Applies to: Exchange Online, Exchange Server 2016

Topic Last Modified: 2016-07-22

This cmdlet is available in on-premises Exchange Server 2016 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Add-MailboxPermission cmdlet to add permissions to a mailbox.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Add-MailboxPermission -AccessRights <MailboxRights[]> -Identity <MailboxIdParameter> -User <SecurityPrincipalIdParameter> [-AutoMapping <$true | $false>] [-Deny <SwitchParameter>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] <COMMON PARAMETERS>

Add-MailboxPermission -Identity <MailboxIdParameter> -Owner <SecurityPrincipalIdParameter> <COMMON PARAMETERS>

Add-MailboxPermission -Instance <MailboxAcePresentationObject> [-AccessRights <MailboxRights[]>] [-AutoMapping <$true | $false>] [-Deny <SwitchParameter>] [-Identity <MailboxIdParameter>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-User <SecurityPrincipalIdParameter>] <COMMON PARAMETERS>

Add-MailboxPermission -Identity <MailboxIdParameter> <COMMON PARAMETERS>


COMMON PARAMETERS: [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-IgnoreDefaultScope <SwitchParameter>] [-WhatIf [<SwitchParameter>]]

This example grants Kevin Kelly full access to Terry Adams's mailbox.

The Identity parameter requires the full name of the user to be enclosed in quotation marks (").

Add-MailboxPermission -Identity "Terry Adams" -User KevinKelly -AccessRights FullAccess -InheritanceType All

This example sets Tony Smith as the owner of the resource mailbox Room 222.

Add-MailboxPermission -Identity "Room 222" -Owner "Tony Smith"

This example grants the user Mark Steele Full Access permission to Jeroen Cool's mailbox and disables the auto-mapping feature.

Add-MailboxPermission -Identity JeroenC -User 'Mark Steele' -AccessRights FullAccess -InheritanceType All -AutoMapping $false

This example assigns full access permissions to all user mailboxes in an Exchange Online or Office 365 environment.

  1. Connect to Exchange Online by using remote PowerShell. For info about how to do this, go to the following Microsoft website: Connect to Exchange Online PowerShell.

  2. Enter a command using the following syntax to assign full access permissions to all user mailboxes:

    Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User <user, role group or security group> -AccessRights fullaccess -InheritanceType all

    For example, to assign full access permissions to all user mailboxes for the administrator account, run the following command.

    Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User <administrator account> -AccessRights fullaccess -InheritanceType all
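
Because a bulk Full Access grant touches every user mailbox, it is worth previewing with the WhatIf switch and reviewing the resulting permissions afterwards. The following is an added example, not part of the original topic: it assumes a session that is already connected to Exchange, and `MailboxAuditors` is a hypothetical security group name. `Get-MailboxPermission` is the companion cmdlet that reads the permissions this cmdlet writes.

```powershell
# Added example. Assumes a connected Exchange PowerShell session.
# 'MailboxAuditors' is a hypothetical security group; granting to a group keeps
# the delegation reviewable in one place instead of per-user entries.
$Delegate = 'MailboxAuditors'

# Same scope as the command above: user mailboxes only, excluding the Admin alias.
$targets = Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')}

# 1. Dry run: -WhatIf reports what would change on each mailbox without writing anything.
$targets | Add-MailboxPermission -User $Delegate -AccessRights FullAccess -InheritanceType All -AutoMapping $false -WhatIf

# 2. Apply. -Confirm adds a prompt so the change has to be acknowledged;
#    -AutoMapping $false keeps Outlook from loading every mailbox for the delegate.
$targets | Add-MailboxPermission -User $Delegate -AccessRights FullAccess -InheritanceType All -AutoMapping $false -Confirm

# 3. Review: list every explicit (non-inherited, non-deny) FullAccess entry on the
#    same mailboxes, so unexpected delegates stand out next to the intended one.
$report = foreach ($mbx in $targets) {
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.AccessRights -like '*FullAccess*' -and
            $_.IsInherited -eq $false -and
            $_.Deny -eq $false -and
            $_.User -notlike 'NT AUTHORITY\*'   # skip the mailbox owner's own SELF entry
        } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.PrimarySmtpAddress } },
                      User, AccessRights
}

# Entries whose User is not the intended delegate deserve a closer look.
$report | Sort-Object Mailbox, User | Format-Table -AutoSize
$report | Where-Object { $_.User -notlike "*$Delegate*" } | Format-Table -AutoSize
```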

Running this cmdlet updates the Active Directory object specified by the Identity parameter.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Permissions and delegation" entry in the Recipients Permissions topic.


Parameter Required Type Description




The AccessRights parameter specifies the rights needed to perform the operation. Valid values include:

  • FullAccess

  • ExternalAccount

  • DeleteItem

  • ReadPermission

  • ChangePermission

  • ChangeOwner




The Identity parameter specifies the identity of the mailbox that's getting permissions added.

This parameter accepts the following values:

  • Alias

    Example: JPhillips

  • Canonical DN

    Example: Atlanta.Corp.Contoso.Com/Users/JPhillips

  • Display Name

    Example: Jeff Phillips

  • Distinguished Name (DN)

    Example: CN=JPhillips,CN=Users,DC=Atlanta,DC=Corp,DC=contoso,DC=com

  • Domain\Account

    Example: Atlanta\JPhillips

  • GUID

    Example: fb456636-fe7d-4d58-9d15-5af57d0354c2

  • Immutable ID


  • Legacy Exchange DN

    Example: /o=Contoso/ou=AdministrativeGroup/cn=Recipients/cn=JPhillips

  • SMTP Address


  • User Principal Name





The Instance parameter is no longer used and will be deprecated.




The Owner parameter specifies the owner of the mailbox object.




The User parameter specifies the user mailbox that the permissions are being granted to on the other mailbox.




The AutoMapping parameter specifies whether to ignore the auto-mapping feature in Microsoft Outlook. If a user is granted Full Access permissions to another user's mailbox or to a shared mailbox, Outlook, through Autodiscover, automatically loads all mailboxes to which the user has full access. This parameter accepts $true or $false values.




The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on whether the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.

  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you to acknowledge the command before proceeding.




The Deny switch specifies whether to deny permissions to the user on the mailbox.




This parameter is available only in on-premises Exchange 2016.

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example,




The IgnoreDefaultScope switch tells the command to ignore the default recipient scope setting for the Exchange Management Shell session, and to use the entire forest as the scope. This allows the command to access Active Directory objects that aren't currently available in the default scope.

Using the IgnoreDefaultScope switch introduces the following restrictions:

  • You can't use the DomainController parameter. The command uses an appropriate global catalog server automatically.

  • You can only use the DN for the Identity parameter. Other forms of identification, such as alias or GUID, aren't accepted.




The InheritanceType parameter specifies whether permissions are inherited by folders within the mailbox.




The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.