How to Grant Full Access Permissions to All Users’ Mailboxes Using PowerShell or using the GUI.

Introduction:

Microsoft has recently announced significant adjustments to Exchange Online that could potentially affect your utilization of Resource Central, Web Team Central, and Exchange Central applications. As per Microsoft's communication, effective June 2024, new allocations of the ApplicationImpersonation role will be restricted. By February 2025, this permission scope will be entirely phased out.

Here's how these changes will unfold:

• From June 2024: Editing or adding new scopes will no longer be feasible.
• Until February 2025: Existing calendar permissions will remain operational, but no further scopes can be incorporated.
• Post-February 2025: Impersonation for new resource calendars will become unattainable.

For detailed information regarding these modifications from Microsoft, please visit the Exchange Team Blog here.

To effectively address these challenges, we strongly recommend upgrading to the latest version of RealTime Service. This upgrade will facilitate a seamless transition to a full access model.

Setting Full Access Permissions with PowerShell:

1. Verify Organization Management Group Membership:
   • Before proceeding, ensure that the account used for granting permissions is a member of the Organization Management group.
   • To check membership, run: Get-RoleGroup "Organization Management" | select members.
   • If the account is not listed, add it using: Add-RoleGroupMember "Organization Management" -Member "".
2. Granting Full Access Permissions on all mailboxes in the tenant:
   • Use the following Exchange management PowerShell command:

   • Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User admin@example.com -AccessRights fullaccess -InheritanceType all -AutoMapping:$false

   • This PowerShell command gets all user mailboxes except for the one with the alias 'Admin', then grants full access permission to the mailbox 'admin@example.com', with inheritance set to all and auto-mapping disabled.
   • Explanation:             
     • Replace with the desired user account.
     • The -AutoMapping:$false parameter prevents Outlook from auto-mapping all mailboxes, thus enhancing performance.
     • Official Microsoft documentation

   • Adding Full Access Permissions to a Single Mailbox:

     If you want to add Full Access permissions to a single mailbox (e.g., user@example.com), simply use the following syntax:

     Add-MailboxPermission -Identity 'user@example.com' -AccessRights FullAccess -InheritanceType all -AutoMapping:$false

     
     
3. Additional Parameters and Permissions:
   • To assign other permission types, replace FullAccess with the desired permission name in the -AccessRights parameter. Valid options include ChangeOwner, ChangePermission, DeleteItem, ExternalAccount, and ReadPermission.
   • Limiting the Number of Mailboxes: If you want to limit the number of mailboxes you assign permissions to, you can:             
     • Change the arguments used in the -Filter parameter, for example, add another condition to the already specified, like -and (City -eq 'Berlin').
     • Use Get-DistributionGroupMember instead of Get-Mailbox before the pipeline (separator, |) symbol.

Alternative Methods:

• Exchange Management Console (EMC): For older Exchange versions, EMC can be used, but it's discouraged due to limitations, including the inability to disable auto-mapping.
• Office 365 Admin Center (GUI):
  1. Navigate to the Office 365 Admin Center.
  2. Access User Management and select the desired user.
  3. Navigate to "Mail settings" or "Mailbox permissions."
  4. Edit permissions and grant access using the "Add permissions" option.

Considerations:

• Compatibility: Ensure the selected method is compatible with your Exchange version or Office 365 environment.
• Auto-Mapping: Disabling auto-mapping is recommended to prevent performance issues, particularly in large environments.