Managing Office 365 Exchange Online shared mailboxes can be done in the Office 365 Admin Center, but managing them in PowerShell is much quicker and gives additional options not available in the GUI. In this article, I’ll show you how to work with shared mailboxes in Office 365 with PowerShell.

Managing mailboxes in Office 365 Exchange Online with PowerShell gives you access to more options, and in some cases, is faster than using the Office 365 Admin Center. To manage Exchange Online with PowerShell, you’ll first need to install the Microsoft Online Service Sign-in Assistant for IT Professionals and the Azure Active Directory Module for Windows PowerShell. (Please note: Both downloads are for 64-bit Windows; support for the 32-bit Azure Active Directory PowerShell module ended in October 2014.)

Connecting to Exchange Online

Before connecting to Office 365, you’ll need to update the Execution Policy on your management station to RemoteSigned. To do this, run a PowerShell session as Administrator, run the following, and answer Y when prompted:

Set-ExecutionPolicy RemoteSigned

Next, you’ll need to connect to Office 365 Exchange Online. I usually keep a copy of the three lines of PowerShell below in a standalone .ps1 file for quick access when I need to connect:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

This script will prompt for your Office 365 administrator credentials, connect to Exchange Online, and make the Office 365 PowerShell cmdlets available to you.

Creating and configuring a shared mailbox

Now that you’re connected to Exchange Online, you can create your first shared mailbox with PowerShell. The bare minimum you’ll need is:

New-Mailbox -Shared -Name $shared_mailbox_name

This is really just the bare bones and will get you a new shared mailbox that uses $shared_mailbox_name as the display name and email address. But where’s the fun in that? You’ll probably want something more like this:

New-Mailbox -Shared -DisplayName $shared_mailbox_displayname -Name $shared_mailbox_name -Alias $shared_mailbox_alias -PrimarySmtpAddress $shared_mailbox_primarysmtp

In our last one-liner, we added some new parameters. First off is the DisplayName parameter; this sets the name that shows when someone sends from the shared mailbox. Name is a required parameter that uniquely identifies the account. The Alias parameter sets the Exchange alias and will set the email address using the default domain that you’ve configured in Office 365. The PrimarySmtpAddress parameter specifies the default address for the mailbox. If you don’t specify PrimarySmtpAddress, New-Mailbox uses the Alias parameter to set the primary SMTP address.

Adding a user to the shared mailbox

Adding users to the shared mailbox is a two-step process. First, we’ll need to give the user access to the mailbox:

Add-MailboxPermission -Identity $shared_mailbox_primarysmtp -AccessRights FullAccess -InheritanceType All -AutoMapping:$true -User $mailbox_user

The Add-MailboxPermission cmdlet is responsible for giving users access to the shared mailbox. The Identity parameter accepts just about anything about the shared mailbox: alias, display name, SMTP address, etc. I typically use the primary SMTP address because that’s how most customers know the mailbox. The AccessRights parameter specifies what level of access the user needs; in almost all situations for a shared mailbox, you need FullAccess. The InheritanceType parameter set to All specifies that folders inherit the permissions. AutoMapping set to $true has Outlook automatically map the shared mailbox; setting it to $false prevents it from being mapped automatically. And finally, the User parameter is the end user you’re adding.

Next, we’ll need to give the end user permission to send as the account:

Add-RecipientPermission -Identity $shared_mailbox_primarysmtp -AccessRights SendAs -Confirm:$false -Trustee $mailbox_user

The Add-RecipientPermission cmdlet adds the user’s ability to send from the shared mailbox using its display name and primary SMTP instead of his or her own. The Identity parameter, like before, will take most input that can identify the mailbox. The AccessRights parameter sets the user’s permission and must be set to SendAs. Using Confirm set to $false ensures that your command runs without additional prompts. Finally, Trustee is the delegated user of the mailbox.

One other note—you can also use groups for granting access to shared mailboxes. Just be aware that groups don’t support automapping in Outlook.

Removing a user from a shared mailbox

Removing access simply changes the verb in the PowerShell cmdlets to Remove:

Remove-MailboxPermission -Identity $shared_mailbox_primarysmtp -AccessRights FullAccess -Confirm:$false -User $mailbox_user
Remove-RecipientPermission -Identity $shared_mailbox_primarysmtp -AccessRights SendAs -Confirm:$false -Trustee $mailbox_user
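
The grant and revoke steps above can be combined into a single reconciliation against a list of users who should have access. This is an added example, not code from the original article: Sync-SharedMailboxAccess is a hypothetical helper, the addresses are constructed samples, and it assumes a connected Exchange Online session and that Get-MailboxPermission and Get-RecipientPermission return users in the same format you pass in (UPNs here). Any group that should keep access must also be listed in -Members.

```powershell
# Added example: hypothetical helper, not part of the original article.
function Sync-SharedMailboxAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]   $Mailbox,  # shared mailbox, e.g. primary SMTP
        [Parameter(Mandatory = $true)][string[]] $Members   # desired users (assumed UPN format)
    )

    # Explicit grants only, filtered like the article's Get-* examples.
    $fullAccess = @(Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and "$($_.User)" -ne 'NT AUTHORITY\SELF' -and
                       ($_.AccessRights -join ',') -match 'FullAccess' } |
        ForEach-Object { "$($_.User)" })
    $sendAs = @(Get-RecipientPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and "$($_.Trustee)" -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { "$($_.Trustee)" })

    # Grant whatever is missing (both steps from the article).
    foreach ($user in $Members) {
        if ($fullAccess -notcontains $user -and
            $PSCmdlet.ShouldProcess($Mailbox, "Grant FullAccess to $user")) {
            Add-MailboxPermission -Identity $Mailbox -User $user -AccessRights FullAccess `
                -InheritanceType All -AutoMapping:$true | Out-Null
        }
        if ($sendAs -notcontains $user -and
            $PSCmdlet.ShouldProcess($Mailbox, "Grant SendAs to $user")) {
            Add-RecipientPermission -Identity $Mailbox -Trustee $user -AccessRights SendAs `
                -Confirm:$false | Out-Null
        }
    }

    # Revoke explicit grants held by anyone not on the desired list.
    foreach ($user in @($fullAccess | Where-Object { $Members -notcontains $_ })) {
        if ($PSCmdlet.ShouldProcess($Mailbox, "Revoke FullAccess from $user")) {
            Remove-MailboxPermission -Identity $Mailbox -User $user -AccessRights FullAccess -Confirm:$false
        }
    }
    foreach ($user in @($sendAs | Where-Object { $Members -notcontains $_ })) {
        if ($PSCmdlet.ShouldProcess($Mailbox, "Revoke SendAs from $user")) {
            Remove-RecipientPermission -Identity $Mailbox -Trustee $user -AccessRights SendAs -Confirm:$false
        }
    }
}

# Preview the changes first; drop -WhatIf to apply them. Addresses are constructed samples.
Sync-SharedMailboxAccess -Mailbox 'helpdesk@example.com' -Members 'alice@example.com','bob@example.com' -WhatIf
```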

Viewing shared mailbox permissions

To view the permissions of a shared mailbox, you can use the Get-MailboxPermission and Get-RecipientPermission cmdlets. By default, both these cmdlets show all of the inherited permissions and NT AUTHORITY\SELF accounts. However, you can use Where-Object to strip out that information and only display the users in your Office 365 tenant:

Get-MailboxPermission -Identity $shared_mailbox_primarysmtp | Where-Object {($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")}
Get-RecipientPermission -Identity $shared_mailbox_primarysmtp | Where-Object {($_.IsInherited -eq $false) -and -not ($_.Trustee -like "NT AUTHORITY\SELF")}
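
For a periodic access review, the same two filters can be run across every shared mailbox in the tenant. This is an added example, not code from the original article: Get-SharedMailboxAccessReport and the CSV file name are hypothetical, and it assumes a connected Exchange Online session.

```powershell
# Added example: hypothetical helper, not part of the original article.
function Get-SharedMailboxAccessReport {
    [CmdletBinding()]
    param()

    # Enumerate every shared mailbox in the tenant.
    $mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

    foreach ($mbx in $mailboxes) {
        $id = "$($mbx.PrimarySmtpAddress)"

        # Mailbox-level rights (FullAccess and others), same filter as the article.
        Get-MailboxPermission -Identity $id |
            Where-Object { ($_.IsInherited -eq $false) -and -not ($_.User -like 'NT AUTHORITY\SELF') } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox   = $id
                    Principal = "$($_.User)"
                    Rights    = ($_.AccessRights -join ',')
                    Source    = 'MailboxPermission'
                }
            }

        # SendAs rights, same filter as the article.
        Get-RecipientPermission -Identity $id |
            Where-Object { ($_.IsInherited -eq $false) -and -not ($_.Trustee -like 'NT AUTHORITY\SELF') } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox   = $id
                    Principal = "$($_.Trustee)"
                    Rights    = ($_.AccessRights -join ',')
                    Source    = 'RecipientPermission'
                }
            }
    }
}

$report = Get-SharedMailboxAccessReport

# Principals holding the most explicit grants come first: start the review with these.
$report | Group-Object Principal | Sort-Object Count -Descending | Select-Object Count, Name

# Keep a dated copy so the next review can be compared against this one.
$report | Export-Csv -Path .\shared-mailbox-access.csv -NoTypeInformation
```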

Other shared mailbox tricks

There are a few other useful tricks with shared mailboxes. The first is hiding the mailbox from the global address list (GAL) so other users in the organization can’t see it:

Set-Mailbox -Identity $shared_mailbox_primarysmtp -HiddenFromAddressListsEnabled:$true

If you want to hide the calendar of the shared mailbox, you can remove the default permissions using this command:

Set-MailboxFolderPermission -Identity "testbox@atlts.org:\calendar" -User Default -AccessRights None

Finishing up

Once you’re done, you’ll need to run one last PowerShell command to disconnect from your session:

Remove-PSSession $Session

Your session will eventually time out if you leave it idle. However, it’s always a best practice to disconnect when you’re done.

11 Comments
  1. Marcus 7 years ago

    Hello.

    How do I manage shared pool by security group in my AD?

  2. anand 6 years ago

    How do I make sure that when email is sent from the shared mailbox, it shows the email in the Sent Items of the shared folder and not in the person’s sent folder?

    Any PowerShell script to enable?

  3. Bill 6 years ago

    How do we get user mailboxes to also be sent copies of any email sent to shared folder address?

  4. Bill 6 years ago

    UGH, to change sent behavior is now different!  Why does MS always have to fix what isn’t broken (and leave what is broken the same or worse?!)?

    https://social.technet.microsoft.com/Forums/lync/en-US/d1106ae3-1684-43c1-a831-4b7ef2e0c347/where-is-setmailboxsentitemsconfiguration-getmailboxsentitemsconfiguration?forum=exchangesvradmin

  5. MS 6 years ago

    Is there a way to set Read-Only permissions to Shared Mailbox?  Specifically the calendar?  We want to be able to restrict some users from being able to modify entries in Shared Mailbox Calendar.  Is this possible?

    Thanks.

    MS

  6. Sud 5 years ago

    Is there a way to enable the “Share calendar” option for a shared mailbox via a PowerShell command? The “Share Calendar” option is greyed out for shared mailboxes in Outlook. Please help.

  7. Thank you 4sysops for this resource and awesome theme for the site.

    Thank you Kyle Beckman for the helpful post.

    I find PS useful, for example to get output copied to a file. The first thing to do is:
    Start-Transcript
    Use this to get a list of inboxes by name from Exchange.

    Get-Mailbox | Where-Object {$_.LitigationHoldEnabled -match "true"} | Format-Table Name,LitigationHoldEnabled


© 4sysops 2006 - 2023
