Day: March 13, 2020

Allow all users to see everyone’s calendar in an Office 365 environment

On By Manoj V KarunarathneIn Exchange Online, Microsoft365, Modern Workplace, Office 3651 Comment

Yes you are right!. Setting this access right organization-wide is surely raises a major privacy concern specially when it comes to personal details (such as HR and Operation related events) in employee’s calendars.

Information-sharing

However, there can be exceptional scenarios where business decides what they need, such as the pandemic situation the whole world face right now (COVID-19) as every organization prepares to work from home and allow people to interact online in more efficient and effective ways. In my case, one of our top level client badly needed to enable everyone’s calendar visible to everyone in the company to allow people to efficiently get in touch.

This is possible and exchange online has the capability to do it, but, make sure you do it for an absolute purpose. In Exchange online, you can set the default internal sharing policy for Office 365 user’s calendars using PowerShell. You may decide to set the default for all current users to Limited Details, then add exceptions for users whose calendar is to be kept to Availability (Free/Busy) only. There are various roles to define as per your need.

The AccessRights parameter in the PS command below specifies the permissions that you want to modify for the user on the mailbox folder. The values that you specify replace the existing permissions for the user on the folder.

You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.

I am emphasizing again, DO NOT DO THIS Unless there is an absolute necessity.

For None-MFA environment (even though MFA is a fundamental and very common security requirement, there can be exceptional cases) – Amend the AccessRights parameter accordingly

$credentials = Get-Credential -Credential elliot@gcits.com.au

Write-Output “Getting the Exchange Online cmdlets”

$Session = New-PSSession -ConnectionUri https://outlook.office365.com/powershell-liveid/ `

-ConfigurationName Microsoft.Exchange -Credential $credentials `

-Authentication Basic -AllowRedirection

Import-PSSession $Session

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {

$cal = $user.alias+”:\Calendar”

Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer

}

For MFA environments

Preparation:

Run this to get the current state of all user mailboxes as exported to a CSV file. This will help on the verification later in case if you need to reverse this (Pre)

Connect-EXOPSSession

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {

$cal = $user.alias+”:\Calendar”

Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer

}

$file=”C:\Temp\Calendar-Post.csv”
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach($user in $usermailboxes) {
$cal = $user.alias+":\Calendar"
$perms = get-MailboxFolderPermission -Identity $cal -User Default
$Perms | select identity, Foldername, AccessRights | export-csv $file -append
}

Applying Access Rights:

Now let’s change the access right for all user mailboxes. Amend the AccessRights parameter according to your requirement (applied to all user mailboxes)

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {
$cal = $user.alias+”:\Calendar”
Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights AvailabilityOnly
}

If you wish to avoid an selected user mailbox (May be CEO’s ?), you can use the following (with the “userprincipalname” “–ne” parameters to add an exception)

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox | where userprincipalname -ne “mark@mantoso.onmicrosoft.com”) {
$cal = $user.alias+”:\Calendar”
Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights AvailabilityOnly
}

Connect-EXOPSSession

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {

$cal = $user.alias+”:\Calendar”

Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer

}

$file=”C:\Temp\Calendar-Post.csv”
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach($user in $usermailboxes) {
$cal = $user.alias+":\Calendar"
$perms = get-MailboxFolderPermission -Identity $cal -User Default
$Perms | select identity, Foldername, AccessRights | export-csv $file -append
}

Verification:

To verify the result against a single user mailbox, you can run this line

Get-MailboxFolderPermission neil@mantoso.onmicrosoft.com:\calendar

Or run the following to get the result of all user mailboxes exported as a CSV file so it can be compared with the CSV you got before applying the change (Post)

$file=”C:\Temp\Calendar-Post.csv”
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach($user in $usermailboxes) {
$cal = $user.alias+":\Calendar"
$perms = get-MailboxFolderPermission -Identity $cal -User Default
$Perms | select identity, Foldername, AccessRights | export-csv $file -append
}

clip_image001Testing:

Now let’s see how this works after changing the permissions. Details wise, this is how it shown now (looking at Chnau’s Calendar from Manoj’s Mailbox)

Private Events in Chanu’s Calendar (Only the date/time and Subject)

clip_image002

None Private Events in the Chanu’s Calendar (Shown Items in detail)

  1. Subject
  2. Location
  3. Organizer
  4. Attachments
  5. Attendees and response status
  6. Date/Time 
clip_image004

Item opened in full window

clip_image006

Here’s the full list of roles available to set. You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.

Individual permissions:

  • CreateItems: The user can create items in the specified folder.
  • CreateSubfolders: The user can create subfolders in the specified folder.
  • DeleteAllItems: The user can delete all items in the specified folder.
  • DeleteOwnedItems: The user can only delete items that they created from the specified folder.
  • EditAllItems: The user can edit all items in the specified folder.
  • EditOwnedItems: The user can only edit items that they created in the specified folder.
  • FolderContact: The user is the contact for the specified public folder.
  • FolderOwner: The user is the owner of the specified folder. The user can view the folder, move the folder, and create subfolders. The user can’t read items, edit items, delete items, or create items.
  • FolderVisible: The user can view the specified folder, but can’t read or edit items within the specified public folder.
  • ReadItems: The user can read items within the specified folder.

The roles that are available, along with the permissions that they assign, are described in the following list:

  • Author:CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
  • Contributor:CreateItems, FolderVisible
  • Editor:CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
  • None:FolderVisible
  • NonEditingAuthor:CreateItems, FolderVisible, ReadItems
  • Owner:CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
  • PublishingEditor:CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
  • PublishingAuthor:CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
  • Reviewer:FolderVisible, ReadItems

The following roles apply specifically to calendar folders:

  • AvailabilityOnly: View only availability data
  • LimitedDetails: View availability data with subject and location

Reference – Set Mailbox Folder Permissions (Microsoft Docs)

Advertisement