How to give access to calendar of all users for service account, but restrict access for mailbox

We have a service account that has access to all users' calendars; we found out that it also has full access to the mailbox (read, send, etc.). How do we restrict its rights on the mailbox?
The service account only needs to read and create calendar items for all users.

3 Replies
In our company we use on-premise Outlook + EWS + a custom service to read calendars.
I want to know what permissions we should set for our service account.
The service account needs to read the calendars of all users and create events. But no mailbox access.

You can use the Add-MailboxFolderPermission cmdlet to give a user access to the calendar only:
Add-MailboxFolderPermission -Identity <mailbox>:\Calendar -User <user requiring access> -AccessRights Editor
You'll need to check the actual "AccessRights" the user will need.

Hi @waihislam,

In order to remove the Full Access that your service account has over the mailboxes you can run:

Get-Mailbox -ResultSize Unlimited | Remove-MailboxPermission -User "your service account" -AccessRights FullAccess -Confirm:$false

And to add the required permissions over all the mailboxes' calendar folders you can try this script:

$Users = Get-Mailbox -ResultSize Unlimited
$Permission = "Contributor"   # access role to grant on each calendar folder
foreach ($User in $Users) {
    # Build the folder identity in the form <mailbox>:\Calendar
    $Cal = $User.Identity.ToString() + ":\Calendar"
    Add-MailboxFolderPermission -Identity $Cal -User "your service account" -AccessRights $Permission -Confirm:$false
}

NOTE: Remember to add your service account to the script. If a permissions entry already exists for it, you'll need to change "Add-MailboxFolderPermission" to "Set-MailboxFolderPermission".

This is an easy one. You can build a more complete one (with different Calendar names in case your users have different languages, a check for whether the entry already exists that runs the "Set" automatically, etc.) with the help of this article:

Set default calendar permissions for all users with PowerShell - ALI TAJRAN

Regarding the permission level, I'd say "Contributor" is what you need. But anyway, see the differences below:

FcoManigrasso_0-1679396556606.png

Hope this helps.
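
The more complete variant the reply above describes (calendar folders with localized names, "Set" when an entry already exists), combined with the FullAccess removal, as an added example that is not code from the thread or the linked article. The account name is a placeholder and the role defaults to the "Contributor" named in the thread.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
$ServiceAccount = 'CONTOSO\svc-calendar'   # placeholder account name
# Role named in the thread. Contributor is CreateItems + FolderVisible only; pick a role
# that includes ReadItems (for example Author) if the service must read existing entries.
$Role = 'Contributor'

$results = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $address = $mbx.PrimarySmtpAddress.ToString()

    # 1. Remove explicit FullAccess. Inherited grants cannot be removed per mailbox,
    #    so they are only reported and must be fixed where they are defined.
    $full = @(Get-MailboxPermission -Identity $address -User $ServiceAccount -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains 'FullAccess' })
    $explicit  = @($full | Where-Object { -not $_.IsInherited })
    $inherited = @($full | Where-Object { $_.IsInherited })
    if ($explicit.Count -gt 0) {
        Remove-MailboxPermission -Identity $address -User $ServiceAccount -AccessRights FullAccess -Confirm:$false
    }

    # 2. Find the default calendar by folder type, so localized names (Kalender, Calendrier, ...) resolve.
    $calendar = Get-MailboxFolderStatistics -Identity $address -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
    if (-not $calendar) {
        [pscustomobject]@{ Mailbox = $address; Folder = $null; Action = 'NoCalendarFound'
                           RemovedFullAccess = ($explicit.Count -gt 0); InheritedFullAccess = ($inherited.Count -gt 0) }
        continue
    }
    $folderId = "${address}:\$($calendar.Name)"

    # 3. Update the entry if the account already has one, otherwise create it.
    $existing = Get-MailboxFolderPermission -Identity $folderId -User $ServiceAccount -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $folderId -User $ServiceAccount -AccessRights $Role
        $action = 'Set'
    } else {
        Add-MailboxFolderPermission -Identity $folderId -User $ServiceAccount -AccessRights $Role | Out-Null
        $action = 'Add'
    }
    [pscustomobject]@{ Mailbox = $address; Folder = $calendar.Name; Action = $action
                       RemovedFullAccess = ($explicit.Count -gt 0); InheritedFullAccess = ($inherited.Count -gt 0) }
}

# 4. Review: rows with InheritedFullAccess = True or Action = NoCalendarFound still need attention.
$results | Sort-Object Action, Mailbox | Format-Table -AutoSize
```

Adding -WhatIf to the Remove, Set and Add calls previews the changes before anything is modified.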