Apr 10 2018 09:05 AM
Apr 10 2018 09:05 AM
Is there a way to share a mailbox with another user via Add-MailboxPermission, and still keep a specific folder private?
Explanation:
I have a customer who has chosen to let each user see each other users mailbox (this is unusual, but that's the way the customer wants it). So far, they have achieved this by manually adding each user to the local Outlook profile setting "open additional mailbox".
This is a nightmare on the IT management side and has interestingly also led to duplicate folders and calendars and some unexplainable access issues. Some users might see messages and folders, others might not, althouh they have teh same settings...
Anyway, I believe that sharing the mailboxes on Office 365 level (Add-MailboxPermission) is the better solution. Automapping will do the rest and IT does not have to touch the clients.
There is one issue with that, and this is the question. (Bob is sharing, Peter is accessing)
If I use the "open additional mailbox" approach, the owner of the mailbox (Bob) can easily deny access to a certain folder (i.e. \Inbox\private-stuff) by right-click and setting access permissions to {none}. At the end, Bob had to first add permissions for Peter to access his mailbox by basically the same right-click method ({Reviewer} in this case).
Yet, if I instead share Bob's mailbox to Peter with Add-MailboxPermission, the same will not work since each folder remains with the permissions Standard {none} and Anonymous {none}:
PS C:\> Get-MailboxFolderPermission Bob:\Inbox\private-stuff
FolderName User AccessRights SharingPermissionFlags
---------- ---- ------------ ----------------------
private-stuff Standard {None}
private-stuff Anonym {None}
The following cmdlet will fail with something like "[Set-MailboxFolderPermission], UserNotFoundInPermissionEntryException":
PS C:\> set-MailboxFolderPermission Bob:\Inbox\private-stuff -User Peter - AccessRights none
You get the picture..
So, if I share Bob's mailbox with Add-MailboxPermission, is there another way to prevent Peter to access "private-stuff"?
Thanks
Daniel
Apr 10 2018 09:13 AM
Apr 10 2018 09:13 AM
Apr 10 2018 11:57 AM
Nope. Full Access means Full access. Period.
Apr 11 2018 01:58 AM
Thanks Vasil,
So when wanting to share a mailbox and keep a certain folder still private, is there another server based method? Or do we have to keep using "open additional mailbox" in Outlook?
Daniel
Apr 11 2018 08:59 AM
The permissions are more important here, not the way you open the mailbox in Outlook. If you have Full access, any and all folders will be exposed and accessible for that user.
Apr 11 2018 10:05 AM
Then I see only the method of "open an additional mailbox" on the client. That way I can specifically assign permissions to each shared folder.
But in the meantime I am running into the 500 folder limit of Outlook 2016 anyway. I guess the unreliability of the customer's setup is rather based on that limit.
Daniel