Monitor Mailbox Folder Permission Changes in Exchange Online

Native Solution

Microsoft 365 Permission Required

High

Global Admin, Exchange Admin, or any other privileged admin role.

Option 1 Using Microsoft Purview Portal

Navigate to the Audit section in the Microsoft Purview portal.
Customize the date and time range if required. Then, enter the following operations in the Activities - operation names field as comma-separated values.
AddFolderPermissions, ModifyFolderPermissions, RemoveFolderPermissions, Add-MailboxFolderPermission, Set-MailboxFolderPermission, Remove-MailboxFolderPermission
Click the Search button and wait for the search to be completed.
After the search completion, you can see who changed folder permissions in Exchange Online.
Use the Export option to download the mailbox folder permission changes report for offline access.

Option 1 Using Windows PowerShell

Execute the below cmdlet to connect to the Exchange Online PowerShell.
Windows PowerShell
```
 Connect-ExchangeOnline
```
Run the following command with the appropriate start and end date to check mailbox folder permission changes over a period.

Windows PowerShell

 Search-UnifiedAuditLog -StartDate <MM/DD/YYYY> -EndDate <MM/DD/YYYY> -Operations AddFolderPermissions, ModifyFolderPermissions, RemoveFolderPermissions, Add-MailboxFolderPermission, Set-MailboxFolderPermission, Remove-MailboxFolderPermission | Format-Table

AdminDroid Solution

More than 150 reports are under free edition.

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

Open the AdminDroid Office 365 Reporter.
Navigate to Audit»Exchange»Mailbox Permission Changes»Folder Permissions report to track the mailbox folder permission changes and their details.

This report enables you to audit mailbox folder permissions with details like mailbox folder names, who changed the permission, who got access, etc.

Customize the graphical representation chart to visualize the number of Exchange Online folder permission changes that have taken place in various mailbox folders of a user.

Explore a full range of reporting options

Optimize your mailbox folder permission auditing!

AdminDroid provides detailed Exchange mailbox permission auditing with unmatched precision. Harness its capabilities to detect and manage every folder permission change effortlessly.

Witness the report in action using the

Live Demo

Important Tips

Instead of granting full access permission to a mailbox having critical folders, grant access rights only to the required folders to avoid unauthorized sharing of confidential folders.

Configure multi-factor authentication to mailbox folder delegates for enhancing security and prevent any unauthorized access of mail items.

Remember that whenever you create subfolders within a mailbox folder, existing users who have access to the parent folder automatically gain access to the subfolders.

Exchange OnlineEffortlessly Manage Mailbox Folder Permissions Access Rights in Microsoft 365

Showing 1 of 6

What is the difference between mailbox permission and mailbox folder permission in Exchange Online? What are the permission types for mailbox folders? How to get mailbox folder permissions in Exchange Online? How to give folder permissions in Microsoft Outlook? How to access someone else's folder in Outlook? How to manage calendar permissions in Microsoft 365?

What is the difference between mailbox permission and mailbox folder permission in Exchange Online?

In Exchange Online, mailbox permissions and folder permissions determine how users can access and use mailbox contents. Here's a breakdown of the differences between mailbox permissions and mailbox folder permissions.

Mailbox Folder Permissions in Exchange Online

Scope of access: With mailbox folder permissions, users can access and manage mail content within specific folders or subfolders.

Who can manage folder permissions: Users can configure mailbox folder permissions via the Outlook client applications, and admins can do it using PowerShell.

For example, when an employee leaves the organization, share the Inbox and Sent Items folders with another user and grant the Owner permission. This allows the user to access only the emails sent or received by the employee.

Mailbox Permissions in Exchange Online

Scope of access: Mailbox permissions allow delegated users to send emails or access the entire mailbox, including all folders and mailbox items.

Who can manage mailbox permissions: Exchange Online mailbox permissions can be configured and managed by admins using the Exchange admin center or PowerShell.

For example, when an employee is on long-term leave, give mailbox permissions to another user in Office 365 with Full Access and Send As permission. This allows the user to access the employee's entire mailbox contents and send emails from their mailbox.

While users with full access permission can change any mailbox folder permissions, it is important to frequently check the mailbox permissions assigned to a user.

In order to find all the users who have access to a mailbox, we’ve compiled a complete guide on how to export mailbox permission reports.

Here’s a quick snapshot of what the guide provides!

Below are the key methods outlined in the guide to help you retrieve mailbox permissions for all users.

Using Exchange admin center: It explains how to identify users with Full Access, Send As, and Send on Behalf permissions using EAC.
Using Windows PowerShell: For more detailed insights on mailbox permissions across all users, it offers respective PowerShell cmdlets and a script.
Using AdminDroid: It provides the mailbox permission report detailing the user's access rights with extensive options like export, advanced scheduling, etc.

What are the permission types for mailbox folders?

Mailbox folder permissions in Exchange Online can be set to grant various access rights, defining exactly what actions users can perform within the folders. These mailbox folder access rights range from viewing content to managing emails. Refer to the following table to see detailed folder permissions.

In addition to these, users can also set and use custom permission levels that allows them to combine read, delete, and edit access according to their specific requirements.

Monitoring these permissions is crucial for maintaining data security and compliance. However, relying on native reporting methods doesn’t provide a straightforward approach or a detailed overview of all mailbox folder permission changes. To overcome these limitations, AdminDroid simplifies tracking folder activities with a clear view of all changes and who made them.

The Mailbox Folder Changes report from AdminDroid helps Microsoft 365 admins to identify all the mailbox folder activities including the permission changes.

This report helps you observe the mailbox folder operations performed, the folders involved during the changes, and the permissions that were granted or removed.
Filter the report based on the performed operation, performed by, mailbox folders, etc., to get your desired filtered results.

Handy Tip: You can use the Export option to download the filtered report in your desired format (CSV, XLS, PDF, etc.) for offline access.

How to get mailbox folder permissions in Exchange Online?

Microsoft 365 users can view their mailbox folder permission levels through the Outlook client. Additionally, Exchange Online provides admins with the authority to get users' mailbox folder permissions using PowerShell for enhanced governance. Follow the steps outlined below to get mailbox folder permission in Exchange Online using PowerShell and Outlook.

Get mailbox folder permission using Outlook

Refer to the steps below to find mailbox folder permissions in your mailbox or in a mailbox where you’ve been granted delegated access.

Login to your Microsoft 365 Outlook account.
Under the Folder list, click on the ellipsis associated with the folder you want to view permissions.
Choose the Sharing and permissions option.
Here you can view the permission of the respective mailbox folder.

Get mailbox folder permissions using PowerShell

As an admin, you must use Exchange Online PowerShell to get the mailbox folder permissions since this cannot be viewed using the admin centers.

Execute the following cmdlet to find the Exchange Online folder permissions for a specific folder within a mailbox.
```
Get-MailboxFolderPermission -Identity <Mailbox UPN>:\<Folder Path>
```
Run the following cmdlet to identify the permission assigned to a specific user for a specific mailbox folder.
```
Get-MailboxFolderPermission -Identity <Mailbox UPN>:\<Folder Path> -User <Delegated User’s UPN>
```

Note: Replace <Mailbox UPN> with the mailbox owner's email address, <Folder Path> with the folder's path, and <Delegated User’s UPN> with the email address of the delegated user.

How to give folder permissions in Microsoft Outlook?

In Outlook, you can set mailbox folder permissions to grant access to other users. Here's how to share a mailbox folder with another user.

Login to your mailbox via Outlook on the web.
Under the Folder list, click the ellipsis (...) associated with the desired folder you want to share.
Choose the Sharing and permissions option.
Click on the plus (+) icon on the top, enter the name or UPN of the respective users in the Add permissions dialog box, and click the Add button.
Select the respective permission from the Permission level drop-down and click the OK button.

Grant mailbox folder permissions using PowerShell

If you’re an admin you can share user's mailbox folders using PowerShell cmdlets such as Add-MailboxFolderPermission or Set-MailboxFolderPermission.

You might wonder about ‘what is the difference between Add and Set cmdlet?’ If so, the distinction is that Set-MailboxFolderPermission modifies existing mailbox folder permissions, while the Add-MailboxFolderPermission assigns new permissions.

To add the mailbox folder permission for a particular user, execute the cmdlet below.

Add-MailboxFolderPermission -Identity <Mailbox UPN>:\<Folder Path> -AccessRights <Access Rights> -User <Delegated User’s UPN>

To change the mailbox folder permission rights for a delegated user, run the cmdlet below.

Set-MailboxFolderPermission -Identity <Mailbox UPN>:\<Folder Path> -AccessRights <Access Rights> -User <Delegated User’s UPN>

To remove the mailbox folder permission for a specific user using PowerShell, execute the following command.
```
Remove-MailboxFolderPermission -Identity <Mailbox UPN>:\<Folder Path> -User <Delegated User’s UPN>
```

How to access someone else's folder in Outlook?

Users with folder permissions in Microsoft 365 can access another user's mailbox folders using Outlook clients. For accessing another person's folder(s) using Outlook on the web, follow these straightforward steps.

Login to your Outlook account in your preferred browser.
Click the ellipsis on the Folders tab and choose the Add shared folder or mailbox option.
Enter the email address of the mailbox folder to which you have access and click the Add button.
Now, a folder group displaying the user's name will be created with the list of their mailbox folders you can access.

While users with mailbox folder permissions can access other users’ folders, remember that those with broader mailbox access can view and use entire mailboxes.

In such scenarios, AdminDroid’s Mailbox Non-owner Access report helps to identify the user who accessed other users' mailboxes.

This report offers detailed insights such as when the mailbox was accessed, the user who accessed it, the operation performed, client IP, and more.
Identifying unauthorized access to a mailbox by a user becomes simple with the help of this report.

Handy Tip: Schedule this non-owner mailbox access report to receive timely email notifications about who accessed which mailboxes in Microsoft 365.

How to manage calendar permissions in Microsoft 365?

Calendars in Outlook are essential for scheduling and visualizing meetings or events. Similar to mailbox folders, calendar folders can also be shared with other users to coordinate schedules and prevent conflicts. To enable this, calendar permissions can be managed through the Outlook client or PowerShell, offering flexibility in controlling access. Here's how to manage calendar permissions in Exchange Online.

Share your calendar using Outlook on the web

Login to Outlook on the web and navigate to the Calendar tab.
Click on the ellipsis (...) button associated with your calendar and select the Sharing and permissions option.
Enter the UPN of the user to whom the calendar is going to be shared.
Select the appropriate permission level you want to grant and click the Share button to share the calendar with the selected user.

Access other user's calendars via Outlook (web version)

Navigate to the Calendar tab in the Outlook web version and go to the Add calendar section.
Click on the Add from directory tab.
Select your Microsoft 365 account from the ‘Please select an account to search from’ drop-down.
Then, enter the email address of the user for whom you have permission.
Select the calendar group from the Add to drop-down and click on the Add option.

Manage calendar permissions in Office 365 using PowerShell

While calendar permissions cannot be managed directly from any native admin centers, admins can utilize Exchange Online PowerShell to handle them. By default, any user can view other internal users’ calendars with the AvailabilityOnly scope, which shows whether the calendar owners are free/busy.

To view the default calendar permissions for a mailbox, run the following cmdlet.
```
Get-MailboxFolderPermission -Identity <Mailbox UPN>:\Calendar -User Default
```
To change default calendar permissions for a mailbox to allow all other users to view the calendar schedule with the event's subject and location, use the following cmdlet.
```
Set-MailboxFolderPermission -Identity <Mailbox UPN>:\Calendar -User Default -AccessRights LimitedDetails
```

To view specific user’s calendar access rights, run the following command.

Get-MailboxFolderPermission -Identity <Mailbox UPN>:\Calendar -User <Delegated User’s UPN>

To modify a specific user's calendar access rights, use the following cmdlet.

Set-MailboxFolderPermission -Identity <Mailbox UPN>:\Calendar -User <Delegated User’s UPN> -AccessRights <LimitedDetails or AvailabilityOnly>

To remove calendar permissions using PowerShell, execute the following command.

Remove-MailboxFolderPermission -Identity <Mailbox UPN>:\Calendar -User <Delegated User’s UPN>

AdminDroid Exchange Online ReporterAudit Microsoft 365 mailbox folder permissions to prevent unauthorized sharing!

AdminDroid’s Exchange Online auditing tool allows tracking of the mailbox folder permission changes made by different admins and users. These reports help identify unnecessary mailbox folder privileges and prevent sensitive information from being accessed by unauthorized users.

Distinctive features of AdminDroid that help to audit mailbox folder permissions!

By looking at the insights from AdminDroid’s mailbox folder permission reports, you can decide whether to revoke access or provide additional mailbox folder permission. They provide detailed information, including the user's IP address, the user who performed the action, the timestamp of the operation, etc.

A Quick Summary

Real-Time Alerts for Mailbox Folder Permission Changes

Automatically receive instant notifications using the AdminDroid alerting feature whenever there are modifications in mailbox folder permissions.

Delegated Access to Exchange Online Insights

Assign a user as the Exchange Administrator in AdminDroid to grant access to all mailbox permission reports and other Exchange Online insights using the delegation role feature.

Easily Monitor Mailbox Permission Changes

While users with delegated access to a mailbox can also change mailbox folder permissions, AdminDroid helps effectively audit mailbox permission changes to prevent unwanted modifications.

Schedule Mailbox Folder Permission Changes Report

Schedule the mailbox folder permission changes report using the AdminDroid scheduling feature to receive timely insights daily, weekly, or monthly.

Slice and Diced Info on Mailbox Folder Sharing

Refine the EXO folder permission changes report with the advanced filtering feature to extract specific information tailored to your needs.

Comprehensive Public Folder Permission Tracking

Gain insight into Exchange Online public folder changes to track activities such as addition, modification, and removal of public folders.

Overall, AdminDroid’s Exchange Online management tool helps to check folder permission change activities in Microsoft 365 mailboxes. It enables quick identification of unauthorized access, removal of unnecessary permissions, and modifications to mailbox folder permissions, safeguarding sensitive mailbox data.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps When Managing Mailbox Folder Permissions in Microsoft 365

Below are potential errors and troubleshooting tips you might encounter when handling Exchange Online mailbox folder permission modifications.

Error: Can’t complete your request. Your request couldn’t be completed. Please try again later.

This error occurs in Outlook web version when you mistakenly attempt to add your own mailbox or a mailbox that is not found within your organization to the mailbox folder list.

Troubleshooting hint :Enter the correct mailbox UPN to which you have been granted permission.

Error: Microsoft.Exchange.Management.StoreTasks.UserNotFoundInPermissionEntryException|There is no existing permission entry found for user: 'X'.

This error arises in PowerShell when attempting to remove or modify folder permissions that haven't been granted to a specific user.

Troubleshooting hint :Double-check the delegated user's email address and verify the permission settings to resolve the issue.

Error: Microsoft.Exchange.Management.StoreTasks.UserAlreadyExistsInPermissionEntryException|An existing permission entry was found for user: 'X'.

This error occurs in PowerShell when attempting to modify a user to a permission entry that already exists in the mailbox folder using the Add-MailboxFolderPermission cmdlet.

Troubleshooting hint :Use the Set-MailboxFolderPermission cmdlet to modify the existing folder permission.

Set-MailboxFolderPermission -Identity <Mailbox UPN>:\<Folder Path> -AccessRights <Access Rights> -User <Delegated User’s UPN>

Error: Can’t Complete your request. You might not have permission to perform this action.

This error occurs in Outlook on the web when you try to access a mailbox folder without permission or after the permission has been revoked.

Troubleshooting hint :Contact the respective mailbox owner or your administrator to verify and grant the necessary permissions.

Error: Search results might be impacted by audit log retention policies. Activities that happened over 180 days ago will only show up in results for users who have licensing for long-term audit log retention.

This error occurs for Microsoft Purview Audit (Standard) users when the specified time range exceeds 180 days.

Troubleshooting hint :In the Microsoft Purview compliance portal, choose a time range within 180 days. Although many tenants support exporting audit data for up to one year, consider utilizing PowerShell as an alternative.

Error: Cannot process argument transformation on parameter 'StartDate'. Cannot convert value "30/02/2024" to type "Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String '30/02/2024' was not recognized as a valid DateTime.

This error occurs due to an incorrect date format entry in PowerShell.

Troubleshooting hint :Input the date in the format MM/DD/YYYY.

Delivering Reports on Time

Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid’s Scheduling to your email anytime you need.

Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add intelligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.

Set It, Schedule It, See Results - Your Reports, Your Way, On Your Time!

Time Saving Automation Customization Intelligent Filtering

Give Just the Right Access to the Right People

Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.

Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.

Align, Define, Simplify: AdminDroid's Granular Delegation

Smart Organizational Control Effortless M365 Management Simplified Access

Advanced Alerts at a Glance

Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.

Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.

AdminDroid Keeps You Always Vigilant, Never Vulnerable!

Proactive Protection Real-time Monitoring Security Intelligence Threat Detection

Merge the Required Data to One Place

Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.

This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.

Merge with Ease and Save as Views!

Custom Reporting Unique View Desired Columns Easy Data Interpretation

Insightful Charts and Exclusive Dashboards

Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.

With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.

Explore Your Microsoft 365 Tenant in a Whole New Way!

Executive overviews Interactive insights Decision-making Data Visualization

Efficient Report Exporting for Microsoft 365

Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.

Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.

Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!

Easy Export Seamless Downloading Data Control Manage Microsoft 365

How to Find Who Changed Mailbox Folder Permissions in Exchange Online