Sometimes it’s just more time-effective to give the user some extra control. It can be very time-consuming to assign the proper rights to shared mailboxes. There is always somebody who needs access and somebody who doesn’t need it any more. The service desk can get a lot of requests. These requests have to be approved by somebody, and then the request has to be executed. It might be a lot simpler to assign an owner to the mailbox who can handle the requests themselves and assign the proper rights.
Now in Active Directory you could assign managers to a security group, who could then edit the group membership. In Office 365 this is a little bit harder to do, but it is possible. In this blog post I will explain how this can be accomplished.
We will need to connect to Office 365 by using PowerShell. You can use the following commands to connect.
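[cc lang="powershell" tab_size="2"]# Prompt for admin credentials and open a remote Exchange Online session
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
  -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
  -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import the Exchange cmdlets into the local session
Import-PSSession $Session[/cc]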
Creating a shared mailbox
For demonstration purposes I will create a shared mailbox.
[cc lang="powershell" tab_size="2"]New-Mailbox -Shared -Name "firstname.lastname@example.org" -Alias "Example" -DisplayName "Example Mailbox"[/cc]
Setting up security groups
The first thing you want to do is create a mail-enabled security group. You can create a group for Full Access, Send As or Send on Behalf rights. The groups are all created in the same way. In this example we create a group for Full Access, but I also created a group for Send As and one for Send on Behalf rights.
[cc lang="powershell" tab_size="2"]New-DistributionGroup -Type "security" -Name "example-fa" -PrimarySmtpAddress "email@example.com" -Members User1, User2, User3 -ManagedBy Manager1[/cc]
Assigning security groups
You can only assign the permissions to a shared mailbox by using PowerShell.
[cc lang="powershell" tab_size="2"]Add-MailboxPermission -Identity firstname.lastname@example.org -User example-fa -AccessRights FullAccess -InheritanceType All[/cc]
[cc lang="powershell" tab_size="2"]Add-RecipientPermission -Identity email@example.com -AccessRights SendAs -Trustee example-sa -Confirm:$false[/cc]
Send on Behalf
[cc lang="powershell" tab_size="2"]Set-Mailbox -Identity firstname.lastname@example.org -GrantSendOnBehalfTo example-sb[/cc]
OK, so now we have assigned security groups to the mailboxes, but how can users actually add users to these mailboxes?
When creating the security groups I assigned ManagedBy rights to Manager1. This is actually an account in my test tenant. So I logged in to https://outlook.office365.com. There you select the settings icon and choose Mail.
Please note that it is not possible to hide the group from the address book, since the distribution group will show up in the overview of the user.
So there you have it. A very simple yet effective method for giving your users more control and essentially lowering the workload for sysadmins or the service desk. If you have any questions or if you want to give some feedback, please leave a comment.
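Because the group owner can now change who has access without a service desk ticket, it helps to review periodically who actually holds rights on the mailbox and through which group. The function below is an added example, not part of the original post: it assumes the Exchange Online session from the start of this post is imported, the name `Get-SharedMailboxDelegation` is hypothetical, and trustees are assumed to resolve by the name the permission cmdlets return.

```powershell
# Added example: list every delegate on a shared mailbox, the right held,
# the group that grants it and who manages that group.
function Get-SharedMailboxDelegation {
    param(
        [Parameter(Mandatory)]
        [string]$Mailbox   # shared mailbox address, as used in this post
    )

    # Collect each trustee and the right it holds, skipping built-in principals.
    $grants = @()
    $grants += Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Trustee = [string]$_.User; Right = ($_.AccessRights -join ',') } }
    $grants += Get-RecipientPermission -Identity $Mailbox |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Trustee = [string]$_.Trustee; Right = ($_.AccessRights -join ',') } }
    $grants += (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo |
        Where-Object { $_ } |
        ForEach-Object { [pscustomobject]@{ Trustee = [string]$_; Right = 'SendOnBehalf' } }

    foreach ($grant in $grants) {
        # Try to resolve the trustee as a group; a direct user grant returns nothing.
        $group = Get-DistributionGroup -Identity $grant.Trustee -ErrorAction SilentlyContinue
        if (-not $group) {
            [pscustomobject]@{ Right = $grant.Right; Group = '(direct grant)'; ManagedBy = ''; Member = $grant.Trustee }
            continue
        }
        # Expand the group so the report shows people, not just group names.
        $members = @(Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited)
        foreach ($m in $members) {
            [pscustomobject]@{
                Right     = $grant.Right
                Group     = $group.Name
                ManagedBy = ($group.ManagedBy -join ';')
                Member    = $m.PrimarySmtpAddress
            }
        }
    }
}

# Report for the example mailbox created earlier in this post.
Get-SharedMailboxDelegation -Mailbox 'firstname.lastname@example.org' |
    Sort-Object Right, Group, Member | Format-Table -AutoSize
```

Rows marked `(direct grant)` are rights assigned to an individual rather than through one of the managed groups, which are the entries a group owner cannot see or remove.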