How to Add-RecipientPermission in PowerShell

Managing users and user groups in the Exchange environment can be challenging when there are many mailboxes to keep track of.

Although the Exchange Admin Center can also be used to manage the permissions for Exchange Online users, PowerShell commands offer a wide range of possibilities for larger organizations.

That’s why learning how to use the Add-RecipientPermission cmdlet in PowerShell is so important, and today, we are going to show you how to do it by following three quick steps.

What is the Add-RecipientPermission Cmdlet in PowerShell?

The Add-RecipientPermission cmdlet is a command used to grant permissions to users and group members within the Microsoft Exchange environment.

This command can only be found in the cloud-based service, and provides an easier way to manage and delegate permissions related to mail items and other recipient objects.

The Add-RecipientPermission command is not the same as the Add-MailboxPermission command, as the second one provides permissions for entire mailboxes, whereas the first one focuses on permissions for any specific recipient.

Understanding the Add-RecipientPermission Command

The Add-RecipientPermission cmdlet consists of a few switches and parameters that can be modified to grant permissions as requested.

This is the syntax of the Add-RecipientPermission command in PowerShell:

Add-RecipientPermission
   [-Identity] <RecipientIdParameter>
   -AccessRights <MultiValuedProperty>
   -Trustee <SecurityPrincipalIdParameter>
   [-Confirm]
   [-WhatIf]
   [<CommonParameters>]


This syntax consists of different switches. The meaning of these switches is the following:

  • Identity: This parameter specifies the recipients to which you need to add permissions. It contains an identifier of the recipient, such as account name, user properties, or email address;
  • AccessRights: This value specifies the type of permissions that will be provided to the user. For example, you can decide whether they have full access to an individual or shared mailbox or other mailbox properties;
  • Trustee: Trustee refers to the user or distribution group to whom you wish to grant the overall permissions on individual or shared mailboxes;
  • Confirm: Confirm is an optional parameter that can be included to prompt for your own confirmation before executing the PowerShell command;
  • WhatIf: The WhatIf switch lets you preview the changes the command would make to a mailbox without actually applying them, so you can verify that the command will work as intended;
  • CommonParameters: CommonParameters represents other standard parameters that can be used alongside the Add-RecipientPermission PowerShell command.

Benefits of Using Add-RecipientPermission in PowerShell

As mentioned before, it is possible to manage recipient permissions to mailboxes by using the Add-RecipientPermission PowerShell command. Among the main benefits of this command, we have the following:

  1. Manage Send As permissions in Office environments to send messages more quickly;
  2. Delegate access to private or public folders based on your needs (by managing Send As, Full-Access, and Send on Behalf permissions);
  3. Efficient distribution group management;
  4. Setting up security group permissions;
  5. Implement custom access control scenarios;
  6. Managing resource mailboxes and Microsoft Office 365 groups.

Exchange Online PowerShell Permissions & Roles

There’s a series of role names and permissions that can be added to users and groups by using the Add-RecipientPermission command.

Before granting permissions to Exchange recipients, it is advisable to check the meaning and permission levels of each role, as mentioned by Microsoft. This table summarizes the most important data pieces of the roles granted through Add-RecipientPermission:

| Role Name | Description | Recipient Types in the EAC | Additional Recipient Types in PowerShell | Available Delegate Types |
| --- | --- | --- | --- | --- |
| Full Access | Allows other users to open, manage and see all the contents of a mailbox in Outlook, but users cannot send emails from it. | User mailboxes, Shared mailboxes and Resource mailboxes. | Mailboxes with user accounts, mail users with accounts, mail-enabled security groups and discovery mailboxes. | Individual users with proper permissions. |
| Send As | Send As Permissions allows someone to send an e-mail message from a mailbox as if the email came directly from said mailbox. The “send mail” feature does not indicate that it was sent by a delegate on the messages (as suggested by the Send As Permission name). | Shared mailboxes, user mailboxes, distribution groups, dynamic distribution groups, mail-enabled security groups and Microsoft Office 365 groups. | N/A. | Mail users with accounts, mail-enabled security groups and mailboxes with user accounts. |
| Send on Behalf | Send on Behalf permissions provide mailbox delegation permissions - when the delegate sends a message, it will indicate that it was sent on behalf of the delegate (as the name Send on Behalf Permission suggests). | User mailboxes, resource mailboxes, mail-enabled security user or group, etc. | Shared mailboxes. | Mailboxes with user accounts, mail-enabled security groups, distribution groups and mail users with accounts. |



Prerequisites for Using Add-RecipientPermission in PowerShell

Before using Add-RecipientPermission cmdlets in PowerShell, it is necessary to have sufficient administrator roles and a valid Office account of your organization.

You can check the cmdlet permissions directly via PowerShell by following a series of three quick steps:

  • Step 1: Open PowerShell and make sure to log into your Microsoft Office account;
  • Step 2: Run the “$Perms = Get-ManagementRole -Cmdlet <Cmdlet>” command, but replace <Cmdlet> with “Add-RecipientPermission”;
  • Step 3: Check out the required roles, admin permissions, and credentials to run the aforementioned command.
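
One way to carry out steps 2 and 3, as an added example that is not part of the original article: it lists the management roles that contain Add-RecipientPermission and then the role groups and effective users who hold them. It assumes an active Exchange Online PowerShell session; the `$holders` variable name is illustrative.

```powershell
# Added example; assumes Connect-ExchangeOnline has already been run.
# Roles that include the cmdlet (step 2 of the list above).
$Perms = Get-ManagementRole -Cmdlet Add-RecipientPermission

# For each role, list the regular (non-delegating) assignments and expand
# them to the effective users, so the output names who can run the cmdlet.
$holders = foreach ($role in $Perms) {
    Get-ManagementRoleAssignment -Role $role.Name -GetEffectiveUsers -Delegating $false |
        Select-Object Role, RoleAssigneeType, RoleAssigneeName, EffectiveUserName
}

# Review the list: every entry is an account able to hand out recipient permissions.
$holders |
    Sort-Object EffectiveUserName, Role -Unique |
    Format-Table -AutoSize
```

An account that appears here without an administrative reason to manage recipient permissions is a candidate for removal from the role group.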

How to Use Add-RecipientPermission in PowerShell

To use Add-RecipientPermission in PowerShell, we can first check the existing permissions by running the Get-RecipientPermission command and then modify these permissions with the Add-RecipientPermission command.

This applies to individual mailboxes, users, and different types of groups within the Microsoft Exchange ecosystem.

Follow these three steps to learn how to use Add-RecipientPermission commands in PowerShell.

Step 1: Connect to Exchange Online PowerShell

First, in order to run PowerShell cmdlets, we need to connect to Exchange Online PowerShell.

To connect to PowerShell, it is necessary to launch PowerShell on your computer and run the following command:

Connect-ExchangeOnline -UserPrincipalName <your-email-address>


Don’t forget to replace the mail contact with your own organization email in order to access full PowerShell features.

Log into your Office profile by using your standard credentials, and once everything looks alright, move on to the second step of this process.

Step 2: Use Get-RecipientPermission to See Current Mailbox Permissions

We are going to use Get-RecipientPermission (which is another cmdlet) to see the currently assigned permissions.

This step is optional, but using Get-RecipientPermission is recommended as it allows you to see the current permissions based on user identity.

This is the syntax of the Get-RecipientPermission PowerShell command:

Get-RecipientPermission
   [[-Identity] <RecipientIdParameter>]
   [-AccessRights <MultiValuedProperty>]
   [-ReadFromDomainController]
   [-ResultSize <Unlimited>]
   [-Trustee <SecurityPrincipalIdParameter>]
   [<CommonParameters>]


Let’s take a look at an example. Imagine that you run the following command:

Get-RecipientPermission "Meeting Rooms"


Running this command returns a list of the users who have SendAs permission on the mailbox Meeting Rooms.

Doing this is a nice way to know if you are managing the correct mailbox or group as needed.

Step 3: Run the Add-RecipientPermission Cmdlet

Now, we are going to run the Add-RecipientPermission cmdlet to assign the permissions as required.

Let’s take a look at this example:

Add-RecipientPermission "Meeting Rooms" -AccessRights SendAs -Trustee "James"


This example gives the user James Send As permission on the Meeting Rooms mailbox. From now on, James will be able to send messages from this mailbox that look as if they were sent by the original mailbox owner.

It is also possible to manage permissions for dynamic or other types of Exchange groups, such as in this example:

Set-DynamicDistributionGroup "Meeting Rooms" -GrantSendOnBehalfTo @{Remove="James"}


In this command, Set-DynamicDistributionGroup represents the type of group that’s being managed.

Since “GrantSendOnBehalfTo” refers to a type of permission added through Add-RecipientPermission (as mentioned above), the command removes all Send on Behalf permissions assigned to James in the Meeting Rooms dynamic distribution group.
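
Steps 2 and 3 combined into one guarded grant, as an added example that is not part of the original article: it checks the current Send As holders, previews the change with -WhatIf by default, and verifies the result after applying it. It assumes an active Exchange Online session; `Grant-SendAsChecked` and its `-Apply` switch are hypothetical names.

```powershell
# Added example; assumes Connect-ExchangeOnline has already been run.
# Grant-SendAsChecked is a hypothetical helper name, not an Exchange cmdlet.
function Grant-SendAsChecked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $Trustee,
        [switch] $Apply   # without -Apply the function only previews the change
    )
    $ErrorActionPreference = 'Stop'   # errors returned by Exchange stop the function

    # Step 2: who can already send as this mailbox (the mailbox itself excluded)?
    $current = Get-RecipientPermission -Identity $Mailbox -AccessRights SendAs |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' }
    Write-Verbose ("Existing Send As trustees: " + ($current.Trustee -join ', '))

    # Let Exchange resolve the trustee, so an alias and a UPN compare equal.
    $existing = Get-RecipientPermission -Identity $Mailbox -Trustee $Trustee -AccessRights SendAs
    if ($existing) {
        Write-Verbose "$Trustee already has Send As on $Mailbox; nothing to do."
        return $existing
    }

    $grant = @{ Identity = $Mailbox; AccessRights = 'SendAs'; Trustee = $Trustee }
    if (-not $Apply) {
        # Preview only: -WhatIf reports the change without making it.
        Add-RecipientPermission @grant -WhatIf
        return
    }

    # Step 3: grant without the interactive prompt, then confirm it landed.
    Add-RecipientPermission @grant -Confirm:$false | Out-Null
    $after = Get-RecipientPermission -Identity $Mailbox -Trustee $Trustee -AccessRights SendAs
    if (-not $after) { throw "Send As for $Trustee on $Mailbox was not found after the grant." }
    $after | Select-Object Identity, Trustee, AccessRights, AccessControlType, IsInherited
}

# Preview, then apply, using the mailbox and user from the article's example:
# Grant-SendAsChecked -Mailbox 'Meeting Rooms' -Trustee 'James' -Verbose
# Grant-SendAsChecked -Mailbox 'Meeting Rooms' -Trustee 'James' -Apply
```

Because a Send As grant lets the trustee send mail that is indistinguishable from the mailbox's own, the returned record is worth keeping with the change request that authorized it.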

Summary: Using Add-RecipientPermission in PowerShell

That’s how we can manage recipient permissions in PowerShell with the help of the Add-RecipientPermission command.

Learning how to use this command can create a smoother environment for administrators, as it is easy to assign or remove mailbox permissions individually or as a group:

  1. The Get-RecipientPermission cmdlet is used to view the existing permissions of recipients on certain groups or mailboxes;
  2. The Add-RecipientPermission cmdlet works to assign, remove, or modify recipient permissions in PowerShell;
  3. Check out the three different roles (Send As, Full Access, and Send on Behalf) before assigning or removing permissions via PowerShell commands.

FAQ

Is the Add-RecipientPermission Available in the On-Premises Exchange Server?

No - the Add-RecipientPermission cmdlet is only available in the cloud-based service and not in the on-premises Exchange server, as mentioned on the official Microsoft website.