Due to Microsoft limitations, it is currently not possible to grant true, read-only access to an entire Exchange Online mailbox. The “ReadPermission” access right refers only to being able to read the mailbox’s permission settings—it does not allow a user to open or view the mailbox contents.
For full mailbox access, you can assign the “Read and manage delegation” permission, which is functionally equivalent to Full Access—the delegate can read, send, delete, and otherwise act as the mailbox owner. There is no built-in “read-only” option at the full mailbox level in Exchange Online.
Granting “Full Access” permission gives delegates full control over the mailbox (including read, send, delete, etc.), not just read access. There is currently no supported method to provide only “read-only” access at the mailbox level in Exchange Online or Microsoft 365.
Read-only alternatives: folder-level permissions
While mailbox-level “read-only” access is not available, you can grant ‘read-only’ (Reviewer) permissions at the individual folder level (such as Inbox or Calendar). This is possible in both Exchange Online and on-premises Exchange environments.
You can apply these permissions using PowerShell or via custom actions in CoreView.
1. How to grant folder-level read-only access using PowerShell
The Add-MailboxFolderPermission cmdlet allows you to grant a user permissions such as “Reviewer” (read-only) or “Owner” for a specific folder.
Syntax:
Add-MailboxFolderPermission
[-Identity] <MailboxFolderIdParameter>
-AccessRights <MailboxFolderAccessRight[]>
-User <MailboxFolderUserIdParameter>
[-Confirm]
[-DomainController <Fqdn>]
[-SendNotificationToUser <Boolean>]
[-SharingPermissionFlags <MailboxFolderPermissionFlags>]
[-WhatIf]
[<CommonParameters>]
Examples:
# Grant 'Owner' permission to Ed on the "Marketing" folder in Ayla's mailbox
Add-MailboxFolderPermission -Identity ayla@contoso.com:\Marketing -User ed@contoso.com -AccessRights Owner
# Add Julia as a calendar delegate (Editor) to Ayla’s mailbox (cannot view private items)
Add-MailboxFolderPermission -Identity ayla@contoso.com:\Calendar -User julia@contoso.com -AccessRights Editor -SharingPermissionFlags Delegate
# Add Laura as a calendar delegate (Editor) with access to private items
Add-MailboxFolderPermission -Identity ayla@contoso.com:\Calendar -User laura@contoso.com -AccessRights Editor -SharingPermissionFlags Delegate,CanViewPrivateItems
To grant read-only access, use -AccessRights Reviewer instead of Owner/Editor.
Folder-level permissions must be assigned to each folder individually. Bulk or all-folder assignments are not natively supported.
2. How to grant folder-level read-only access using CoreView
You can use CoreView to assign read-only permissions to a specific mailbox folder with a custom action. The example below shows how to use a custom action to grant “Reviewer” permissions to a folder in one mailbox for another user.
Inputs
Provide the following information to run the custom action:
- Mailbox: the mailbox where you want to set permissions.
- Folder: the specific folder you want to grant access to.
- Delegate: the user who will receive read-only access.
Custom action JSON example
{
"id": "0006e023-1df3-43c7-9598-9c09a116f393",
"title": "Grant read-only permissions to a user's mailbox",
"lastModified": "2025-09-09T12:40:32.6410000Z",
"target": "Mailbox",
"tags": [],
"vars": [
{
"name": "Folder",
"type": "string",
"isRequired": true
},
{
"name": "Delegate",
"type": "string",
"isRequired": true
}
],
"params": [
{
"name": "UserPrincipalName",
"type": "string",
"isDefault": false
}
],
"columns": {
"UserPrincipalName": ""
},
"version": 4,
"statement": "param ([string]$Folder, [string]$Delegate, [string]$UserPrincipalName)\r\n\r\nAdd-MailboxFolderPermission -Identity \"${UserPrincipalName}:\\${Folder}\" -User $Delegate -AccessRights Reviewer"
}