Set-MailboxFolderPermission  
	This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings might be exclusive to one environment or the other.
Use the Set-MailboxFolderPermission cmdlet to modify folder-level permissions for users in mailboxes. This cmdlet differs from the Add-MailboxFolderPermission cmdlet in that it modifies existing permission entries. To configure calendar publishing or sharing settings for a mailbox so calendar information is visible to external users, use the Set-MailboxCalendarFolder cmdlet.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Syntax
Default (Default)
Set-MailboxFolderPermission
    [-Identity] <MailboxFolderIdParameter>
    -AccessRights <MailboxFolderAccessRight[]>
    -User <MailboxFolderUserIdParameter>
    [-Confirm]
    [-DomainController <Fqdn>]
    [-SendNotificationToUser <Boolean>]
    [-SharingPermissionFlags <MailboxFolderPermissionFlags>]
    [-WhatIf]
    [<CommonParameters>]
Description
In Exchange Online PowerShell, if you don't use the SendNotificationToUser or SharingPermissionFlags parameters, there are no changes to the functionality of the cmdlet. For example, if the user is an existing delegate, and you change their permissions to Editor without using the SendNotificationToUser or SharingPermissionFlags parameters, the user remains a delegate. But, if you use the SendNotificationToUser parameter ($true or $false), the SharingPermissionFlags parameter has the default value None, which can affect delegate access for existing users. For example, you change an existing delegate's permission to Editor, and you use SendNotificationToUser with the value $true. The user is no longer a delegate and has only Editor permissions to the folder.
You need to be assigned permissions before you can run this cmdlet. Although this article lists all parameters for the cmdlet, you might not have access to some parameters if they aren't included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Examples
Example 1
Set-MailboxFolderPermission -Identity ayla@contoso.com:\Marketing -User ed@contoso.com -AccessRights Owner
This example overwrites Ed's existing permissions for the Marketing folder in Ayla's mailbox. Ed is now granted the Owner role on the folder.
Example 2
Set-MailboxFolderPermission -Identity ayla@contoso.com:\Calendar -User ed@contoso.com -AccessRights Editor -SharingPermissionFlags Delegate -SendNotificationToUser $true
In Exchange Online, this example resends the sharing invitation to an existing delegate without changing their effective permissions (Ed is already a delegate with Editor permissions to Ayla's mailbox).
Example 3
Set-MailboxFolderPermission -Identity ayla@contoso.com:\Calendar -User ed@contoso.com -AccessRights Editor -SharingPermissionFlags Delegate
In Exchange Online, this example removes access to private items for an existing delegate.
Example 4
Set-MailboxFolderPermission -Identity ayla@contoso.com:\Calendar -User ed@contoso.com -AccessRights Editor -SharingPermissionFlags None
In Exchange Online, this example changes an existing calendar delegate to Editor.
Example 5
Set-MailboxFolderPermission -Identity ayla@contoso.com:\Calendar -User ed@contoso.com -AccessRights Editor
In Exchange Online, this example changes an existing user's permissions to Editor without changing their current delegate status.
Example 6
Set-MailboxFolderPermission -Identity ayla@contoso.com:\Calendar -User ed@contoso.com -AccessRights Editor -SendNotificationToUser $false
In Exchange Online, this example changes an existing user's permissions to Editor and removes their current delegate status.
Parameters
-AccessRights 
		Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE, Exchange Online
The AccessRights parameter specifies the permissions that you want to modify for the user on the mailbox folder. The values that you specify replace the existing permissions for the user on the folder.
You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.
The following individual permissions are available:
- None: The user has no access to view or interact with the folder or its contents.
- CreateItems: The user can create items in the specified folder.
- CreateSubfolders: The user can create subfolders in the specified folder.
- DeleteAllItems: The user can delete all items in the specified folder.
- DeleteOwnedItems: The user can only delete items that they created from the specified folder.
- EditAllItems: The user can edit all items in the specified folder.
- EditOwnedItems: The user can only edit items that they created in the specified folder.
- FolderContact: The user is the contact for the specified public folder.
- FolderOwner: The user is the owner of the specified folder. The user can view the folder, move the folder, and create subfolders. The user can't read items, edit items, delete items, or create items.
- FolderVisible: The user can view the specified folder, but can't read or edit items within the specified public folder.
- ReadItems: The user can read items within the specified folder.
The roles that are available, along with the permissions that they assign, are described in the following list:
- Author: CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
- Contributor: CreateItems, FolderVisible
- Editor: CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
- NonEditingAuthor: CreateItems, DeleteOwnedItems, FolderVisible, ReadItems
- Owner: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
- PublishingAuthor: CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
- PublishingEditor: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
- Reviewer: FolderVisible, ReadItems
The following roles apply specifically to calendar folders:
- AvailabilityOnly: View only availability data
- LimitedDetails: View availability data with subject and location
When the Editor role is applied to calendar folders, delegates can accept or decline meetings by manually selecting the meeting request in the mailbox. In Exchange Online, to send meeting requests to delegates where they can accept or decline meetings, also use the SharingPermissionFlags parameter with the value Delegate.
Parameter properties
| Type: | MailboxFolderAccessRight[] | 
| Default value: | None | 
| Supports wildcards: | False | 
| DontShow: | False | 
Parameter sets
(All)
| Position: | Named | 
| Mandatory: | True | 
| Value from pipeline: | False | 
| Value from pipeline by property name: | False | 
| Value from remaining arguments: | False | 
-Confirm
Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE, Exchange Online
The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
- Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
- Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
Parameter properties
| Type: | SwitchParameter | 
| Default value: | None | 
| Supports wildcards: | False | 
| DontShow: | False | 
| Aliases: | cf | 
Parameter sets
(All)
| Position: | Named | 
| Mandatory: | False | 
| Value from pipeline: | False | 
| Value from pipeline by property name: | False | 
| Value from remaining arguments: | False | 
-DomainController 
		Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE
This parameter is available only in on-premises Exchange.
The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.
Parameter properties
| Type: | Fqdn | 
| Default value: | None | 
| Supports wildcards: | False | 
| DontShow: | False | 
Parameter sets
(All)
| Position: | Named | 
| Mandatory: | False | 
| Value from pipeline: | False | 
| Value from pipeline by property name: | False | 
| Value from remaining arguments: | False | 
-Identity
Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE, Exchange Online
The Identity parameter specifies the target mailbox and folder. The syntax is MailboxID:\ParentFolder[\SubFolder].
For the value of MailboxID, you can use any value that uniquely identifies the mailbox. For example:
- Name
- Alias
- Distinguished name (DN)
- Canonical DN
- Domain\Username
- Email address
- GUID
- LegacyExchangeDN
- SamAccountName
- User ID or user principal name (UPN)
Example values for this parameter are john@contoso.com:\Calendar or John:\Inbox\Reports.
Parameter properties
| Type: | MailboxFolderIdParameter | 
| Default value: | None | 
| Supports wildcards: | False | 
| DontShow: | False | 
Parameter sets
(All)
| Position: | 1 | 
| Mandatory: | True | 
| Value from pipeline: | True | 
| Value from pipeline by property name: | True | 
| Value from remaining arguments: | False | 
-SendNotificationToUser  
		Applicable: Exchange Online
This parameter is available only in the cloud-based service.
The SendNotificationToUser parameter specifies whether to send a sharing invitation to the user when you modify their calendar permissions. The message is a normal calendar sharing invitation that can be accepted by the recipient. Valid values are:
- $true: A sharing invitation is sent.
- $false: No sharing invitation is sent. This value is the default.
This parameter only applies to calendar folders and can only be used with the following AccessRights parameter values:
- AvailabilityOnly
- LimitedDetails
- Reviewer
- Editor
Parameter properties
| Type: | Boolean | 
| Default value: | None | 
| Supports wildcards: | False | 
| DontShow: | False | 
Parameter sets
(All)
| Position: | Named | 
| Mandatory: | False | 
| Value from pipeline: | False | 
| Value from pipeline by property name: | False | 
| Value from remaining arguments: | False | 
-SharingPermissionFlags  
		Applicable: Exchange Online
This parameter is available only in the cloud-based service.
The SharingPermissionFlags parameter assigns calendar delegate permissions. This parameter only applies to calendar folders and can only be used when the AccessRights parameter value is Editor. Valid values are:
- None: Removes delegate permissions and updates the meeting message rule so the user stops receiving meeting invites and responses for the mailbox. This value is the default when you use the SendNotificationToUser parameter without specifying a value for the SharingPermissionFlags parameter.
- Delegate: The user is made a calendar delegate, which includes receiving meeting invites and responses. If there are no other delegates, this value creates the meeting message rule. If there are existing delegates, the user is added to the meeting message rule without changing how delegate messages are sent.
- CanViewPrivateItems: The user can access private items on the calendar. You must use this value with the Delegate value.
You can specify multiple values separated by commas.
Parameter properties
| Type: | MailboxFolderPermissionFlags | 
| Default value: | None | 
| Supports wildcards: | False | 
| DontShow: | False | 
Parameter sets
(All)
| Position: | Named | 
| Mandatory: | False | 
| Value from pipeline: | False | 
| Value from pipeline by property name: | False | 
| Value from remaining arguments: | False | 
-User
Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE, Exchange Online
The User parameter specifies the mailbox, mail user, or mail-enabled security group (security principal) that's granted permission to the mailbox folder.
For the best results, we recommend using the following values:
- UPN: For example, user@contoso.com(users only).
- Domain\SamAccountName: For example, contoso\user.
Otherwise, you can use any value that uniquely identifies the user or group. For example:
- Name
- Alias
- Distinguished name (DN)
- Canonical DN
- Email address
- GUID
Parameter properties
| Type: | MailboxFolderUserIdParameter | 
| Default value: | None | 
| Supports wildcards: | False | 
| DontShow: | False | 
Parameter sets
(All)
| Position: | Named | 
| Mandatory: | True | 
| Value from pipeline: | False | 
| Value from pipeline by property name: | False | 
| Value from remaining arguments: | False | 
-WhatIf 
		Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE, Exchange Online
The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.
Parameter properties
| Type: | SwitchParameter | 
| Default value: | None | 
| Supports wildcards: | False | 
| DontShow: | False | 
| Aliases: | wi | 
Parameter sets
(All)
| Position: | Named | 
| Mandatory: | False | 
| Value from pipeline: | False | 
| Value from pipeline by property name: | False | 
| Value from remaining arguments: | False | 
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
Input types
To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.
Outputs
Output types
To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn't return data.