{
	"id": "c616551d-e0a7-4426-8cf3-02f8339bd096",
	"created_at": "2026-04-06T00:19:23.370713Z",
	"updated_at": "2026-04-10T03:20:01.970501Z",
	"deleted_at": null,
	"sha1_hash": "84cc690dd3e9a4f9600e5e9df9f62cf307ec3e30",
	"title": "Add-MailboxPermission (ExchangePowerShell)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97237,
	"plain_text": "Add-MailboxPermission (ExchangePowerShell)\r\nBy chrisda\r\nArchived: 2026-04-05 20:11:41 UTC\r\nIn this article\r\n1. Syntax\r\n2. Description\r\n3. Examples\r\n4. Parameters\r\n5. Inputs\r\n6. Outputs\r\nThis cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings\r\nmight be exclusive to one environment or the other.\r\nUse the Add-MailboxPermission cmdlet to add permissions to a mailbox or to an Exchange Server 2016,\r\nExchange Server 2019, or Exchange Online mail user.\r\nFor information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.\r\nSyntax\r\nAccessRights\r\nAdd-MailboxPermission\r\n [-Identity] \u003cMailboxIdParameter\u003e\r\n -AccessRights \u003cMailboxRights[]\u003e\r\n -User \u003cSecurityPrincipalIdParameter\u003e\r\n [-AutoMapping \u003cBoolean\u003e]\r\n [-Confirm]\r\n [-Deny]\r\n [-DomainController \u003cFqdn\u003e]\r\n [-GroupMailbox]\r\n [-IgnoreDefaultScope]\r\n [-InheritanceType \u003cActiveDirectorySecurityInheritance\u003e]\r\n [-WhatIf]\r\n [\u003cCommonParameters\u003e]\r\nOwner\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 1 of 15\n\nAdd-MailboxPermission\r\n [-Identity] \u003cMailboxIdParameter\u003e\r\n -Owner \u003cSecurityPrincipalIdParameter\u003e\r\n [-Confirm]\r\n [-DomainController \u003cFqdn\u003e]\r\n [-GroupMailbox]\r\n [-IgnoreDefaultScope]\r\n [-WhatIf]\r\n [\u003cCommonParameters\u003e]\r\nInstance\r\nAdd-MailboxPermission\r\n [[-Identity] \u003cMailboxIdParameter\u003e]\r\n -Instance \u003cMailboxAcePresentationObject\u003e\r\n [-AccessRights \u003cMailboxRights[]\u003e]\r\n [-User \u003cSecurityPrincipalIdParameter\u003e]\r\n [-AutoMapping \u003cBoolean\u003e]\r\n [-Confirm]\r\n [-Deny]\r\n [-DomainController \u003cFqdn\u003e]\r\n [-GroupMailbox]\r\n [-IgnoreDefaultScope]\r\n [-InheritanceType \u003cActiveDirectorySecurityInheritance\u003e]\r\n [-WhatIf]\r\n [\u003cCommonParameters\u003e]\r\nDescription\r\nNote\r\nYou can use this cmdlet to add a maximum of 500 permission entries (ACEs) to a mailbox. To grant permissions\r\nto more than 500 users, use security groups instead of individual users for the User parameter. Security groups\r\ncontain many members, but only count as one entry.\r\nYou need to be assigned permissions before you can run this cmdlet. Although this article lists all parameters for\r\nthe cmdlet, you might not have access to some parameters if they aren't included in the permissions assigned to\r\nyou. To find the permissions required to run any cmdlet or parameter in your organization, see Find the\r\npermissions required to run any Exchange cmdlet.\r\nExamples\r\nExample 1\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 2 of 15\n\nAdd-MailboxPermission -Identity \"Terry Adams\" -User \"Kevin Kelly\" -AccessRights FullAccess -InheritanceType All\r\nThis example assigns the user Kevin Kelly Full Access permission to Terry Adams's mailbox.\r\nExample 2\r\nAdd-MailboxPermission -Identity \"Room 222\" -Owner \"Tony Smith\"\r\nThis example sets the user Tony Smith as the owner of the resource mailbox named Room 222.\r\nExample 3\r\nAdd-MailboxPermission -Identity \"Jeroen Cool\" -User \"Mark Steele\" -AccessRights FullAccess -InheritanceType All\r\nThis example assigns the user Mark Steele Full Access permission to Jeroen Cool's mailbox, prevents Outlook\r\nfrom opening Jeroen Cool's mailbox when Mark Steele opens Outlook.\r\nExample 4\r\nGet-Mailbox -ResultSize unlimited -Filter \"(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')\"\r\nIn Exchange Online, this example assigns the administrator account admin@contoso.com Full Access permission\r\nto all user mailboxes in the contoso.com organization.\r\nParameters\r\n-AccessRights\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE, Exchange Online\r\nThe AccessRights parameter specifies the permission that you want to add for the user on the mailbox. Valid\r\nvalues are:\r\nChangeOwner\r\nChangePermission\r\nDeleteItem\r\nExternalAccount\r\nFullAccess\r\nReadPermission\r\nYou can specify multiple values separated by commas.\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 3 of 15\n\nYou can't use this parameter with the Owner parameter.\r\nParameter properties\r\nType: MailboxRights[]\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nAccessRights\r\nPosition: Named\r\nMandatory: True\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\nInstance\r\n-AutoMapping\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE, Exchange Online\r\nThe AutoMapping parameter includes or excludes the mailbox from the auto-mapping feature in Microsoft\r\nOutlook. Auto-mapping uses Autodiscover to automatically add mailboxes to a user's Outlook profile if the user\r\nhas Full Access permission to the mailbox. However, Autodiscover doesn't enumerate security groups that have\r\nFull Access permission to the mailbox. Valid values are:\r\n$true: The mailbox is automatically added to the user's Outlook profile if the user has Full Access\r\npermission. This value is the default.\r\n$false: The mailbox is not automatically added to the user's Outlook profile if the user has Full Access\r\npermission.\r\nNote: To disable auto-mapping for a mailbox where the user was already assigned Full Access permission, you\r\nneed to remove the user's Full Access permission by using the Remove-MailboxPermission cmdlet, and then\r\nreassign the user Full Access permission on the mailbox using the AutoMapping parameter with the value $false.\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 4 of 15\n\nParameter properties\r\nType: Boolean\r\nDefault value: $true\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nAccessRights\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\nInstance\r\n-Confirm\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE, Exchange Online\r\nThe Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the\r\ncmdlet depends on if the cmdlet requires confirmation before proceeding.\r\nDestructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge\r\nthe command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this\r\nexact syntax: -Confirm:$false .\r\nMost other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets,\r\nspecifying the Confirm switch without a value introduces a pause that forces you acknowledge the\r\ncommand before proceeding.\r\nParameter properties\r\nType: SwitchParameter\r\nDefault value: None\r\nSupports wildcards: False\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 5 of 15\n\nDontShow: False\r\nAliases: cf\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-Deny\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE, Exchange Online\r\nThe Deny switch specifies that the permissions you're adding are Deny permissions. You don't need to specify a\r\nvalue with this switch.\r\nParameter properties\r\nType: SwitchParameter\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nAccessRights\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 6 of 15\n\nInstance\r\n-DomainController\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE\r\nThis parameter is available only in on-premises Exchange.\r\nThe DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or\r\nwrite data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For\r\nexample, dc01.contoso.com.\r\nParameter properties\r\nType: Fqdn\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-GroupMailbox\r\nApplicable: Exchange Online\r\nThis parameter is available only in the cloud-based service.\r\nThe GroupMailbox switch is required to add permissions to a Microsoft 365 Group mailbox. You don't need to\r\nspecify a value with this switch.\r\nParameter properties\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 7 of 15\n\nType: SwitchParameter\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nAccessRights\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\nOwner\r\nInstance\r\n-Identity\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE, Exchange Online\r\nThe Identity parameter specifies the mailbox where you want to assign permissions to the user. You can use any\r\nvalue that uniquely identifies the mailbox. For example:\r\nName\r\nAlias\r\nDistinguished name (DN)\r\nCanonical DN\r\nDomain\\Username\r\nEmail address\r\nGUID\r\nLegacyExchangeDN\r\nSamAccountName\r\nUser ID or user principal name (UPN)\r\nParameter properties\r\nType: MailboxIdParameter\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 8 of 15\n\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nAccessRights\r\nPosition: 1\r\nMandatory: True\r\nValue from pipeline: True\r\nValue from pipeline by property name: True\r\nValue from remaining arguments: False\r\nOwner\r\nInstance\r\n-IgnoreDefaultScope\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE, Exchange Online\r\nThe IgnoreDefaultScope switch tells the command to ignore the default recipient scope setting for the Exchange\r\nPowerShell session, and to use the entire forest as the scope. You don't need to specify a value with this switch.\r\nThis switch enables the command to access Active Directory objects that aren't currently available in the default\r\nscope, but also introduces the following restrictions:\r\nYou can't use the DomainController parameter. The command uses an appropriate global catalog server\r\nautomatically.\r\nYou can only use the DN for the Identity parameter. Other forms of identification, such as alias or GUID,\r\naren't accepted.\r\nParameter properties\r\nType: SwitchParameter\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 9 of 15\n\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-InheritanceType\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE, Exchange Online\r\nThe InheritanceType parameter specifies how permissions are inherited by folders in the mailbox. Valid values\r\nare:\r\nNone\r\nAll (this is the default value)\r\nChildren\r\nDescendents [sic]\r\nSelfAndChildren\r\nParameter properties\r\nType: ActiveDirectorySecurityInheritance\r\nDefault value: All\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nAccessRights\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 10 of 15\n\nValue from remaining arguments: False\r\nInstance\r\n-Instance\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE\r\nThis parameter is available only in on-premises Exchange.\r\nThis parameter is deprecated and no longer used.\r\nParameter properties\r\nType: MailboxAcePresentationObject\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nInstance\r\nPosition: Named\r\nMandatory: True\r\nValue from pipeline: True\r\nValue from pipeline by property name: True\r\nValue from remaining arguments: False\r\n-Owner\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE, Exchange Online\r\nThe Owner parameter specifies the owner of the mailbox object. You can specify the following types of users or\r\ngroups (security principals) for this parameter:\r\nMailbox users\r\nMail users\r\nSecurity groups\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 11 of 15\n\nYou can use any value that uniquely identifies the user or group. For example:\r\nName\r\nAlias\r\nDistinguished name (DN)\r\nCanonical DN\r\nDomain\\Username\r\nEmail address\r\nGUID\r\nLegacyExchangeDN\r\nSamAccountName\r\nUser ID or user principal name (UPN)\r\nThe default mailbox owner is NT AUTHORITY\\SELF.\r\nYou can't use this parameter with the AccessRights or User parameters.\r\nParameter properties\r\nType: SecurityPrincipalIdParameter\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nOwner\r\nPosition: Named\r\nMandatory: True\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-User\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE, Exchange Online\r\nThe User parameter specifies who gets the permissions on the mailbox. You can specify the following types of\r\nusers or groups (security principals) for this parameter:\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 12 of 15\n\nMailbox users\r\nMail users\r\nMail-enabled security groups (non-mail-enabled security groups are selectable, but they don't work)\r\nNote: When a mail-enabled security group is used to specify Full Access permissions, the auto-mapping feature\r\ndoesn't automatically add the mailbox in Outlook for the group member. For more information, see Mailboxes to\r\nwhich your account has full access aren't automapped to Outlook profile.\r\nFor the best results, we recommend using the following values:\r\nUPN: For example, user@contoso.com (users only).\r\nDomain\\SamAccountName: For example, contoso\\user .\r\nOtherwise, you can use any value that uniquely identifies the user or group. For example:\r\nName\r\nAlias\r\nDistinguished name (DN)\r\nCanonical DN\r\nDomain\\Username\r\nEmail address\r\nGUID\r\nLegacyExchangeDN\r\nSamAccountName\r\nUser ID or user principal name (UPN)\r\nYou can't use this parameter with the Owner parameter.\r\nParameter properties\r\nType: SecurityPrincipalIdParameter\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nAccessRights\r\nPosition: Named\r\nMandatory: True\r\nValue from pipeline: False\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 13 of 15\n\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\nInstance\r\n-WhatIf\r\nApplicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server\r\n2019, Exchange Server SE, Exchange Online\r\nThe WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would\r\noccur without actually applying those changes. You don't need to specify a value with this switch.\r\nParameter properties\r\nType: SwitchParameter\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nAliases: wi\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\nCommonParameters\r\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -\r\nInformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction,\r\nand -WarningVariable. For more information, see about_CommonParameters.\r\nInputs\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 14 of 15\n\nInput types\r\nTo see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a\r\ncmdlet is blank, the cmdlet doesn't accept input data.\r\nOutputs\r\nOutput types\r\nTo see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and\r\nOutput Types. If the Output Type field is blank, the cmdlet doesn't return data.\r\nSource: https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nhttps://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps"
	],
	"report_names": [
		"add-mailboxpermission?view=exchange-ps"
	],
	"threat_actors": [],
	"ts_created_at": 1775434763,
	"ts_updated_at": 1775791201,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84cc690dd3e9a4f9600e5e9df9f62cf307ec3e30.pdf",
		"text": "https://archive.orkl.eu/84cc690dd3e9a4f9600e5e9df9f62cf307ec3e30.txt",
		"img": "https://archive.orkl.eu/84cc690dd3e9a4f9600e5e9df9f62cf307ec3e30.jpg"
	}
}