To more understand the AccessRights in Mailbox permission

Ajay m 0

Can you explain the specific roles and implications of the following mailbox permission AccessRights values: ChangeOwner, ChangePermission, DeleteItem, ExternalAccount, and ReadPermission?

ChangeOwner: What does this permission enable a user to do in terms of changing the ownership of mailbox items or folders? How does it impact administrative control and delegation within the mailbox?

ChangePermission: What is the effect of this permission on modifying access rights for mailbox items or folders? In what scenarios is it necessary to grant this permission?

DeleteItem: How does this permission affect the ability to delete items within a mailbox? Are there any constraints or additional considerations associated with it?

ExternalAccount: What does this permission allow, particularly in relation to external accounts or access? How does it differ from other permissions and what are its typical use cases?

ReadPermission: What level of access does this permission provide for reading mailbox items or folders? How does it interact with other permissions, and when is it essential to grant this access?

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-23T08:13:07.07+00:00

Hi, @Ajay m

Just circling back to check to see how things are going on with this thread. Should you need more help on this, you can feel free to post back.

1 answer

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-14T02:38:08.0666667+00:00

Hi, @Ajay m

Welcome to the Microsoft Q&A platform!

Below I will give you a detailed description of the specific role and meaning of each parameter.

ChangeOwner: This permission allows the user to change the owner of the mailbox. This means that users can change the owner metadata of an item or folder to themselves or another user. Granting this permission can have a significant impact on administrative control, as ownership often determines who has ultimate control over an item or folder. Typically, this is an advanced privilege that is used in administrative tasks, such as when ownership is reassigned due to a role change or organizational reorganization.

ChangePermission: This permission enables the user to modify access to a mailbox item or folder. This permission must be granted when a user needs to manage who can access or modify mailbox content. This permission is required in situations where delegated control is required, such as in a collaborative environment, where users need to manage who has access to certain mailbox items or folders. This permission is often required by administrators to maintain appropriate access controls and ensure that only authorized users have access to sensitive information.

DeleteItem: This permission allows users to delete items within a mailbox, which includes emails, calendar events, tasks, and other mailbox content. It's important to note that accidental or unauthorized deletions can occur, so you should be cautious about granting this permission, usually only to trusted users, to ensure that users can manage and clean up mailbox contents, but also to guard against the risk of accidental deletion.

ExternalAccount: This permission indicates that the accounts are not in the same domain. It allows external accounts to access mailboxes, which is useful for cross-domain collaboration or when external consultants need access. This permission differs from other permissions in that it focuses on access from accounts that are not the primary organization or domain. It's especially useful for granting access to third-party services or users outside your organization for collaboration or interoperability purposes.

ReadPermission: This permission provides the ability to read a mailbox item or folder, which is a basic level of access that often coexists with other permissions, such as Write or DeleteItem. This access must be granted when a user needs to view content without making changes, such as during a review or moderation process.

Granting and managing these permissions requires an understanding of what they mean and the specific needs of your organization or team. Always ensure that permissions are granted in accordance with the principle of least privilege to minimize security risks.

In addition, the following permissions are assigned to user mailboxes:

More information can be found Get-EXOMailboxPermission (ExchangePowerShell) | Microsoft Learn

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Please sign in to rate this answer.
Ajay m 0 Reputation points

2024-08-14T05:51:54.9966667+00:00

When adding Only the FullAccess Permission we can access another mailbox in outlook.but we adding ReadPermission only to the usermailbox we unable to open in outlook.For the reference to picture given below

1.Only with full access permission

2.Only with Readpermission

Like wise need an reference about ChangeOwner, ChangePermission, DeleteItem, ExternalAccount, and ReadPermission

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-14T06:46:47.9166667+00:00

Hi, @Ajay m

According to your last screenshot of the error, did you add ReadPermission and then use "Open another mailbox" option to achieve the permission function?

In fact, if you implement access by "Opening another mailbox", you must need full access.

If you have successfully configured the ReadPermission, you should follow the steps below:

1.In the left navigation bar of the OWA interface, right-click on your mailbox name and select "Add shared folder or mailbox".

2.In the dialog box that pops up, enter the email address for which you have been granted read permission, and then click "Add".

3.After the addition is successful, you will see the name of the mailbox in the left navigation. Click the name to view the messages in that mailbox.

If you do not configure ReadPermission successfully, the following error message occurs when you click the mailbox.

After my test, the function can be implemented normally, and the following screenshot is for your reference.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-14T06:54:15.7466667+00:00

Hi, @Ajay m

Before I noticed, you updated your third error screenshot.

With your third screenshot, you may not have added ReadPermission exactly correctly, and you can modify your command according to the template in the power shell above.

Add-MailboxPermission -Identity "user1@domain.com" -User "user2@domain.com" -AccessRights ReadPermission

user1@domain.com is the user to whom the mailbox belongs.

user2@domain.com is the user you want to grant read access to.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Ajay m 0 Reputation points

2024-08-14T09:24:35.9+00:00

Thank you @Xintao Qiao-MSFT

I tried to do what you said, but the same error is still occurring.

I only gave Read permission.

How should I check if the read permission is working.

Like wise need an reference about ChangeOwner, ChangePermission, DeleteItem, ExternalAccount .how to work the single permission of above mention permissions.

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-14T10:06:50.0833333+00:00

Hi, @Ajay m

This can be a tricky question.

It may take time for your actions to take effect.

Also, I need to confirm some information to you.

What is your work environment? Is it a hybrid M365 environment or Exchange Server coexistence state?

Do you have both mailboxes in the cloud, or on-premises, or one mailbox in each environment?

I will continue to test it for you, it may take a little time, and I will let you know as soon as there is progress.

Ajay m 0 Reputation points

2024-08-14T12:05:59.58+00:00

Hi @Xintao Qiao-MSFT ,

Thank you for your response and for looking into this issue.

To clarify:

Work Environment: We are working in a M365 environment.

Mailbox Locations: Both mailboxes are in the cloud.

I appreciate your efforts in testing this. Please let me know if you need any more information from my side.

Looking forward to your update.

Additionally you explain this are the permissions ChangeOwner, ChangePermission, DeleteItem, ExternalAccount

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-15T09:24:42.4533333+00:00

Hi, @Ajay m

How should I check if the read permission is working.

You can use the command to see if ReadPermission is configured.

Get-MailboxPermission -Identity user@domain.com | select User,AccessRights

Forgive me for my previous negligence.After a lot of testing by me, the results are exactly what you said. ReadPermission only works if full access is assigned, so it appears that ReadPermission becomes optional.

Unfortunately, there is no official Microsoft documentation mentioning this at the moment. I'll continue to test the latest usage of the feature for you.

However, there is also an alternative, and you can also use the "Sharing and Permissions" feature to accomplish a similar function. It's simpler, faster, and easier to manage.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Ajay m 0 Reputation points

2024-08-16T06:24:24.0666667+00:00

Thank you @Xintao Qiao-MSFT
I need some Additional Information:

“Full permission means assigning all permissions, right?
If Full Access permission is granted, is there any need for other permissions?

I have previously looked into sharing and permissions, but I have no idea about ChangeOwner, ChangePermission, DeleteItem, and ExternalAccount in mailbox permissions. Can you explain these?

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-16T06:58:44.4466667+00:00

Hi, @Ajay m

Glad to hear from you.

When you grant "Full Access" permission to a mailbox, it means that the user can open and fully access the contents of the mailbox, including reading, writing, deleting, and creating items. However, it does not include the ability to send emails from that mailbox unless "Send As" or "Send on Behalf" permissions are also granted. So, while "Full Access" covers most permissions, you might still need to assign additional permissions.

ChangeOwner: This permission allows the user to change the owner of the mailbox. This is an advanced permission that is commonly used in administrative tasks, such as when ownership is reassigned due to a role change or organizational reorganization.

ChangePermission: This permission enables the user to modify access to a mailbox item or folder. This is important for managing who can access or modify mailbox content, especially in a collaborative environment.

DeleteItem: This permission allows users to delete items within a mailbox, including emails, calendar events, tasks, and other mailbox content. This permission needs to be granted with care to prevent accidental or unauthorized deletion.

ExternalAccount: This permission indicates that the accounts are not in the same domain. It allows external accounts to access mailboxes, which is useful for cross-domain collaboration or when external consultants need access.

These permissions can be granted to one user at the same time. This means that users will have the ability to change the owner of the mailbox, modify access to mailbox items or folders, delete items within the mailbox, and allow external accounts to access the mailbox.

You can check out the first reply for the specific roles and meanings of these parameters, or check out the documentation. Get-EXOMailboxPermission (ExchangePowerShell) | Microsoft Learn

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Ajay m 0 Reputation points

2024-08-16T09:06:15.3933333+00:00

Hi @Xintao Qiao-MSFT
Thank you for your response and finally one question:

You’re explaining theoretically, but how can I practically test permissions like ChangePermission, ChangeOwner, DeleteItem, and ExternalAccount? How should I assign these permissions and verify if they are working correctly? Do you have any ideas or references to documentation on this?

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-16T10:10:51.3733333+00:00

Hi, @Ajay m

I totally understand that you need a real-world example to get a feel for the functionality of this parameter.

Unfortunately, there is no clear documentation mentioning the specific operation of this parameter.

In fact, the configuration method of these parameters is similar. You can use the following command to assign these parameters.

Add-MailboxPermission -Identity <MailboxIdentity> -User <UserIdentity> -AccessRights ChangeOwner

All you need to do is modify the parameters in the red box.

After the assignment is complete, you can still use the following command in PoweShell to check whether the configuration is successful.

Get-MailboxPermission -Identity <MailboxIdentity> | Where-Object { $_.User -eq '<UserIdentity>' }

Of course, you can also try to perform the operations that this parameter can perform in the mailbox, and if the operation is successful, you can quickly prove that the command is successfully configured.

If you still have questions, you can continue to click on the Comments, I will test it for you in three days, you can be patient. If the answer is helpful to you, you can also click "Accept Answer".

Ajay m 0 Reputation points

2024-08-16T11:48:57.12+00:00

Hi @Xintao Qiao-MSFT
Thank you for providing the PowerShell commands and the explanation. I appreciate the detailed instructions on assigning and checking permissions.

I already know the PowerShell commands, but my question is about how to verify if specific permissions like ChangeOwner, ChangePermission, or DeleteItem are working for a user. For example, if we assign one of these permissions, how can we check if it’s functioning correctly for the user?

For instance, with FullPermission, we can open another mailbox and access the mailbox to verify it. I’m looking for a similar method to check if ChangeOwner, ChangePermission, or DeleteItem are correctly applied.”

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-19T07:35:24.0633333+00:00

Hi, @Ajay m

I can understand your thoughts now.

It's very simple. All you need to do is log in to the account you have permissions to try to perform the desired permission level, and if the operation is successful, the appropriate permissions should have been correctly assigned.

For example, for a DeleteItem that is successfully assigned, you can:

1.Log in to OWA: Log in to OWA with a user account with DeleteItem permissions.

2.Access a shared mailbox: In OWA, click Shared mailboxes or Other mailboxes in the left navigation bar, and then select the shared mailbox for which you want to verify permissions.

3.Try to delete an item: Once you're in a shared mailbox, try to delete messages or other items in it. If you are able to successfully delete the item, the DeleteItem permission has been successfully assigned.

The same is true for ChangeOwner and ChangPermission.

After entering the shared mailbox, try to change the owner information or related settings of the mailbox (such as adding, modifying, deleting, and reassigning the permissions of the mailbox user), if the operation is successful, you can prove that the ChangeOwner assignment is successful.

Once you're in a shared mailbox, try changing the permission settings for that mailbox (for example, Send As or Send on behalf). If the operation is successful, the ChangePermission assignment is successful.

However, it is worth noting that after the above test, we know that these parameters will only work if they have access to the mailbox, that is, they can be used normally if they have full access, then these parameters will become dispensable. If the conditions for using this feature have not yet been determined, we recommend that you prioritize the use of "Sharing and Permissions".

If you still have questions, you can continue to click on the Comments, I will test it for you in three days, you can be patient. If the answer is helpful to you, you can also click "Accept Answer".

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-20T07:03:59.7966667+00:00

Hi, @Ajay m

If the answer is helpful please click on ACCEPT ANSWER as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-21T05:28:50.1433333+00:00

Hi, @Ajay m

Just wanted to check if the answer shared above helped. If it helped, then would request you to please "Accept the answer" as it would be helpful to others in the community as well.

Ajay m 0 Reputation points

2024-08-26T10:37:39.0866667+00:00

Can you explain about external accounts and how they work?

In access rights, why is it that external accounts always with the 'descendants' inheritance type, even if a different type is specified?

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-27T03:25:32.1833333+00:00

Hi, @Ajay m

Glad to hear from you.

External Account:

An external account is typically a user account that is not part of an organization's internal user directory but is allowed limited access to specific resources in the organization's systems or network. These users may be partners, contractors, or customer accounts that need to interact with the organization to provide certain services or data.

How External Accounts Work:

1.Creation and authentication: External users are often given a username and password or other authentication credentials. When integrating between different systems, they may authenticate through mechanisms such as single sign-on (SSO) or OAuth.

2.Access control: Access to external accounts is strictly controlled. They are often granted permissions to specific resources or applications, which are often not as comprehensive as internal users.

External accounts can typically only be assigned the "descendants" inheritance type in access rights management, and not other specified inheritance types. This is because the permissions of the external account need to be consistent across all related resources. By using the Descendant inheritance type, you can avoid the problem of inconsistent permissions by ensuring that permissions assigned to external accounts are inherited by all descendant objects, such as subfolders or subprojects. This design ensures the security and control of external accounts when accessing resources.

Here are some of the reasons why 'descendants' are always used for external accounts:

1.Simplified management: By ensuring that permissions are propagated to all descendants, admins can more easily manage and audit access. This reduces the complexity and likelihood of misconfigurations that can lead to security breaches.

2.Principle of least privilege: Using "descendant" inheritance ensures that external accounts get the minimum range of access they need. It prevents external users from accidentally gaining a higher level of access.

3.Consistency and Predictability: It provides a predictable and consistent permission model, which is essential for external accounts that may have different trust levels and need clear boundaries to define what they can and can't access.

If you still have questions, you can continue to click on the Comments, I will test it for you in three days, you can be patient. If the answer is helpful to you, you can also click "Accept Answer".

Xintao Qiao-MSFT 3,995 Reputation points Microsoft Vendor

2024-08-29T09:56:15.94+00:00

Hi, @Ajay m

Just circling back to check to see how things are going on with this thread. Should you need more help on this, you can feel free to post back.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

To more understand the AccessRights in Mailbox permission

1 answer

Your answer