Applies to: Exchange Online, Exchange Server 2016

Topic Last Modified: 2018-01-09

This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Get-MailboxPermission cmdlet to retrieve permissions on a mailbox.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Get-MailboxPermission [-User <SecurityPrincipalIdParameter>] <COMMON PARAMETERS>

Get-MailboxPermission [-Owner <SwitchParameter>] <COMMON PARAMETERS>

COMMON PARAMETERS: -Identity <MailboxIdParameter> [-Credential <PSCredential>] [-DomainController <Fqdn>] [-ReadFromDomainController <SwitchParameter>] [-ResultSize <Unlimited>]

This example returns permissions on the mailbox by its SMTP address

Get-MailboxPermission -Identity | Format-List

This example returns permissions that the user Ayla has on John's mailbox.

Get-MailboxPermission -Identity -User "Ayla"

This example returns the owner information for the resource mailbox Room222.

Get-MailboxPermission -Identity Room222 -Owner

The output of this cmdlet shows the following information:

  • Identity: The mailbox in question.

  • User: The security principal (user, security group, Exchange management role group, etc.) that has permission to the mailbox.

  • AccessRights: The permission that the security principal has on the mailbox. The available values are ChangeOwner (change the owner of the mailbox), ChangePermission (change the permissions on the mailbox), DeleteItem (delete the mailbox), ExternalAccount (indicates the account isn't in the same domain), FullAccess (open the mailbox, access its contents, but can't send mail), and ReadPermission (read the permissions on the mailbox). Whether the permissions are allowed or denied is indicated in the Deny column.

  • IsInherited: Whether the permission is inherited (True) or directly assigned to the mailbox (False). Permissions are inherited from the mailbox database and/or Active Directory. Typically, directly assigned permissions override inherited permissions.

  • Deny: Whether the permission is allowed (False) or denied (True). Typically, deny permissions override allow permissions.

By default, the following permissions are assigned to user mailboxes:

  • FullAccess and ReadPermission are directly assigned to NT AUTHORITY\SELF. This entry gives a user permission to their own mailbox.

  • FullAccess is denied to Administrator, Domain Admins, Enterprise Admins, and Organization Management. These inherited permissions prevent these users and group members from opening other users' mailboxes.

  • ChangeOwner, ChangePermission, DeleteItem, and ReadPermission are allowed for Administrator, Domain Admins, Enterprise Admins, and Organization Management. Note that these inherited permission entries also appear to allow FullAccess. However, these users and groups do not have FullAccess to the mailbox because the inherited Deny permission entries override the inherited Allow permission entries.

  • FullAccess is inherited by NT AUTHORITY\SYSTEM and ReadPermission is inherited by NT AUTHORITY\NETWORK.

  • FullAccess and ReadPermission are inherited by Exchange Servers, ChangeOwner, ChangePermission, DeleteItem, and ReadPermission are inherited by Exchange Trusted Subsystem, and ReadPermission is inherited by Managed Availability Servers.

By default, other security groups and role groups inherit permissions to mailboxes based on their location (on-premises Exchange or Office 365).

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Permissions and delegation" entry in the Recipients Permissions topic.


Parameter Required Type Description




The Identity parameter identifies the mailbox. You can use one of the following values:

  • GUID

  • ADObjectID

  • Distinguished name (DN)

  • Domain\Account

  • User principal name (UPN)

  • LegacyExchangeDN

  • SmtpAddress

  • Alias




The Credential parameter specifies the user name and password to use to access Active Directory.

This parameter requires you to create a credentials object by using the Get-Credential cmdlet. For more information, see Get-Credential.




This parameter is available only in on-premises Exchange.

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example,




The Owner parameter returns the owner information for the mailbox identified in the Identity parameter.

This parameter can't be used with the User parameter.




The ReadFromDomainController parameter specifies that the user information is read from a domain controller in the user's domain.

If you set the recipient scope to include all recipients in the forest, and if you don't use this parameter, it's possible that the user information is read from a global catalog with outdated information.

If you use this parameter, multiple reads might be necessary to get the information.

By default, the recipient scope is set to the domain that hosts your servers that run Exchange.




The ResultSize parameter specifies the maximum number of recipient objects returned.




The User parameter specifies the UPN, domain\user, or the alias of the user.

This parameter can't be used with the Owner parameter.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.