Working with Exchange Mailboxes and Groups as members

2018-02-02 | Toni Pohl

When working with Office 365 and Exchange services, it can be helpful to work with groups instead of users, for example, for allowing a group to have full access to a shared mailbox. In this case, there are some things to consider. See the working result in this documentation.

The scenario

First of all, I need to clarify, I’m not an Exchange guy. So, perhaps I’m describing a scenario that’s fully clear for Exchange Admins but I think, this could be helpful for other Office 365 Admins. This sample is my summary to show the solution for that specific request: How to set full access permissions to a shared mailbox, a resource or a distribution list for a group (and therefore to all members of that group).

To test it in a demo tenant, I created two shared mailboxes in the Office 365 Admin Portal…


…and some mail-enabled security groups. Distribution groups and Office 365 groups already existed in my tenant. So, this screenshot from the Exchange Portal shows the various group types existing here:


As playground I used:

First discovery

To make it short: In the Office 365 Admin Portal:

The screenshot shows an example. I could add MailEnabledSecurityGroup1 as member SharedMailbox1.


Just as warning: Since email-enabled security groups are Exchange objects, it might take a while after creation (usually some minutes) to be visible in the portal and in the  For seeing new Exchange groups in an email client, the portal says: "It might take up to 60 minutes for the change to be effective in Outlook and OWA."

The same can be accomplished with Remote Exchange PowerShell (see here how to connect):

Add-MailboxPermission -Identity
-AccessRights fullaccess -User

Mail-enabled security groups are handled in the same way as users.

Other group types

Just to prove it: Distribution groups and Office 365 groups cannot be added.

For Distribution Group Executives:

Add-MailboxPermission -Identity
-AccessRights fullaccess -User

An error follows: User or group "" wasn't found.

For Office 365 Group HR:

Add-MailboxPermission -Identity
-AccessRights fullaccess -User

The same error follows: User or group "" wasn't found.

We see, just users and email-enabled security groups can be used as members of a Shared Mailbox.

Existing assignments

The Office 365 Portal shows the assigned MailEnabledSecurityGroup1 as member of SharedMailbox1 (remember, this can take some time).


So does the Exchange Portal:


And PowerShell:

Get-MailboxPermission -Identity


Remove permissions

To remove existing permissions, we can use the Exchange Portal or PowerShell:

Remove-MailboxPermission -Identity
-AccessRights fullaccess -User -Confirm:$false

Distribution groups and members

The same goes for distribution groups: Mail-enabled Security Groups can be a member.


Resource mailboxes and members

The same goes for resource mailboxes: Mail-enabled Security Groups can get permissions to a room or equipment mailbox.

Office 365 groups and members

As far as I see, currently only users can be member of an Office 365 group and no other group types.


So, this scenario is easy. You just need to know that you must organize your environment to use Mail-enabled Security Groups for the purpose of using groups within other groups.

Categories: Cloud, English, Microsoft, Office365, Exchange