Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All



Applies to: Exchange Online, Exchange Server 2016

This cmdlet is available in on-premises Exchange Server 2016 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Get-MailboxPermission cmdlet to retrieve permissions on a mailbox.

For information about the parameter sets in the Syntax section below, see Syntax.

Get-MailboxPermission [-User <SecurityPrincipalIdParameter>] <COMMON PARAMETERS>
Get-MailboxPermission [-Owner <SwitchParameter>] <COMMON PARAMETERS>
COMMON PARAMETERS: -Identity <MailboxIdParameter> [-Credential <PSCredential>] [-DomainController <Fqdn>] [-ReadFromDomainController <SwitchParameter>] [-ResultSize <Unlimited>]

This example returns permissions on the mailbox by its SMTP address john@contoso.com.

Get-MailboxPermission -Identity john@contoso.com | Format-List

This example returns permissions that the user Ayla has on John's mailbox.

Get-MailboxPermission -Identity john@contoso.com -User "Ayla"

This example returns the owner information for the resource mailbox Room222.

Get-MailboxPermission -Identity Room222 -Owner

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Permissions and delegation" entry in the Recipients Permissions topic.


Parameter Required Type Description




The Identity parameter identifies the mailbox. You can use one of the following values:

  • GUID

  • ADObjectID

  • Distinguished name (DN)

  • Domain\Account

  • User principal name (UPN)

  • LegacyExchangeDN

  • SmtpAddress

  • Alias




The Credential parameter specifies the user name and password to use to access Active Directory.

This parameter requires you to create a credentials object by using the Get-Credential cmdlet. For more information, see Get-Credential.




This parameter is available only in on-premises Exchange 2016.

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.




The Owner parameter returns the owner information for the mailbox identified in the Identity parameter.

This parameter can't be used with the User parameter.




The ReadFromDomainController parameter specifies that the user information is read from a domain controller in the user's domain.

If you set the recipient scope to include all recipients in the forest, and if you don't use this parameter, it's possible that the user information is read from a global catalog with outdated information.

If you use this parameter, multiple reads might be necessary to get the information.

By default, the recipient scope is set to the domain that hosts your servers that run Exchange.




The ResultSize parameter specifies the maximum number of recipient objects returned.




The User parameter specifies the UPN, domain\user, or the alias of the user.

This parameter can't be used with the Owner parameter.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft