PowerShell module for managing Exchange mailbox delegates

I have converted my script that displays a mailbox’s delegates into a module that adds the ability to add, modify, and remove a mailbox’s delegates. The benefit of the module is that it negates the need to create an Outlook profile for the owner/manager in order to manipulate his or her delegates. The module requires any version of the EWS Managed API and the Exchange cmdlets via remoting, as detailed below.

Upon importing the module, it will check for any version of the EWS Managed API, starting with version 2.0 and working its way back. This allows for the freedom to have any version installed instead of requiring everyone who uses it to ensure they have the specific one I used when writing it. After the API is loaded, it will check for the Exchange cmdlets. If not loaded into the shell, it will retrieve a list of Exchange servers from Active Directory and attempt to connect to one until successful. If neither the API nor remoting to Exchange is successful, the module will fail to load, telling you why. (The module doesn’t distinguish between the cmdlets being available because they were locally loaded from the snap-in or from remoting. However, since certain cmdlets will fail when not executed remotely because they bypass RBAC, you need to be sure that you have not locally loaded the snap-in.)

Access to a mailbox is done using full mailbox access. If you want to use impersonation, you will want to uncomment line 96. Granting impersonation rights is explained here. The URL used for EWS is determined by autodiscover of the owner/manager mailbox.

These are the cmdlets the module exposes:


The alias for Get-MailboxDelegate is gmd.  It is basically the same as my Get-Delegates.ps1 script, but it has gotten a makeover to support pipelining into and out of. The -Identity parameter (aliased to -Owner and -Manager) is any standard Exchange identity (display name, email address, alias, dn, etc.) and it supports pipelining by property name. If the objects you are pipelining into Get-MailboxDelegate don’t have a property name of Identity, then you will need to use a ForEach loop and use $_.PropertyName to designate which property should be used.

Without any other parameters, all delegates will be retrieved. If you want to get only a specific delegate, you can use the -Delegate parameter. The default output will be to list the properties, but since it is now a collection of objects, you can choose to output it to a table, to a grid view, or export to a file, using the appropriate cmdlets. You can also use these output cmdlets to select only the properties you want. For example, if you only care about the private items property you could use ft owner,delegate,viewprivate. Or, if you only want those who actually can view private items, you could run something like this:

Note that I encapsulated in parentheses the command that I pipeline into Get-MailboxDelegate. This is necessary to avoid the concurrent pipeline limitation in remote PowerShell. It is only necessary if the command prior to the pipeline will be running a cmdlet that leverages remoting. Another option is to store the results of the prior command in a variable and then pipeline that into Get-MailboxDelegate.

All of the module’s cmdlets have built-in help, so you can use PowerShell’s help cmdlet to learn the details of all of them, such as the parameters and their descriptions, usage examples, etc.


The alias for Add-MailboxDelegate is amd. To use this cmdlet, provide an owner and a delegate. You can optionally specify folder permission for Inbox, Calendar, Tasks, Contacts, Sent Items, and Deleted Items; if private items are viewable; if meeting requests are to be received; and the owner’s global handling of meeting requests. I didn’t include the option of setting permission for Journal or Notes because, well, who uses them? The ability to set the permission for Sent Items and Deleted Items is to accommodate those who use GPO to have Outlook store messages sent from another user in that person’s Sent Items folder, and likewise for messages deleted from another mailbox. The option to set the meeting request delivery scope applies to the owner, not the delegate being added, so it is only necessary to include it if you are adding a delegate and you want to change the current setting.


The alias for Set-MailboxDelegate is smd. Use this cmdlet to change any settings for an existing delegate (or to change the meeting request delivery scope for the owner). Provide the owner and the existing delegate to modify and, optionally, which setting you want to change. All other settings will remain as is. If you want to change just the meeting request delivery scope for the owner, specify any existing delegate, but not any other settings (except the delivery scope). Unlike the valid roles for folder permission with Add-MailboxDelegate, you can use None if you want to remove a folder permission. If you want to remove the ability to view private items or to not receive meeting requests, use -ViewPrivateItems:$false or -ReceiveMeetingRequests:$false, respectively. The colon is necessary because both parameters are switches, so their inclusion alone in the command means true, whereas to explicitly set them to false means using the syntax above. (The cmdlet checks if either switch is actually present in the command, so don’t be concerned that not including a switch implies that it should be false.)


The alias for Remove-MailboxDelegate is rmd. Provide the owner and the delegate to remove. That’s it.

All of the cmdlets perform the expected error checking: the owner is a valid mailbox; any delegate to add, modify, or remove is a valid mailbox; adding a delegate when the delegate already exists; modifying or removing a delegate that is not an existing delegate; using a valid (albeit the limited subset exposed in the API) role for a folder permission; and using a valid meeting request delivery scope.

Download the module or view/copy the code below:

  DelegateManagement.zip (9.2 KiB)

29 thoughts on “PowerShell module for managing Exchange mailbox delegates

  1. I can’t tell you how much I love this. I had to give a user the ability to view private items on nearly 30 room calendars, and the prospect of creating an Outlook profile for each room just so I could add the user as a delegate and check the ‘delegate can see my private items’ box was driving me to drink. Your handy module did the job quickly and easily!

  2. I keep getting the error “”The account does not have permission to impersonate the requested user” when trying to run any of the cmdLets.
    The account I am loggedin as is member of org.management but still getting the error.
    Any suggestions??

  3. Peter, being an organization administrator isn’t enough when impersonation is involved. There are two options. One is to add the accounts to an RBAC role that is for impersonation, as described here. The other option is to not use impersonation and rely on full mailbox access. To do this, comment out line 94 in the module. Either method works fine. Impersonation is generally used for application or programmatic access to mailboxes. If using FMA, then you have to be sure that you have access to the mailbox in question, which could be implicit depending on how you grant FMA. Anyway, the default setting in the module is to use impersonation, which isn’t a default right in Exchange.

    The post explains that impersonation is used and how to bypass it, but I will add a link to the MSDN page for granting impersonation rights.

  4. Hi,
    This Get-MailboxDelegate do not work proper when the user has folder names in different language than English. Can you fix this?

  5. Thank you good Sir! Working like a charm and part of my “Exchange Toolbox” now.

  6. Can you please update this fabulous script to work with Office 365 Exchange online?

  7. Hey Author, its great what you did!
    I still have issues adding a group as delegate with error “A Mailbox cannot be found…”.
    Everything else works great! Cheers, Thomas

  8. hi!

    this script is awesome! is there any explaination for the commands? e.g. the “view private items” ?! how can i add this??

  9. There is help included in the cmdlets. You can run Get-Help Add-MailboxDelegate -Parameter ViewPrivateItems to see details about it. But in this case, it is a switch parameter, so just include -ViewPrivateItems anywhere in the command to add that option.

  10. Can this script be modified so that it can be run directly on the Exchange server without having to install the web services api on the server?

  11. The API needs to be installed on whichever system is running the cmdlets. It can be a workstation, server, or Exchange server. Nothing has to be installed on Exchange. The API is just a wrapper for using EWS without having to use SOAP and manually constructing requests. Even if you run it on Exchange, though, the API still has to be installed since the client (which just happens to be the Exchange server) is what is leveraging the API, not the server.

    If you are uncomfortable installing the API on the server, you can just copy the DLL to any location on it and then modify the module to load the DLL directly from that location. Exchange won’t even know the API is installed.

  12. for some reason the -ReceiveMeetingRequests parameter is not working for me. I’m not getting any errors but when I check the Outlook client the checkbox for that option is not checked.
    Also, is there any way to set this exchange parameter?
    MeetingHandling = DelegatesAndMe

  13. The parameter to control who receives meeting requests is MeetingRequestDeliveryScope. What is called DelegatesAndMe in Exchange is set using DelegatesAndOwner in the module. I use the latter in the module because the perspective of the setting is from you as an admin, whereas Exchange delegates are set from the perspective of the owner. For the ReceiveMeetingRequests parameter issue, if you set it for another delegate with the same owner or another owner with the same or different delegate, does it work?

  14. I love this script but how do I change it so that it runs across all users and exports to a file. I am new to powershell/EWS scripting. Thanks for any help.

  15. You can pipeline from Get-Mailbox into Get-MailboxDelegate and then pipeline the results to any export cmdlet:

    Get-Mailbox | gmd | Export-csv c:\temp\delegateresults.csv -notypeinformation

  16. Excellent WORK! this has saved me countless hours of time dealing with a problem with a Shared Mailbox and Private Items.


  17. Yes, the module works with Exchange 2013, as well as Exchange 2016 and Exchange Online.

  18. Great script dude. As was previously said, ‘You Sir are officially the man’. Cheers

  19. Hey Skippy,

    Way to take the partially documented world of EWS and make it useful to others! I have to dig into this a bit…I discovered it a bit too late, as I had just finished my efforts to do a lot of what this module does…I blame Bing for not bringing me here sooner, causing me to invent the wheel you had already invented (it was Google that brought me here 🙂 )…Just kidding, I didn’t use Bing!

  20. What if the root folders of a mailbox are in a different language? At the moment you have “Sent Items” and “Deleted Items” hardcoded, but this always errors out if the mailbox has a different language set.

    What are these hardcoded attributes used for?

    Get-MailboxDelegate, Add-MailboxDelegate, … they all give error that the 2 folders cannot be found if any other language is used.

  21. One of the posts in the series explains why the folders are used (for when delegates are configured to move deleted or sent items to the manager’s respective folder). My next task (now that I have completed the updates for the AutoDL module), is to account for non-English folders. At first I couldn’t figure out a reliable or easy enough way to determine the folder’s display name, but a few months ago it occurred to me. So I will be adding that, as well as a configuration file for the settings, including the option to not set permission on those folders if you don’t want to.

  22. Scott, awesome news! I would like to say that your script is really awesome. It helps us admins in so many ways. Cannot believe I did not stumble upon it earlier.

    I will keep an eye on this thread.


  23. Hi,

    I have a question regarding the Remove-MailboxDelegate. Does it also delete the Meeting Delivery scope? Because the built-in cmdlet doesn’t do it (Remove-MailboxFolderPermission)

  24. Meeting request delivery scope applies to the owner/manager, not individual delegates, so when you remove a delegate nothing needs to happen to the scope setting. If you are referring to the setting for a delegate to receive meeting requests if the owner’s setting is to send to the delegates, yes, it is removed when the delegate is removed.

  25. Localization support has been added in v1.5.1. It will automatically use whatever the display name is of the folder.

  26. Whilst your script is excellent we are using an alternative which is to convert the message to normal using a transport rule:
    Convert Private eMails to Normal for selected mailboxes
    If the message…Is sent to ‘sharedmailbox@domain.co.uk’
    and ‘Sensitivity’ header contains ”private”
    Do the following…set message header ‘Sensitivity’ with the value ‘normal’
    You can add as many mailboxes to the rule as you want.
    We add a note tot he AD object to state it is in the rule.

Leave a Reply

Your email address will not be published. Required fields are marked *