Applies to: Exchange Online
Topic Last Modified: 2013-02-01
You can use the EAC or the Shell to assign permissions to users or groups (called delegates) that allow them to open or send messages from other mailboxes. Permissions can be assigned to user mailboxes, linked mailboxes, resource mailboxes, and shared mailboxes. You can also assign permissions to distribution groups, dynamic distribution groups, and mail-enabled security groups to allow delegates to send messages on behalf of the group. You can assign delegates the following permissions to access mailboxes or send messages on behalf of mailboxes or groups:
- Full Access: This permission allows a delegate to open a user’s mailbox and access the contents of the mailbox. However, assigning the Full Access permission doesn't allow the delegate to send mail from the mailbox. You have to assign the delegate the Send As or the Send on Behalf permission to send mail.
  The Full Access permission isn't available when configuring permissions for groups.
  Note: If you assign the Full Access permission to access a mailbox that is hidden from address lists, the delegate won't be able to open the mailbox.
- Send As: This permission allows delegates to use the mailbox to send messages. After this permission is assigned to a delegate, any message that the delegate sends from the mailbox will appear to have been sent by the mailbox owner. However, this permission doesn’t allow a delegate to sign in to the user’s mailbox. It only allows users to open the mailbox. If this permission is assigned to a group, a message sent by the delegate will appear to have been sent by the group.
- Send on Behalf: This permission also allows a delegate to use the mailbox to send messages. After this permission is assigned to a delegate, the From address in any message sent by the delegate indicates that the message was sent by the delegate on behalf of the mailbox owner.
  The Send on Behalf permission isn't available when configuring permissions for shared mailboxes.
What do you need to know before you begin?
- Estimated time to complete each procedure: 2 minutes.
- Procedures in this topic require specific permissions. See each procedure for its permissions information.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.
Tip: Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
What do you want to do?
Assign permissions to a mailbox
As previously stated, you can assign delegates permissions to user mailboxes, linked mailboxes, resource mailboxes, and shared mailboxes. You can also use the Shell to assign delegates permissions to access a discovery mailbox.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Permissions and delegation" entry in the "Recipient Provisioning Permissions" section in the Recipients Permissions topic.
Use the EAC to assign permissions
The following procedure shows how to assign permissions to a user mailbox. You follow a similar procedure to assign permissions to resource or shared mailboxes by navigating to the Resources or Shared page in the EAC and selecting the mailbox to assign the permissions to.
- In the EAC, navigate to Recipients > Mailboxes.
- In the list of mailboxes, click the mailbox that you want to assign permissions for, and then click Edit.
- On the mailbox properties page, click Mailbox Delegation.
- To assign permissions to delegates, click Add under the appropriate permission to display a page that lists all recipients in your Exchange organization that can be assigned the permission. Select the recipients you want, add them to the list, and then click OK. You can also search for a specific recipient by typing the recipient’s name in the search box and then clicking Search.
  To remove a permission for a recipient, under the appropriate permission, select the recipient and then click Remove.
- Click Save to save your changes.
Use the Shell to assign permissions
The following sections show how to use the Shell to manage Full Access, Send As, and Send on Behalf permissions for mailboxes.
Manage the Full Access permission
The following examples show how to use the Add-MailboxPermission and Remove-MailboxPermission cmdlets to manage Full Access permissions.
This example assigns the delegate Raymond Sam the Full Access permission to the mailbox of Terry Adams.
Add-MailboxPermission -Identity "Terry Adams" -User raymonds -AccessRights FullAccess -InheritanceType all
This example assigns Esther Valle the Full Access permission to the organization's default discovery search mailbox.
Add-MailboxPermission -Identity "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -User estherv -AccessRights FullAccess -InheritanceType all
This example assigns members of the Helpdesk distribution group the Full Access permission to the Helpdesk Tickets shared mailbox.
Add-MailboxPermission "HelpdeskTickets" -User helpdesk -AccessRights FullAccess -InheritanceType all
This example removes Jim Hance’s Full Access permission to Ayla Kol's mailbox.
Remove-MailboxPermission -Identity ayla -User "Jim Hance" -AccessRights FullAccess -InheritanceType all
For detailed syntax and parameter information, see the following topics:
Manage the Send As permission
The following examples show how to manage Send As permissions in Exchange Server 2013 and in Exchange Online. In Exchange 2013, you have to use the Add-ADPermission and Remove-ADPermission cmdlets; in Exchange Online, you have to use the Add-RecipientPermission and Remove-RecipientPermission cmdlets. In both cases, you use the Identity parameter to specify the name of the mailbox on which the Send As permission should be added or removed and the User or Trustee parameter to specify the delegate (for example, a user or group) that will be assigned or unassigned the Send As permission.
Tip: Use the Get-Recipient cmdlet to retrieve the Name property for the mailbox and the delegate. Use these values to assign the Send As permission.
Exchange Server 2013
This example assigns the Send As permission to the Helpdesk group on the shared mailbox Helpdesk Support Team.
Add-ADPermission -Identity helpdesksupport -User helpdeskgroup -ExtendedRights "Send As"
This example removes the Send As permission for the user Pilar Pinilla on the mailbox of James Alvord.
Remove-ADPermission -Identity "James Alvord" -User pilarp -ExtendedRights "Send As"
For detailed syntax and parameter information, see:
Exchange Online
This example assigns the Send As permission to the Printer Support group on the shared mailbox named Contoso Printer Support.
Add-RecipientPermission -Identity "Contoso Printer Support" -Trustee "Printer Support" -AccessRights SendAs
This example removes the Send As permission for the user Karen Toh on the mailbox for Yan Li.
Remove-RecipientPermission -Identity "Yan Li" -Trustee "Karen Toh" -AccessRights SendAs
For detailed syntax and parameter information, see:
- Add-RecipientPermission
- Remove-RecipientPermission
Manage the Send on Behalf permission
The following examples show how to use the Set-Mailbox cmdlet to manage Send on Behalf permissions.
This example assigns the delegate Holly Holt the Send on Behalf permission to the mailbox of Sean Chai.
Set-Mailbox -Identity seanc@contoso.com -GrantSendOnBehalfTo hollyh
This example removes the Send on Behalf permission on the Contoso Executives shared mailbox that was assigned to the Temporary Executive Assistants group.
Set-Mailbox "Contoso Executives" -GrantSendOnBehalfTo @{remove="tempassistants@contoso.com"}
For detailed syntax and parameter information, see Set-Mailbox.
How do you know this worked?
To verify that you've successfully assigned permissions to a mailbox or a shared mailbox, do one of the following:
- In the EAC:
  - Navigate to Recipients > Mailbox or Shared, click the mailbox, and then click Edit.
  - On the mailbox properties page, click Mailbox Delegation.
  - If you assigned permissions to a recipient, verify that the user or group is listed under the appropriate permission. If you removed permissions, verify that the recipient isn't listed under the appropriate permission.

Or

- In the Shell, run one of the following commands, depending on the permission you managed.
  - Full Access
    Get-MailboxPermission -Identity <mailbox>
    Get-MailboxPermission -Identity <mailbox> -User <delegate>
  - Send As
    In Exchange Server 2013, run the following command.
    Get-ADPermission -Identity <name of mailbox> -User <delegate>
    In Exchange Online, run the following command.
    Get-RecipientPermission -Identity <mailbox> -Trustee <delegate>
  - Send on Behalf
    Get-Mailbox -Identity <mailbox> | FL GrantSendOnBehalfTo
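The verification commands above check one mailbox and one delegate at a time. The following added example, which is not part of the original topic, goes further and sweeps every mailbox in Exchange Online, collecting the explicit Full Access, Send As, and Send on Behalf delegations into one report for periodic access review. It assumes an Exchange Online PowerShell session is already connected; `$reportPath` and the `New-DelegationRow` helper are names chosen for this example.

```powershell
# Added example (not from the original topic): list every explicit delegation
# on every mailbox. Assumes a connected Exchange Online PowerShell session.
$reportPath = '.\MailboxDelegations.csv'   # placeholder output path
$self       = 'NT AUTHORITY\SELF'          # the mailbox's own built-in entry

# Hypothetical helper: builds one report row per mailbox/permission/delegate.
function New-DelegationRow($Mailbox, $Permission, $Delegate) {
    [pscustomobject]@{
        Mailbox     = $Mailbox.PrimarySmtpAddress
        MailboxType = $Mailbox.RecipientTypeDetails
        Permission  = $Permission
        Delegate    = "$Delegate"
    }
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $id = "$($mbx.PrimarySmtpAddress)"

    # Full Access: keep explicit Allow entries, drop inherited ones and SELF.
    Get-MailboxPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       "$($_.User)" -ne $self -and
                       $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object { New-DelegationRow $mbx 'Full Access' $_.User }

    # Send As: same filter, using the Trustee and AccessControlType properties.
    Get-RecipientPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and
                       $_.AccessControlType -eq 'Allow' -and
                       "$($_.Trustee)" -ne $self -and
                       $_.AccessRights -contains 'SendAs' } |
        ForEach-Object { New-DelegationRow $mbx 'Send As' $_.Trustee }

    # Send on Behalf: stored on the mailbox itself as a multivalued property.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        New-DelegationRow $mbx 'Send on Behalf' $delegate
    }
}

# Review the CSV for delegates that no longer need access, then remove them
# with the Remove-* and Set-Mailbox commands shown earlier in this topic.
$report | Sort-Object Mailbox, Permission |
    Export-Csv -Path $reportPath -NoTypeInformation
```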
Assign permissions to a group
As previously stated, you can assign the Send As and Send on Behalf permissions to distribution groups, dynamic distribution groups, and mail-enabled security groups to allow delegates to send messages as the group or on behalf of the group.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Distribution groups" and "Dynamic distribution groups" entries in the "Recipient Provisioning Permissions" section in the Recipients Permissions topic.
Use the EAC to assign permissions
- In the EAC, navigate to Recipients > Groups.
- In the list of groups, click the group that you want to assign permissions for, and then click Edit.
- On the group properties page, click Group Delegation.
- To assign permissions to delegates, click Add under the appropriate permission to display a page that displays a list of all recipients in your Exchange organization that can be assigned the permission. Select the recipients you want, add them to the list, and then click OK. You can also search for a specific recipient by typing the recipient’s name in the search box and then clicking Search.
  To remove permission for a recipient, under the appropriate permission, select the recipient and then click Remove.
- Click Save to save your changes.
Use the Shell to assign permissions
The following sections show how to use the Shell to manage Send As and Send on Behalf permissions for groups.
Manage the Send As permission
The following examples show how to manage Send As permissions for groups in Exchange Server 2013 and in Exchange Online. In Exchange 2013, you have to use the Add-ADPermission and Remove-ADPermission cmdlets. In Exchange Online, you have to use the Add-RecipientPermission and Remove-RecipientPermission cmdlets. In both cases, you use the Identity parameter to specify the name of the group on which the Send As permission should be added or removed and the User or Trustee parameter to specify the delegate (for example, a user or group) that will be assigned or unassigned the Send As permission.
Tip: Use the Get-Recipient cmdlet to retrieve the Name property for the group and the delegate. Use these values to assign the Send As permission.
Exchange Server 2013
This example assigns the Send As permission to the Sales Admins group for the group named Contoso Sales Info. This allows members of the sales admin group to send messages as the Contoso Sales Information group.
Add-ADPermission -Identity "Contoso Sales Info" -User "Sales Admins" -ExtendedRights "Send As"
This example removes the Send As permission for the user Alan Shen on the group Corporate IT Admins.
Remove-ADPermission -Identity "Corporate IT Admins" -User contoso\alans -ExtendedRights "Send As"
For detailed syntax and parameter information, see:
Exchange Online
This example assigns the Send As permission to the Contoso Admins group on the dynamic distribution group named Emergency Broadcast Messages.
Add-RecipientPermission -Identity emergencybroadcast@contoso.com -Trustee "Contoso Admins" -AccessRights SendAs
This example removes the Send As permission for the user Walter Harp on the Printer Resources security group.
Remove-RecipientPermission -Identity "Printer Resources" -Trustee walterh@contoso.com -AccessRights SendAs
For detailed syntax and parameter information, see:
- Add-RecipientPermission
- Remove-RecipientPermission
Manage the Send on Behalf permission
The following examples show how to use the Set-DistributionGroup and Set-DynamicDistributionGroup cmdlets to manage Send on Behalf permissions for groups.
This example assigns the delegate Sara Davis the Send on Behalf permission to the Printer Support distribution group.
Set-DistributionGroup -Identity printersupport@contoso.com -GrantSendOnBehalfTo sarad
This example assigns the delegate Administrator the Send on Behalf permission to the All Employees dynamic distribution group.
Set-DynamicDistributionGroup -Identity "All Employees" -GrantSendOnBehalfTo administrator
This example removes the Send on Behalf permission on the All Employees dynamic distribution group that was assigned to the administrator.
Set-DynamicDistributionGroup "All Employees" -GrantSendOnBehalfTo @{remove="administrator"}
For detailed syntax and parameter information, see:
How do you know this worked?
To verify that you've successfully assigned permissions to a group, do one of the following:
- In the EAC:
  - Navigate to Recipients > Groups, click the group, and then click Edit.
  - On the group properties page, click Group Delegation.
  - If you assigned permissions to a recipient, verify that the user or group is listed under the appropriate permission. If you removed permissions, verify that the recipient isn't listed under the appropriate permission.

Or

- In the Shell, run one of the following commands depending on the permission you managed.
  - Send As
    In Exchange Server 2013, run the following command.
    Get-ADPermission -Identity <name of group> -User <delegate>
    In Exchange Online, run the following command.
    Get-RecipientPermission -Identity <group> -Trustee <delegate>
  - Send on Behalf
    Get-DistributionGroup -Identity <group> | FL GrantSendOnBehalfTo
    Get-DynamicDistributionGroup -Identity <group> | FL GrantSendOnBehalfTo