Forum Discussion

waihislam's avatar
waihislam
Copper Contributor
Mar 20, 2023

How to give access to calendar of all users for service account, but restrict access for mailbox

We have service account that has access to all users's calendar, we found out that it also has full access to mailbox (read, send e.t.c). How to restrict rights for mailbox ?
Service account need to only read, create calendar items for all users. 

  • Hi waihislam,

     

    In order to remove the Full Access that your service account has over the mailboxes you can run:

     

    Get-Mailbox -ResultSize Unlimited | Remove-MailboxPermission -User "your service account" -AccessRights FullAccess -Confirm:$false

     

    And to add the required permissions over all the mailboxes calendar folder you can try this script:

     

    $Users=Get-Mailbox -ResultSize Unlimited
    $Permission = "Contributor"
    foreach ($User in $Users) {
    $Cal = $User.Identity.ToString() + ":\Calendar"
    Add-MailboxFolderPermission -Identity $Cal -User "your service account" -AccessRights Contributor -Confirm:$false }

    NOTE: Remember to add your service account to the script. If a permissions entry already exists for it, you'll need to change the "Add-MailboxFolderPermission" to "Set-MailboxFolderPermission".

     

    This is a easy one. You can build one more complete, ( with different Calendar names in the case your users have different languages... Check if the entry already exists and run the "Set" automatically, etc... ), with the help of this article:

     

    Set default calendar permissions for all users with PowerShell - ALI TAJRAN

     

    Regarding the permissions level, I'll say "Contributor" is what you need. But anyway see the differences below:

     

     

    Hope this helps.

     

  • Dan_Snape's avatar
    Dan_Snape
    Steel Contributor
    You can use the add-mailboxfolderpermission cmdlet to give a user access to the calender only:
    Add-MailboxFolderPermission -Identity <mailbox>:\Calendar -User <user requiring access> -AccessRights Editor
    You'll need to check the actual "AccessRights" the user will need

Resources