Restrict users from deleting emails in Shared Mailbox

Brass Contributor

Hi team,

 

is there a way to restrict ppl from deleting emails in a shared mailbox? We are using Exchange Online.

27 Replies
You can use folder-level permissions for that. If you are using Full Access, there is no way to restrict deleting.
is there any guide about how to utilize folder-level permission? Have no idea aobut how to do it :) ...I can remove full access if required.
Right-click on a folder > Properties > Permissions :) If you want to automate things, use PowerShell and the Add-MailboxFolderPermission cmdlet: https://docs.microsoft.com/en-us/powershell/module/exchange/add-mailboxfolderpermission?view=exchang...
ideally I do it via GUI and so.... Not good with PowerShell :)

Folder - should I do it in Outlook? ... I mean... right-click on Inbox folder of shared mailbox and do it there?

How do I remove full access please? Should I remove delegates in EAC?
You can do it in both Outlook or OWA, although if you want to grant Calendar permissions, only Outlook exposes them. For full access, use the EAC or PowerShell.
thanks Vasil for being patient with me :).... One last question I hope - how to remove full access via EAC? Are we talking about removing users from Delegation -> Read/Manage?
Yes, that's how it's shown in the EAC.
cool... that seems to be working..... I've set permission on "Inbox" folder to reviewer in that mailbox and seems to be working fine. Just looks that it does not apply to subfolders..... so would need to manually change permissions for each manually.... For emails stored directly in INBOX, it works fine and cannot delete emails anymore
Yes, you need to configure permissions on each folder individually. Here's a script that can automate the process: https://www.michev.info/Blog/Post/2063/managing-mailbox-permissions-on-the-folder-level-in-bulk
well... so when I rmeoved from Delegation ->Read/Manage (to modify full access) and added reviewer for the testuser on Inbox directly.... The shared mailbox disappeared...... So looks like the Delegation can't be removed like that :\
That's expected, you need to add the mailbox manually, only Full access permissions will result in auto-magically appearing in the list.

ok... so I've tested a little bit and here is the result...

I have used outlook and EAC and tried to follow the steps.... Avoiding powershell for now :) ... Below is what I've done and result:

 

  • I have removed testuser from "Read & Manage" delegation and kept in "Sent as" via EAC for shared folder
  • In outlook, I've modified I've changed permission to REVIEWER on INBOX in that shared mailbox

Result:

  • when kept outlook openend, after a while the persmissions were applied and I could not delete emails. When I checked permissions they were greyed out and were showing Reviewer, so looked nice. 
  • When did restarting outlook, shared maiblox disappeard after a while. So I've added it manually via account/email/more and advanced. The shared mailbox was added BUT I can not expand even to see inbox. I get message "Cannot expand the folder"

:\

You need to add at least "Folder visible" permissions on each folder in the path, including the Root one (the one with the shared mailbox address).
cool.... You were right, ... the problem was with subfolders... When I created a test shared mailbox with Inbox only and no subfolders, it was working fine.... :)
Please, if you can tell me next:
I'm using Office 365 online, and i want to create one shared mailbox for many users.
I want that nobody can delete nothing from Inbox and sub folders.
So my question is this:
1. When new shared mailbox is created, does it have to have some user in members area?
2. I did removed everybody through EAC from members list, and accessed shared mailbox through web, and gave a user A permission of "Reviewer" and nothing happens, when i try to open shared mailbox with that user A, it shows an error message.

Hi @Josipakd .... will share my story with you ;)

 

I could not achieve what I needed using EAC and Outlook to specify Reviewer for users - not sure what I was doing wrong but it was driving me crazy for several days.... So I gave up and eventually, I decided to try that "powershell way" and was really easy and works nicely... Have no problem with adding users to shared mailboxes and restrict "delete" for them... The only annoying thing is that you need to specify all folders you want to set the restrictions for

 

See my template that I use:

Add-MailboxPermission -Identity YourSharedMailboxEmail -User 'YourUserEmail' -AccessRights ReadPermission

 

Add-MailboxFolderPermission -Identity MailboxName:\ -User YourUserEmail -AccessRights Reviewer
Add-MailboxFolderPermission -Identity MailboxName:\Inbox -User YourUserEmail -AccessRights Reviewer
Add-MailboxFolderPermission -Identity MailboxName:\Outbox -User YourUserEmail -AccessRights Reviewer
Add-MailboxFolderPermission -Identity MailboxName:\'Sent Items'-User YourUserEmail -AccessRights Reviewer
Add-MailboxFolderPermission -Identity MailboxName:\'Junk Email' -User YourUserEmail -AccessRights Reviewer

 

  • "YourSharedMailboxEmail" will be email address of your shared mailbox (e.g. ITstuff_at_domain.com)
  • "MailboxName" will be the name of yout shared mailbox (e.g. "ITStuff")

 

Once done the above, you will then manually add the shared mailbox for required users:

  • in Outlook, go to Account -> open user account -> More Settings -> Advanced -> add your shared mailbox into the Mailboxes field.

 

This way, the user will see ONLY the folders mentioned above and will not be able to delete emails etc...

 

 

Hello, thank you for your template, i'll imediatelly try it.

But, i have one question, when i create shared folder, should i put in memebers list admin user, so he can give rights to users who need read access to shared mailbox.
And, second one, i need to toggle, for each user same template?
yes... you need to run those commands for every user you want to add...

About "shared folder".... are you talking about Outlook Web? If so, I'm not sure as I do not use it... But I would say you do not need to add any members etc... as you will specify the members via powershell... But again - not sure as have not used it.... Test it and let us know... I'm quite curious if it will work :)

@MiSum83 

Hello,

for some reason i can't add that shared mailbox to outlook on pc. And when i try to do samthing on outlook for web, this error comes up.

Script went ok. I had, one error on sent folder permission applying.

Josipakd_0-1694036535897.png