A shared mailbox is a useful feature in both Exchange Server and Exchange Online. It allows multiple users to access and manage a common mailbox, such as a departmental or project-related mailbox. Managing and sending emails from a shared mailbox can be done in a few steps, and we’ll cover those below.

Accessing and Using a Shared Mailbox in Outlook

  1. Outlook Web App (OWA) or New Outlook:
    • Log in to OWA or the New Outlook client.
    • Right-click Folders and select Add Shared Folder or Mailbox
    • Enter the shared mailbox email address and click Add.
  2. Outlook Desktop Client (classic):
    • Click on File
    • Click on Account Settings.
    • Double-click on your account
    • From the Exchange Account Settings, click on More Settings
    • Click on the Advanced tab, and then click on Add
    • Enter the shared mailbox email address and click OK

Outlook usually auto-detects the new accounts you have full access to and automatically maps them to the associated mailbox user. So usually there is no action required from the user.

Differences between User and Shared mailboxes

A shared mailbox offers a generic email address, such as info@domain.com or sales@domain.com, that customers can write to without having to remember an individual's address. It also gives a shared email address that can be used by all users who are granted permission.

Feature               Shared Mailbox                                 User Mailbox
-------               --------------                                 ------------
RecipientTypeDetails  SharedMailbox                                  UserMailbox
License Required      No, but users accessing it require a license   Yes
Storage Allocated     50 GB                                          100 GB
Management            PowerShell and Exchange Interface              PowerShell and Exchange Interface
Authentication        No direct access                               Requires auth
Use For               Shared between users                           Individual access

To list all Exchange Online shared mailboxes, use the following PowerShell command:

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox

Granting Full Control Access To a Shared Mailbox

To grant a user full access to a shared mailbox, you can follow these steps

  1. In Exchange Online:
    • Open Exchange Online Admin Center and click on Mailboxes
    • Search for the Shared Mailbox object name and click on it
    • From the side menu, click on Delegate
    • Click on Read and Manage (Full Access)
    • Click on + Add Members to add a new member, search for the user and click Save
  2. To grant a user full access to a shared mailbox using PowerShell, use the following example:
    Add-MailboxPermission -Identity "SharedMailbox" -User "User1" -AccessRights FullAccess

You can add a User Mailbox object or a Mail Enabled Security group; adding Microsoft 365 or Distribution groups is not supported.

PS C:\> Add-MailboxPermission -Identity "MySharedMailbox1" -User "admin" -AccessRights FullAccess

Identity         User                                              AccessRights IsInherited Deny
--------         ----                                              ------------ ----------- ----
MySharedMailbox1 S-1-5-21-2846312615-335574314-3940387591-24728480 {FullAccess} False       False

Automapping the Mailbox To Users Who Have Full Control

Autodiscover auto-maps the shared mailbox MySharedMailbox1 to the delegated user admin, or to whoever has Full Control of the shared mailbox. This works as long as you add the delegated member directly to the shared mailbox permission list. If you assign the permission through Active Directory groups, the automapping feature won't work.

If you need to assign permission to a user and you don't want the shared mailbox to be discovered automatically, you can disable automapping when running Add-MailboxPermission, as in the following example:

Add-MailboxPermission -Identity "MySharedMailbox1" -User "admin" -AccessRights FullAccess -Automapping $False

Granting SendAs Permission To a Shared Mailbox

To grant a user SendAs to a shared mailbox, you can follow these steps

  1. In Exchange Online:
    • Open Exchange Online Admin Center and click on Mailboxes
    • Search for the Shared Mailbox object name and click on it
    • From the side menu, click on Delegate
    • Click on Send as
    • Click on + Add Members to add a new member, search for the user and click Save

To send emails as the shared mailbox, grant “Send As” permissions:

  1. In Exchange Online:
    • Use EAC or PowerShell to assign “Send As” permissions.
    • Example PowerShell command: Add-RecipientPermission -Identity "SharedMailbox" -Trustee "User1" -AccessRights SendAs

Identity         Trustee                              AccessControlType AccessRights Inherited
--------         -------                              ----------------- ------------ ---------
MySharedMailbox1 7e3b5368-203e-4cc2-94db-776d4b49977d Allow             {SendAs}     False

Granting the user SendAs won't allow the user to open the shared mailbox. If the user tries to access the shared mailbox, the user will get an Access Denied error.

MessageCopyForSentAsEnabled and MessageCopyForSendOnBehalfEnabled to Save a Copy of the Sent Message

When a user sends an email from the shared mailbox, the sent message is stored in the sender's Sent Items folder, not the shared mailbox's Sent Items folder. This makes it hard to track email conversations. Exchange therefore has an option to automatically copy the sent message to the shared mailbox's Sent Items folder, instead of having the message in the user's Sent Items only.

The option depends on the delegation option granted to the user:

  • SendAs: If the user was delegated the SendAs permission on the shared mailbox, use the following command: Set-Mailbox -Identity "SharedMailbox" -MessageCopyForSentAsEnabled $true
  • Send on Behalf: If the user was delegated the Send on Behalf permission on the shared mailbox, use the following command: Set-Mailbox -Identity "SharedMailbox" -MessageCopyForSendOnBehalfEnabled $true

You can validate the configuration by running

PS C:\> Get-Mailbox MySharedMailbox1 | Select-Object Name,MessageCopyForSentAsEnabled,MessageCopyForSendOnBehalfEnabled

Name             MessageCopyForSentAsEnabled MessageCopyForSendOnBehalfEnabled
----             --------------------------- ---------------------------------
MySharedMailbox1                        True                             False
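
To review the delegations covered above across all shared mailboxes, the following added example (not part of the original post) reports who holds FullAccess, SendAs and Send on Behalf on each one, and flags mailboxes where delegates can send but no copy is saved to the shared Sent Items folder. It assumes an already connected Exchange Online PowerShell session; the function name Get-SharedMailboxDelegationReport and the output column names are made up for this example.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already
# connected and the account may read mailbox and recipient permissions.
function Get-SharedMailboxDelegationReport {
    [CmdletBinding()]
    param()

    $shared = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox

    foreach ($mbx in $shared) {
        $id = [string]$mbx.PrimarySmtpAddress

        # Explicit FullAccess grants only: skip the built-in NT AUTHORITY
        # entries (such as SELF), inherited entries and Deny entries.
        $fullAccess = Get-MailboxPermission -Identity $id | Where-Object {
            $_.User -notlike 'NT AUTHORITY\*' -and
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.AccessRights -contains 'FullAccess'
        }

        # SendAs is stored separately and is read with Get-RecipientPermission.
        $sendAs = Get-RecipientPermission -Identity $id | Where-Object {
            $_.Trustee -notlike 'NT AUTHORITY\*' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRights -contains 'SendAs'
        }

        # A mailbox is flagged when someone can send from it but the matching
        # MessageCopyFor... setting is off, so the shared Sent Items folder
        # holds no record of what was sent.
        $sendAsUntracked   = ($sendAs -and -not $mbx.MessageCopyForSentAsEnabled)
        $onBehalfUntracked = ($mbx.GrantSendOnBehalfTo -and
                              -not $mbx.MessageCopyForSendOnBehalfEnabled)

        [pscustomobject]@{
            Mailbox            = $id
            FullAccess         = ($fullAccess.User | Sort-Object -Unique) -join '; '
            SendAs             = ($sendAs.Trustee | Sort-Object -Unique) -join '; '
            SendOnBehalf       = $mbx.GrantSendOnBehalfTo -join '; '
            SentAsCopy         = $mbx.MessageCopyForSentAsEnabled
            SendOnBehalfCopy   = $mbx.MessageCopyForSendOnBehalfEnabled
            SentMailNotTracked = [bool]($sendAsUntracked -or $onBehalfUntracked)
        }
    }
}

# Show the mailboxes that need attention first.
Get-SharedMailboxDelegationReport |
    Sort-Object SentMailNotTracked -Descending |
    Format-Table -AutoSize
```

Permissions granted through a mail-enabled security group appear here as the group name, so group membership has to be reviewed separately.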

Configure Permissions in Exchange Hybrid

When it comes to hybrid configuration, ADConnect plays a major role, as it's the method of pushing changes from on-premises to Exchange Online.

Always make sure that ADConnect is updated, and after each sync give it some time for the configuration to be reflected in Exchange Online.

What is ACLable

Assuming you have Exchange Server 2013 with at least CU10 or later, the only thing you might need to do to enable hybrid permissions is to enable the ACLable object sync. You must also have an Exchange Hybrid Deployment.

ACLable refers to a specific mailbox setting that allows mailboxes to participate in access control lists (ACLs) in a hybrid environment. It's crucial for hybrid deployments (on-premises and Exchange Online) to ensure proper mailbox permission functionality.

Understanding The Permission Challenge in a Hybrid Environment

Both Full Control and Send on Behalf are fully supported in a hybrid environment, and you can grant permission from Exchange Online to an Exchange on-premises object, and vice versa.

But when it comes to SendAs, ADConnect doesn't automatically sync the permission, so this kind of permission is not supported. However, SendAs will work in most scenarios if you manually add the SendAs permissions in both environments, using Exchange Management Shell for on-premises Exchange and Exchange Online PowerShell for Microsoft 365 or Office 365.

Get more information about Permission in Exchange Hybrid Deployment from Microsoft.com

Enabling ACLable and Permissions in a Hybrid Deployment

To check whether ACLable is enabled at the organization level, use the following command. It's better to enable this option at the organization level than to enable it on each user.

PS C:\> Get-OrganizationConfig | Format-Table Name,ACLableSyncedObjectEnabled

Name                   ACLableSyncedObjectEnabled
----                   --------------------------
farismalaeb.com                      False

ACLable can be enabled by using:

Set-OrganizationConfig -ACLableSyncedObjectEnabled $True

If you want to enable ACLable on a single mailbox, you can use the following:

Set-RemoteMailbox -Identity MySharedMailbox1 -ACLableSyncedObjectEnabled

Make sure to run ADSync synchronization to replicate the changes to Exchange Online.

Conclusion

In this post we took a look at how to grant permissions on an Exchange Online shared mailbox and how to manage some configuration that enhances collaboration between members. We also covered how to configure permissions in a hybrid deployment. I hope you enjoyed this post.

Looking for more things to learn about Exchange Online and PowerShell? Take a look at Handling Exchange Online Quarantine Message Using PowerShell.
