Mailbox Permissions with PowerShell
This guide explains how to grant Send on Behalf permissions to a group of users in Exchange Online using PowerShell.
In this example, we grant Send on Behalf permissions to all active users in the Marketing Department for the mailbox mktg.update@your-mailbox.com.
Prerequisitesβ
Before running the script, ensure you have:
-
Exchange Online PowerShell Module
Install or update the module:Install-Module ExchangeOnlineManagement -Scope CurrentUser
Update-Module ExchangeOnlineManagement -
Permissions
You need appropriate admin rights in Exchange Online (e.g., Organization Management role).
Script Breakdownβ
Hereβs a breakdown of each command so you know exactly what it does and why itβs important. You can also see the full-script
Connect to Exchange Onlineβ
Establishes a secure session with Exchange Online using your admin account.
Connect-ExchangeOnline -UserPrincipalName Your.Name@your-mailbox.com
Define Target Mailboxβ
Stores the mailbox name in a variable for easy reuse.
$targetMailbox = "mktg.update@your-mailbox.com"
Get Current Delegatesβ
Retrieves existing Send on Behalf delegates for the target mailbox.
$currentDelegates = (Get-Mailbox -Identity $targetMailbox).GrantSendOnBehalfTo
Filter Users by Departmentβ
Pulls all active user mailboxes from specified departments.
$users = Get-User -ResultSize Unlimited | Where-Object {
($_.Department -eq "Marketing" -or $_.Department -eq "Mktg") -and $_.RecipientTypeDetails -eq "UserMailbox"
}
Add Delegates if Missingβ
Loops through each user:
- Adds them as a delegate if not already present.
- Handles errors gracefully with
try/catch.
foreach ($user in $users) {
if ($currentDelegates -notcontains $user.Identity) {
try {
Set-Mailbox -Identity $targetMailbox -GrantSendOnBehalfTo @{Add=$user.Identity}
Write-Host "Added $($user.DisplayName) as Send on Behalf delegate."
} catch {
Write-Warning "Failed to add $($user.DisplayName): $_"
}
} else {
Write-Host "$($user.DisplayName) already has Send on Behalf permission."
}
}
Disconnect Sessionβ
Closes the session without prompting for confirmation.
Disconnect-ExchangeOnline -Confirm:$false
Troubleshooting Tipsβ
| Issue | Possible Cause | Fix |
|---|---|---|
| Module not found | ExchangeOnlineManagement module not installed | Run Install-Module ExchangeOnlineManagement |
| Authentication fails | MFA or wrong UPN | Use an account with proper permissions and MFA support |
| User not found | Department name mismatch | Verify department names in Azure AD |
| Permission denied | Insufficient admin rights | Ensure you have Organization Management role |
| Script runs but no changes | Users already have permissions | Check $currentDelegates before adding |
Full Scriptβ
Show Entire Code
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName Your.Name@your-mailbox.com
# Define target mailbox
$targetMailbox = "mktg.update@your-mailbox.com"
# Get current Send on Behalf delegates
$currentDelegates = (Get-Mailbox -Identity $targetMailbox).GrantSendOnBehalfTo
# Get active users from departments "Marketing" and "Mktg"
$users = Get-User -ResultSize Unlimited | Where-Object {
($_.Department -eq "Marketing" -or $_.Department -eq "Mktg") -and $_.RecipientTypeDetails -eq "UserMailbox"
}
# Loop through each user and add if not already a delegate
foreach ($user in $users) {
if ($currentDelegates -notcontains $user.Identity) {
try {
Set-Mailbox -Identity $targetMailbox -GrantSendOnBehalfTo @{Add=$user.Identity}
Write-Host "Added $($user.DisplayName) as Send on Behalf delegate."
} catch {
Write-Warning "Failed to add $($user.DisplayName): $_"
}
} else {
Write-Host "$($user.DisplayName) already has Send on Behalf permission."
}
}
# Disconnect session
Disconnect-ExchangeOnline -Confirm:$false
Related Commandsβ
-
Remove a delegate:
Set-Mailbox -Identity $targetMailbox -GrantSendOnBehalfTo @{Remove="user@domain.com"}