I strongly believe that many of you already run into this scenario:

“Hey, can you help me and grant access to all my folders in my mailbox to this one person?”

When it starts like this, in most cases this user has folders, where the total number is for sure more than 2 digits.

Background

This is a common scenario, where users are very “creative” and “ambiguous” in creating a folder structure, and then realize that permissions are not inherited as expected and they need to assign on each and every single folder permissions.

Yes, there is inheritance, but this takes place ONLY when a subfolder is created AFTER permissions have been assign on the parent folder. When subfolders already exists, permissions are not applied recursively.

Recommendations

Before I come to my solution, which is rather a workaround as you need to involve an Exchange admin, let me emphasize the following:

Yes, there are limits! And for EXO you can find the limits for folders here Exchange Online limits – Service Descriptions | Microsoft Docs
The limits above are the one on services side. This doesn’t mean necessarily that your client has the same. In most cases you will run into issues long before (doesn’t matter which client is used! I have seen so many issues across ALL Microsoft clients!)
I blogged about this previously:
- Outlook: Limits and Performance (enowsoftware.com)
- Outlook Cached Mode and TCP connections | The clueless guy (wordpress.com)
A mailbox is NOT a document management system (DMS) or a file server!

Solution (workaround!)

I wrote two functions, which are doing the job for you. One to add/replace and another to remove permissions. Both work as follows:

get all folders of scope Inbox using Cmdlet Get-MailboxFolderStatistics

# retrieve folders with scope Inbox
$folderSet = Get-MailboxFolderStatistics -Identity $Identity -FolderScope Inbox

loop through all of the folders and add the permission using the attribute FolderId of each folder

if (-not [System.String]::IsNullOrEmpty($folderSet) )
{
    Write-Verbose "Found $(($folderSet | measure).Count) folders..."
    foreach ($folder in $folderSet)
    {
        Write-Verbose "Processing folder:$($folder.Name)..."

        $params = @{
            Identity = $Identity + ":" + $folder.FolderId
            User = $trustee.Identity
            AccessRights = $AccessRights
            ErrorAction = 'Stop'
        }
        try
        {
            Add-MailboxFolderPermission @params
        }

Note: I’m using FolderId for performance and stability reasons. Stability as I don’t have to bother about special characters.

in case a permission already exists, it will be replaced with the one used in the parameter -AccessRights by using the Cmdlet Set-MailboxFolderPermission

catch
{
    if ('UserAlreadyExistsInPermissionEntryException' -eq $_.CategoryInfo.Reason)
    {
        Write-Verbose "Existing permission found. Will replace..."
        Set-MailboxFolderPermission @params
    }

in case you want to maintain permission only to a subset of folders, you can use the switch -FilterFolderPath, and it will filter the result set based on this filter on the FolderPath attribute

if ($FilterFolderPath)
{
    $folderSet = $folderSet | Where-Object {$_.FolderPath -Match $FilterFolderPath}
    Write-Verbose "Found the following folders for filter $($FilterFolderPath):"
    $folderSet.FolderPath
}

You can find both function on GitHub in the file I’m using every day for work and extend my PowerShell with functions like these:

Miscellaneous/HelperFunctions.ps1 at master · IngoGege/Miscellaneous · GitHub

I named them Add-MailboxFolderPermissionRecursive and Remove-MailboxFolderPermissionRecursive.

Here some screenshots: