowerShell (RPS)

You can find step-by-step instructions for EAC and RPS at Manage Permissions for Recipients.
 
Exchange 2013
Exchange Admin Center (EAC) - This function is available when editing a Recipient and selecting mailbox delegation. This should not be confused with the “Delegate” type of permissions granted via Outlook. They are not the same types of permissions.
Remote PowerShell (RPS)

You can find step-by-step instructions for EAC and RPS at Manage Permissions for Recipients.


Exchange 2010
 
Customer Management Portal (CMP)

Remote PowerShell (RPS)

You can find more information about the RPS Add-ADPermission cmdlet at Add-ADPermission.

How to add mailbox folder permissions (end-user)


Mailbox folder permissions grant access to specific folders in a mailbox through Outlook. With folder-level permissions, an individual will not be able to access the actual mailbox of the owner, but only the folders in which folder-level permissions are given. There are different levels of access rights that can be given to an individual on a specific folder. Once the owner gives other individuals folder permissions, the folder becomes shared.

These permissions can be added by using the method that is described in the following Outlook articles.

Outlook 2016, 2013 and 2010

This article goes over what the end-user granting the permissions has do to as well as the steps the end-user receiving the permissions has to do to make the folders visible.

How to add mailbox folder permissions (administrator)


Use the Add-MailboxFolderPermission cmdlet to manage folder-level permissions for all folders in a user's mailbox.

Exchange 2016

Remote PowerShell (RPS)
You can find step-by-step instructions for the RPS Add-MailboxFolderPermission cmdlet at Add-MailboxFolderPermission.
 

Exchange 2013

Remote PowerShell (RPS)
You can find step-by-step instructions for the RPS Add-MailboxFolderPermission cmdlet at Add-MailboxFolderPermission.
 
Exchange 2010
Remote PowerShell (RPS)
You can find more information about the RPS Add-MailboxFolderPermission cmdlet at Add-MailboxFolderPermission.