How to grant read-only permissions to a user's mailbox

  • Last update on April 16th, 2025

Due to Microsoft limitations, it is currently not possible to grant true, read-only access to an entire Exchange Online mailbox. The “ReadPermission” access right refers only to being able to read the mailbox’s permission settings—it does not allow a user to open or view the mailbox contents.

For full mailbox access, you can assign the “Read and manage delegation” permission, which is functionally equivalent to Full Access—the delegate can read, send, delete, and otherwise act as the mailbox owner. There is no built-in “read-only” option at the full mailbox level in Exchange Online.

Granting “Full Access” permission gives delegates full control over the mailbox (including read, send, delete, etc.), not just read access. There is currently no supported method to provide only “read-only” access at the mailbox level in Exchange Online or Microsoft 365.

 

Read-only alternatives: folder-level permissions

While mailbox-level “read-only” access is not available, you can grant ‘read-only’ (Reviewer) permissions at the individual folder level (such as Inbox or Calendar). This is possible in both Exchange Online and on-premises Exchange environments.

You can apply these permissions using PowerShell or via custom actions in CoreView.

1. How to grant folder-level read-only access using PowerShell

The Add-MailboxFolderPermission cmdlet allows you to grant a user permissions such as “Reviewer” (read-only) or “Owner” for a specific folder.

Syntax:

Add-MailboxFolderPermission 
[-Identity] <MailboxFolderIdParameter>
-AccessRights <MailboxFolderAccessRight[]>
-User <MailboxFolderUserIdParameter>
[-Confirm]
[-DomainController <Fqdn>]
[-SendNotificationToUser <Boolean>]
[-SharingPermissionFlags <MailboxFolderPermissionFlags>]
[-WhatIf]
[<CommonParameters>]

Examples:

# Grant 'Owner' permission to Ed on the "Marketing" folder in Ayla's mailbox
Add-MailboxFolderPermission -Identity ayla@contoso.com:\Marketing -User ed@contoso.com -AccessRights Owner

# Add Julia as a calendar delegate (Editor) to Ayla’s mailbox (cannot view private items)
Add-MailboxFolderPermission -Identity ayla@contoso.com:\Calendar -User julia@contoso.com -AccessRights Editor -SharingPermissionFlags Delegate

# Add Laura as a calendar delegate (Editor) with access to private items
Add-MailboxFolderPermission -Identity ayla@contoso.com:\Calendar -User laura@contoso.com -AccessRights Editor -SharingPermissionFlags Delegate,CanViewPrivateItems

To grant read-only access, use -AccessRights Reviewer instead of Owner/Editor.

 

Folder-level permissions must be assigned to each folder individually. Bulk or all-folder assignments are not natively supported.

 

1. How to grant folder-level read-only access using CoreView

You can manage and automate these folder-level permission assignments with CoreView’s custom actions