Office 365: Let users assign permissions for shared mailboxes

Sometimes it’s simply more time-efficient to give the user some extra control. Assigning the proper rights to shared mailboxes can be very time-consuming. There is always somebody who needs access and somebody who doesn’t need it any more, so the service desk can get a lot of requests. These requests have to be approved by somebody, and then the request has to be executed. It might be a lot simpler to assign an owner to the mailbox who can handle the requests themselves and assign the proper rights.

In Active Directory you could assign a manager to a security group, who could then edit the group membership. In Office 365 this is a little bit harder to do, but it is possible. In this blog post I will explain how this can be accomplished.

We will need to connect to Office 365 by using PowerShell. You can use the following commands to connect.

[cc lang="powershell" tab_size="2"]$UserCredential = Get-Credential
# The backtick continues the New-PSSession command on the next line
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
  -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session [/cc]

Creating a shared mailbox

For demonstration purposes I will create a shared mailbox.

[cc lang="powershell" tab_size="2"]New-Mailbox -Shared -Name "" -Alias "Example" -DisplayName "Example Mailbox"[/cc]

Setting up security groups

The first thing you want to do is create a mail-enabled security group. You can create a group for Full Access, Send As or Send on Behalf rights. The groups are all created in the same way. In this example we create a group for Full Access, but I also created a group for Send As and Send on Behalf rights.

[cc lang="powershell" tab_size="2"]New-DistributionGroup -Type "security" -Name "example-fa" -PrimarySmtpAddress "" -Members User1, User2, User3 -ManagedBy Manager1[/cc]

Assigning security groups

You can only assign the permissions to a shared mailbox by using PowerShell.

Full Access

[cc lang="powershell" tab_size="2"]Add-MailboxPermission -Identity -User example-fa -AccessRights FullAccess -InheritanceType All[/cc]

Send As

[cc lang="powershell" tab_size="2"]Add-RecipientPermission -Identity -AccessRights SendAs -Trustee example-sa -Confirm:$false[/cc]

Send on Behalf

[cc lang="powershell" tab_size="2"]Set-Mailbox -Identity -GrantSendOnBehalfTo example-sb[/cc]

Manage groups

OK, so now we have assigned security groups to the mailboxes, but how can users actually add users to these mailboxes?

When creating the security groups I assigned managed by rights to Manager1. This is actually an account in my test tenant. So I logged in to There you select the settings icon, and choose Mail.

In the settings you need to select General. Here you will find Distribution Groups. It will give an overview of the distribution groups of which the user is “owner”.

Here the user can edit the group memberships by adding or removing users.

Please note that it is not possible to hide the group from the address book since the distribution group will show up in the overview of the user.
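
Once owners can change group membership themselves, access to the mailbox changes without a service desk ticket, so a periodic review of what the groups grant is worth scripting. The following is an added example, not part of the original post: it assumes the Exchange Online session from the start of this post, the group names example-fa, example-sa and example-sb used above, and a placeholder for the shared mailbox identity.

```powershell
# Added example (not from the original post): review access delegated through
# the owner-managed groups. Assumes the Exchange Online session imported above.
$Mailbox = '<shared-mailbox-identity>'                  # placeholder: set to your shared mailbox
$Groups  = 'example-fa', 'example-sa', 'example-sb'     # group names used in this post

# 1. Who is in each group, and who is allowed to change its membership?
$members = foreach ($name in $Groups) {
    $group  = Get-DistributionGroup -Identity $name
    $owners = ($group.ManagedBy | ForEach-Object { "$_" }) -join '; '
    foreach ($m in Get-DistributionGroupMember -Identity $name -ResultSize Unlimited) {
        [pscustomobject]@{
            Group  = $group.Name
            Owners = $owners
            Member = $m.PrimarySmtpAddress
            Type   = $m.RecipientType
            # A group inside the group widens access beyond the names the owner sees listed.
            Nested = $m.RecipientType -like '*Group*'
        }
    }
}
$members | Sort-Object Group, Member | Format-Table -AutoSize

# 2. Which rights on the mailbox were granted to something other than the groups?
#    Such entries bypass the group owner and need their own justification.
$direct = @(
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object @{n='Right';e={$_.AccessRights -join ','}}, @{n='Trustee';e={"$($_.User)"}}
    Get-RecipientPermission -Identity $Mailbox |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        Select-Object @{n='Right';e={$_.AccessRights -join ','}}, @{n='Trustee';e={"$($_.Trustee)"}}
    (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo |
        ForEach-Object { [pscustomobject]@{ Right = 'SendOnBehalf'; Trustee = "$_" } }
)
# Matching trustees by group name is an assumption about how the tenant displays them.
$direct | Where-Object { $Groups -notcontains $_.Trustee } | Format-Table -AutoSize
```

An empty second table means every right on the mailbox flows through one of the three groups, so the first table is the complete list of people with access.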

Et voilà

So there you have it. A very simple yet effective method for giving your users more control and essentially lowering the workload for sysadmins or the service desk. If you have any questions or if you want to give some feedback, please leave a comment.


