Was this page helpful?
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All



Applies to: Exchange Online, Exchange Server 2016

This cmdlet is available in on-premises Exchange Server 2016 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Set-MailboxFolderPermission cmdlet to modify folder-level permissions for users in mailboxes. The cmdlet differs from the Add-MailboxFolderPermission cmdlet in that it modifies existing permission entries.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Set-MailboxFolderPermission -Identity <MailboxFolderIdParameter> -AccessRights <MailboxFolderAccessRight[]> -User <MailboxFolderUserIdParameter> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-WhatIf [<SwitchParameter>]]

This example overwrites Ed's existing permissions for the Marketing folder in Ayla's mailbox. Ed is now granted the Owner role on the folder.

Set-MailboxFolderPermission -Identity ayla@contoso.com:\Marketing -User ed@contoso.com -AccessRights Owner

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Mailbox folders" entry in the Recipients Permissions topic.


Parameter Required Type Description




The AccessRights parameter specifies the permissions that you want to modify for the user on the mailbox folder. The values that you specify replace the existing permissions for the user on the folder.

You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.

The following individual permissions are available:

  • CreateItems   The user can create items in the specified folder.

  • CreateSubfolders   The user can create subfolders in the specified folder.

  • DeleteAllItems   The user can delete all items in the specified folder.

  • DeleteOwnedItems   The user can only delete items that they created from the specified folder.

  • EditAllItems   The user can edit all items in the specified folder.

  • EditOwnedItems   The user can only edit items that they created in the specified folder.

  • FolderContact   The user is the contact for the specified public folder.

  • FolderOwner   The user is the owner of the specified folder. The user can view the folder, move the move the folder, and create subfolders. The user can't read items, edit items, delete items, or create items.

  • FolderVisible   The user can view the specified folder, but can't read or edit items within the specified public folder.

  • ReadItems   The user can read items within the specified folder.

The roles that are available, along with the permissions that they assign, are described in the following list:

  • Author   CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems

  • Contributor   CreateItems, FolderVisible

  • Editor   CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems

  • None   FolderVisible

  • NonEditingAuthor   CreateItems, FolderVisible, ReadItems

  • Owner   CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems

  • PublishingEditor   CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems

  • PublishingAuthor   CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems

  • Reviewer   FolderVisible, ReadItems

The following roles apply specifically to calendar folders:

  • AvailabilityOnly   View only availability data

  • LimitedDetails   View availability data with subject and location




The Identity parameter specifies the target mailbox and folder. The syntax is <Mailbox>:\<Folder>. For the value of <Mailbox>, you can use any value that uniquely identifies the mailbox.

For example:

  • Name

  • Display name

  • Alias

  • Distinguished name (DN)

  • Canonical DN

  • <domain name>\<account name>

  • Email address

  • GUID

  • LegacyExchangeDN

  • SamAccountName

  • User ID or user principal name (UPN)

Example values for the Identity parameter are john@contoso.com:\Calendar or John:\Marketing\Reports.




The User parameter specifies the mailbox, mail user, or mail-enabled security group (security principal) that's granted permission to the mailbox folder. You can use any value that uniquely identifies the user or group.

For example:

  • Name

  • Display name

  • Alias

  • Distinguished name (DN)

  • Canonical DN

  • Email address

  • GUID




The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.

  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.




This parameter is available only in on-premises Exchange 2016.

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.




The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft