Management of calendar permissions in Microsoft 365 and Exchange Server mailboxes is a common task for email administrators. This tutorial shows how to use PowerShell to list, add, and remove mailbox calendar access on Microsoft 365 (formerly Office 365) and on-premises Exchange Server.
Table of Contents
Managing Calendar Permissions with PowerShell
Calendar in a Microsoft 365 and Exchange Server mailbox is a pre-configured system folder that is displayed in a special calendar view in Outlook/Outlook Web Access. Users can manage calendar permissions themselves from the Outlook GUI interface. However, an administrator cannot manage calendar permissions from the Exchange Admin Center or the Microsoft 365 Admin Portal. Administrators use PowerShell to manage user and shared mailbox calendar permissions.
There are several cmdlets in PowerShell to manage permissions for Calendar (and other folders) in an Exchange Server or Microsoft 365 mailbox:
- Get-MailboxFolderPermission – list current calendar permissions;
- Add-MailboxFolderPermission – grant calendar permissions to a user or group;
- Set-MailboxFolderPermission – modify existing permissions;
- Remove-MailboxFolderPermission – remove calendar permissions;
- Get-MailboxCalendarFolder – get calendar folder information.
To manage calendar permissions in mailboxes, you must first connect to your Microsoft 365 or on-premises Exchange Server tenant from the PowerShell console.
Connect to Microsoft 365 (Exchange Online) Tenant with PowerShell
- Open the PowerShell console;
- Check if the Exchange Online PowerShell V3 (EXO V3) is installed on the computer:
Get-InstalledModule ExchangeOnlineManagement
If the module is missing, install it from the PowerShell Online Gallery by using the following command:
Install-Module ExchangeOnlineManagement -Force
- Connect to your Exchange Online tenant:
Connect-ExchangeOnline -UserPrincipalName kirill@theitbros.onmicrosoft.com -ShowProgress $true
Provide your Microsoft 365 tenant administrator credentials. If you have Multi-Factor Authentication (MFA) enabled for your Azure account, you will need to confirm your account sign-in with your second factor.
Connecting to On-prem Exchange Server with PowerShell
You can remotely connect to your on-prem Exchange Server 2010, 2013, 2016, and 2019 using PowerShell (you do not need to install the Exchange Management Shell on your computer):
- Save your Exchange administrator’s credentials into the PowerShell variable:
$LiveCred = Get-Credential
- Connect to your Exchange server using the Kerberos authentication (replace ny-msg-02 with the FQDN of your on-prem Exchange Server):
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ny-msg-02/powershell/ -Credential $LiveCred -Authentication Kerberos
- Allow local PowerShell script to run by changing PowerShell Execution Policy to RemoteSigned:
Set-ExecutionPolicy RemoteSigned
- Import cmdlets from a remote Exchange Server host to your PowerShell session:
Import-PSSession $Session -DisableNameChecking
Hint. If you logged on directly to the on-premises Exchange Server host, you can use the Exchange Management Shell or can load Exchange cmdlets with the command:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
View Mailbox Calendar Permissions with PowerShell
Use the Get-MailboxFolderPermission cmdlet to list the existing calendar permissions of the specified mailbox:
Get-MailboxFolderPermission cyril@theitbros.onmicrosoft.com:\calendar FolderName User AccessRights SharingPermissionFlags ———- —- ———— ———————- Calendar Default {AvailabilityOnly} Calendar Anonymous {None}
The default AvailabilityOnly role is only assigned to a Calendar folder.
Note. By default, users in Exchange Server organizations and Microsoft 365 (Exchange Online) tenants can’t view other users’ Outlook e-mails or calendar items. The only permission that is granted to all users by default is the ability to view the Free/Busy information in other users’ calendars (this is the AvailabilityOnly role).
Note. If this command returns that ‘username:\calendar’ cannot be found, it is most likely that the user has Outlook language settings other than English. Appropriately, the Calendar folder name can be different (calendar\kalender\calendario\calendrier\календарь). For example, to view calendar permissions for the Dutch Language (nl-NL) use the command:
Get-MailboxFolderPermission username:Agenda
You can get the name of the calendar in the current user’s regional configuration with the command:
(Get-MailboxFolderStatistics username -FolderScope Calendar).Identity
List All Mailbox Calendar Permissions in Exchange
You can get the list of all mailbox calendar permissions in your organizationby using the following command:
Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_":\calendar"} | Where {$_.User -like "Default"} | Select Identity, User, AccessRights
Find Calendars a Specific User Has Access To
You can find all the calendars in your organization that a particular user has been granted access to. In this example, we want to display a list of user mailboxes whose calendars are allowed to be accessed by a user named Muller:
Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_":\calendar"} | Where {$_.User -like “*Muller*”} | Select Identity, User, AccessRights
The list of users whose calendars the user can access is listed in the Identity column. The AccessRights field shows the current calendar permissions.
Understanding Outlook Calendar Permissions
When managing calendar and Outlook folder permissions, you can use the following predefined permissions levels:
- Owner — gives full control of the mailbox folder: read, create, modify, and delete all items and folders. Also, this role allows to manage item’s permissions;
- PublishingEditor — read, create, modify, and delete items/subfolders (all permissions, except the right to change permissions);
- Editor — read, create, modify, and delete items (can’t create subfolders);
- PublishingAuthor — create, and read all items/subfolders. You can modify and delete only items that you have created;
- Author — create and read items. Edit and delete own items;
- NonEditingAuthor — full read access, and create items. You can delete only your own items;
- Reviewer — read folder items only;
- Contributor — create items and folders (can’t read items);
- AvailabilityOnly — read Free/Busy info from the calendar;
- LimitedDetails — view availability data with calendar item subject and location;
- None — no permissions to access folders and files.
You can also use granular permissions to fine-tune the access rights to the mailbox calendar. The following values are available:
- CreateItems;
- CreateSubfolders;
- DeleteAllItems;
- DeleteOwnedItems;
- EditAllItems;
- EditOwnedItems;
- FolderContact;
- FolderOwner;
- FolderVisible;
- ReadItems.
The Permission Level roles described above are just a set of granular permissions. For example, the Editor role is a set of the following individual permissions:
- CreateItems
- DeleteAllItems
- DeleteOwnedItems
- EditAllItems
- EditOwnedItems
- FolderVisible
- ReadItems
Adding Calendar Permissions in Microsoft 365/Exchange Server with PowerShell
In order to grant user2 the permission to view and edit user1 calendar items, run the following command:
Add-MailboxFolderPermission -Identity user1@domain.com:\calendar -user user2@domain.com -AccessRights Editor
If some of the items in the calendar are marked as Private, you can delegate the permissions to view Private calendar items:
Add-MailboxFolderPermission –Identity user1@domain.com:\calendar –User user2@domain.com -AccessRights Editor -SharingPermissionFlags Delegate,CanViewPrivateItems
Note. You can grant access to the mailbox calendar not only for an individual user, but also for a Microsoft 365 group or an mail-enable AD security group.
Yon can assign calendar permissions to a specific user’s calendar in bulk. Simply create a CSV text file containing a list of users you want to grant permission to, and run the command:
Import-Csv users.csv | foreach { add-MailboxFolderPermission -Identity "user1@domain.com:\calendar" -User $_.alias -AccessRights Owner }
In some cases, you may need to allow a particular user (for example, a secretary) to manage all the calendars in the organization:
Foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) { Add-MailboxFolderPermission -identity "$($Mailbox.Name):\Calendar" -AccessRights Editor -User secretary }
You can use the SendNotificationToUser parameter of the Set-MailboxFolderPermission cmdlet to generate a “share invitation” email that summarizes your changes. The option -SendNotificationToUser $true can be used only when you set one of the following permissions via the AccessRights parameter: AvailabilityOnly, LimitedDetails, Reviewer, or Editor. The following command will send a sharing invitation to the user2:
Add-MailboxFolderPermission -Identity user1@domain.com:\calendar -user user2@domain.com -AccessRights Editor -SendNotificationToUser $true
This is what the sharing invitation will look like in Outlook:
You’re invited to share this calendar.
UserName has invited you to view his or her Calendar. Click the Open button above.
How to Change or Remove Calendar Permissions with PowerShell
You can change the Default permissions for the shared mailbox calendar folder and allow all organization users to view calendar items:
Set-MailboxFolderPermission -Identity projects@domain.com:\calendar -User Default -AccessRights Reviewer
Check the current calendar permissions again with the Get-MailboxFolderPermissions cmdlet. They should change:
Get-MailboxFolderPermission -Identity project@domain.com:\calendar
FolderName User AccessRights
———- —- ————
Calendar Default {Reviewer}
Calendar Anonymous {None}
Calendar user2 {Editor}
You can also assign mailbox permissions to the Exchange distribution group, rather than to an individual user:
New-DistributionGroup -Type Security -Name “Resource Calendar Owners” -Alias “grResourceCalendarAccess”
Add-MailboxFolderPermission -Identity user1@domain.com:\calendar -User grResourceCalendarAccess -AccessRights Owner
You can make this bulk calendar permissions change using a simple PowerShell script. To change the Default calendar permission for all mailboxes to Reviewer:
foreach($usermbx in Get-Mailbox -RecipientTypeDetails UserMailbox) { $usercalendar = $usermbx.alias+":\Calendar" Set-MailboxFolderPermission -Identity $usercalendar -User Default -AccessRights Reviewer }
This will allow all your users to view all the calendars in the organization.
Use the Remove-MailboxFolderPermission cmdlet for removing calendar permissions:
Remove-MailboxFolderPermission -Identity user1@domain.com:\calendar –user user2@domain.com
If you want to reset the user’s calendar permissions to default:
Get-MailboxFolderPermission brett.jackson:\Calendar | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User }
To exclude some “default” permissions entries from the removing script, use the following PowerShell one-liner:
Get-MailboxFolderPermission brett.jackson:\Calendar | ? {$_.User -notmatch "^(Default|Secretary|Anonymous)$"} | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User.ADRecipient.ExchangeObjectId.Guid -Confirm:$false }
Now you can disconnect your PowerShell session from Microsoft 365/Exchange Server:
Remove-PSSession $Session
In order to view other user calendars in Outlook 365/2019/2016 (including room resources, Shared calendars), you should switch to the calendar view and select the calendar type you want to add.
You can select a user from Address Book (Global Address List – GAL), Open Shared Calendar (you should specify user name), Room List, and Internet (web-calendar).
For example, you want to add a calendar from the Global Address List. Find the calendar name you want to add to Outlook and click OK. The shared calendar should appear under the My Calendars in Shared Calendars section.
PowerShell makes it easy to manage user calendar permissions in Microsoft 365 and on-premises Exchange Server environments. While you can’t use the GUI to centrally manage calendar permissions, you can use PowerShell to make bulk changes for for calendar access folder-level permissions.
13 comments
Thanks for the post, still a ton of useful info in here. Quick tip for others: If you want to identify which Calendars one individual user has access to, modify the command:
Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_”:calendar”} | Where {$_.User -like “Default”} | Select Identity, User, AccessRights
Replacing “Default” with the name of the specific user for whom you want to identify permissions.
Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_”:calendar”} | Where {$_.User -like “Miles Morales”} | Select Identity, User, AccessRights
Hello I’m getting this error, when trying to create a new session to 0365:
New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12 + $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin gTransportException + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
Can you help?
Make sure you are signing in with an account with Global Admin privileges.
Thanks for sharing. I have written a script, which can generate 6 different calendar permission report based on your requirement.
https://o365reports.com/2021/11/02/get-calendar-permissions-report-for-office365-mailboxes-powershell/
I know this is a random question, but if you have given someone calendar access and it’s not appearing for them – do you need to give them mailbox access as well? I didn’t think you did unless there has been a change in recent months?
Probably a really dumb question but would I be able to share all the calendars of one security group with another? For instance could I do something like this?
add-MailboxFolderPermission -Identity grResources:\calendar -User grResourceCalendarAccess -AccessRights Owner
Essentially I’m looking only to share the calendars of a specific set of people with another specific set of people within a division.
I have the same question.
Very nice article, thanks for posting!
Many thanks for this useful case.
So… have an Exchange on Prem 2019, CU12. This worked for me.. PARTIALLY…
I am able to create the shared mailbox/calendar and apply all the necessary permissions, the Get command shows the appropriate groups, or individuals, along with the correct permissions assigned. Here is the kicker… any machine, using Outlook, the Shared calendar can be opened by anyone assigned either Viewer or Owner role NP.. BUT from Outlook Owners cannot modify/edit the calendar, make entries etc… The same Owners logon via OWA and can edit appointments, modify , delete etc no issues at all. Workstations use Off 2019 Pro Plus, latest updates as of 3/2023…. outlook is in online mode
hi, I can’t even get past step 2 here. What am I missing? I have run Install-Module PowershellGet but keep getting the following when running Get-InstalledModule ExchangeOnlineManagement
PackageManagement\Get-Package : No match was found for the specified search criteria and module names
‘ExchangeOnlineManagement’.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:2253 char:9
+ PackageManagement\Get-Package @PSBoundParameters | Microsoft. …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft.Power…lets.GetPackage:GetPackage) [Get-Package], Exception
+ FullyQualifiedErrorId : NoMatchFound,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackage
This is a great article. I have a case where my client has requested for all managers to be able to see the full calendar (not just busy/free) for all staff that report to them. We have populated the “Manager” field of AD in hopes this field could be utilized for the purpose of managing this requirement.
In reading a number of articles, I am thinking I may need to create a security group for each manager (containing the staff that reports to them) and run a PS script to associate the security group to a given manager.
Does this request make sense and am I on the right track for achieving this need? I can not think of an easier or more obvious way.
Thank you in Advance,
Chris
Thank you!!!!