This chapter covers Exchange Online calendar permissions and resource mailboxes, a critical topic for the MS-102 exam. You will learn how to configure and manage calendar folder permissions for user mailboxes, create and manage room and equipment mailboxes, and understand the intricacies of delegate access and booking policies. This topic area typically accounts for 5-8% of exam questions, often appearing in scenario-based questions that test your ability to troubleshoot calendar sharing and resource booking issues in a hybrid or cloud-only environment.
Jump to a section
Imagine a large corporate building with multiple floors, each floor having different security zones. Each employee has an access badge that can be programmed to open certain doors. The building's security system (Exchange) manages a master list of who can access which doors. When an employee (user) is granted 'Editor' permission to a specific floor's conference room (mailbox), their badge is programmed to open that room's door. The room itself is a shared resource that can be booked by anyone with the appropriate badge level. There are also 'Delegate' badges that allow an assistant to open the executive's office door on behalf of the executive, but only during certain hours (automatic booking). The security system logs every door access and can generate reports. If the executive's badge is revoked, the assistant's delegate access also stops. The building manager can configure the system to allow 'Book in Policy' where any employee can book the room without needing a specific badge, but only during business hours. This is similar to how Exchange handles resource mailboxes with direct permissions, delegate access, and booking policies.
What are Calendar Permissions?
Exchange Online calendar permissions control the level of access other users have to a user's calendar folder. These permissions are distinct from mailbox permissions (Full Access, Send As) and are set at the folder level. The default permission for the calendar folder in a user's mailbox is 'AvailabilityOnly' for all authenticated users in the organization, meaning they can see free/busy information but not details. This is configurable via the Exchange admin center (EAC) or PowerShell.
Permission Levels
Exchange Online supports several permission levels for calendar folders:
None: No access. The user cannot see any information.
AvailabilityOnly: The user can see only free/busy status, no subject or location.
LimitedDetails: The user can see free/busy status along with the subject and location of the appointment.
Reviewer: The user can read all calendar items but cannot create or modify them.
Contributor: The user can create items but cannot read existing ones (rarely used for calendars).
NonEditingAuthor: The user can create and read items but cannot modify existing ones.
Author: The user can create, read, and modify items, but cannot delete them.
Editor: The user can create, read, modify, and delete items.
PublishingEditor: The user can create, read, modify, delete, and publish items (used for internet calendar publishing).
PublishingAuthor: Similar to PublishingEditor but cannot modify existing items.
Owner: Full control, including permission management.
How Permissions Work Internally
When a user accesses another user's calendar, Exchange checks the access control list (ACL) on the calendar folder. The ACL contains entries for each user or group with a specific permission level. The permission levels are mapped to a set of rights on the folder. For example, 'Editor' includes rights to read, create, modify, and delete items. The 'AvailabilityOnly' permission is a special built-in permission that only allows reading the free/busy data from the calendar's associated availability address space.
Default Permissions and Organization Relationships
By default, all users in the organization can see free/busy information for all other users' calendars. This is controlled by the Default permission level on the calendar folder, which is set to AvailabilityOnly. This can be changed at the organization level using the Set-OrganizationConfig cmdlet with the -DefaultCalendarSharing parameter. Additionally, you can configure sharing policies for external users and federated organizations.
Resource Mailboxes Overview
Resource mailboxes are special mailboxes used for scheduling resources like conference rooms (Room mailboxes) and equipment (Equipment mailboxes). They have their own calendar and can be booked by users. Resource mailboxes do not require a license (except for a minimal Exchange Online license for the mailbox), but they must be enabled for scheduling. They are created in the Exchange admin center or via PowerShell.
Creating Resource Mailboxes
To create a room mailbox in PowerShell:
New-Mailbox -Name "Conference Room A" -Room -ResourceCapacity 20For equipment:
New-Mailbox -Name "Projector" -EquipmentThese cmdlets create a mailbox with the appropriate recipient type details. The -Room switch sets the RecipientTypeDetails to 'RoomMailbox', and -Equipment sets it to 'EquipmentMailbox'.
Booking Policies
Resource mailboxes have booking policies that control how they can be scheduled. Key properties include:
AutomateProcessing: Determines how meeting requests are processed. Options are AutoAccept (automatically accept if available), AutoDecline (automatically decline if conflicting), and Manual (requires a delegate to approve).
AllowConflicts: If set to $true, the resource can be double-booked. Default is $false.
BookingWindowInDays: The maximum number of days in advance a resource can be booked. Default is 180.
MaximumDurationInMinutes: The maximum duration for a single booking. Default is 1440 (24 hours).
ConflictPercentageAllowed: If AllowConflicts is $false, this sets the percentage of conflicting items allowed before the resource declines. Default is 0.
MaximumConflictInstances: The maximum number of conflicting instances allowed. Default is 0.
EnforceSchedulingHorizon: If $true, the resource will not accept bookings outside the booking window.
ScheduleOnlyDuringWorkHours: If $true, bookings are only accepted during the resource's working hours (set by Set-Mailbox -WorkingHours).
AllowRecurringMeetings: Controls whether recurring meetings can be booked.
TentativePendingApproval: If $true, meetings are marked tentative until approved by a delegate.
DeleteComments: Controls whether the body of the meeting request is deleted from the response.
DeleteSubject: Controls whether the subject is deleted from the response.
AddOrganizerToSubject: Adds the organizer's name to the subject of the meeting in the resource's calendar.
RemovePrivateProperty: Controls whether private meeting items are marked private in the resource's calendar.
Delegate Access to Resource Mailboxes
Resource mailboxes can have delegates who manage the calendar on behalf of the resource. Delegates are added using the Set-CalendarProcessing cmdlet:
Set-CalendarProcessing -Identity "Conference Room A" -ResourceDelegates "User1","User2"Delegates can accept or decline meeting requests manually if AutomateProcessing is set to Manual. They can also modify the resource's calendar directly if they have Editor or Owner permissions.
How Resource Mailboxes Process Meeting Requests
When a user sends a meeting request to a resource mailbox, the following occurs:
The resource mailbox's calendar processing engine evaluates the request against the booking policy.
If AutomateProcessing is AutoAccept, the engine checks for conflicts. If no conflicts, it accepts the request and adds the meeting to the calendar. If conflicts exist, it declines.
If AutomateProcessing is AutoDecline, the engine accepts only if no conflicts; otherwise declines.
If AutomateProcessing is Manual, the request is placed in the resource's Inbox for a delegate to process.
The response is sent back to the organizer.
Calendar Permissions vs. Mailbox Permissions
It is crucial to distinguish between calendar folder permissions and mailbox-level permissions. Mailbox permissions (Full Access, Send As, Send on Behalf) apply to the entire mailbox, including all folders. Calendar permissions are specific to the calendar folder. A user with Full Access to a mailbox can open the calendar folder and view items, but they do not automatically have permission to create or modify calendar items unless the calendar folder permissions allow it. In practice, Full Access grants 'Owner' permission on all folders, including the calendar, so they do have full control. However, this is a nuance: Full Access gives 'Owner' on all folders, but the calendar folder's ACL may have explicit deny entries that override (though denies are rare).
Troubleshooting Calendar Permissions
Common issues:
A user cannot see details of another user's calendar. Check the Default permission level on the calendar folder. Use PowerShell:
Get-MailboxFolderPermission -Identity "User1:\Calendar"A delegate cannot create or modify items. Verify the delegate has at least 'Editor' permission.
Resource mailbox not accepting bookings. Check AutomateProcessing and AllowConflicts settings.
Interaction with Hybrid Deployments
In a hybrid environment, calendar permissions and resource mailboxes can be synchronized between on-premises Exchange and Exchange Online. The Azure AD Connect syncs mailbox attributes, but calendar folder permissions are not synced. They must be configured separately in each environment. However, free/busy information can be shared via the Organization Relationship or a federation trust.
PowerShell Commands for Management
Key cmdlets:
Get-MailboxFolderPermission - View permissions on a folder.
Set-MailboxFolderPermission - Set permissions on a folder.
Remove-MailboxFolderPermission - Remove a permission.
Add-MailboxFolderPermission - Add a permission (older cmdlet, use Set instead).
New-Mailbox - Create a resource mailbox.
Set-Mailbox - Modify mailbox properties.
Set-CalendarProcessing - Configure booking policies for resource mailboxes.
Get-CalendarProcessing - View booking policies.
Example: Grant 'Editor' permission to a user on another user's calendar:
Set-MailboxFolderPermission -Identity "User1:\Calendar" -User "User2" -AccessRights EditorDefault Values and Limits
Default booking window: 180 days.
Default maximum duration: 1440 minutes.
Default conflict percentage: 0.
Maximum number of delegates for a resource mailbox: 10.
Maximum number of resource mailboxes per organization: 1000 (soft limit, can be increased).
Calendar permission levels: 11 distinct levels.
Exam-Relevant Details
The MS-102 exam tests your ability to configure calendar permissions for users and resource mailboxes using both EAC and PowerShell.
You must know the difference between 'AvailabilityOnly' and 'LimitedDetails'.
Understand that resource mailboxes do not require an Exchange Online license (but do require a mailbox, which is included in some plans).
Know that Set-CalendarProcessing is the primary cmdlet for booking policies.
Be aware that calendar processing settings are stored on the mailbox and are not affected by mailbox moves.
Create a Room Mailbox
To create a room mailbox, open the Exchange admin center (EAC) and navigate to Recipients > Resources. Click Add a room mailbox. Fill in the display name, alias, and capacity. Alternatively, use PowerShell: `New-Mailbox -Name 'Conference Room B' -Room -ResourceCapacity 10`. This creates a mailbox with RecipientTypeDetails 'RoomMailbox'. The mailbox is automatically provisioned with a calendar folder. The resource mailbox does not require a user account or license (except a minimal Exchange Online license for the mailbox itself). The mailbox is hidden from the global address list by default, but you can change this with `Set-Mailbox -HiddenFromAddressListsEnabled $false`.
Configure Booking Policies
After creating the room mailbox, configure its booking policies using `Set-CalendarProcessing`. For example: `Set-CalendarProcessing -Identity 'Conference Room B' -AutomateProcessing AutoAccept -AllowConflicts $false -BookingWindowInDays 90 -MaximumDurationInMinutes 120 -ScheduleOnlyDuringWorkHours $true`. The AutomateProcessing parameter controls how meeting requests are handled. AutoAccept automatically accepts if the resource is available; AutoDecline automatically declines if there is a conflict; Manual requires delegate approval. The AllowConflicts parameter, if set to $true, allows double-booking. The BookingWindowInDays sets how far in advance the resource can be booked (default 180). MaximumDurationInMinutes sets the maximum meeting length (default 1440). ScheduleOnlyDuringWorkHours restricts bookings to the resource's working hours, which are set separately via `Set-Mailbox -WorkingHours`.
Add Delegates to Resource Mailbox
To allow specific users to manage the resource's calendar manually, add delegates: `Set-CalendarProcessing -Identity 'Conference Room B' -ResourceDelegates 'Admin1','Admin2'`. Delegates receive meeting requests in their own mailbox if AutomateProcessing is set to Manual. They can accept or decline on behalf of the resource. Delegates can also be granted 'Editor' or 'Owner' permission on the resource's calendar folder via `Set-MailboxFolderPermission -Identity 'Conference Room B:\Calendar' -User 'Admin1' -AccessRights Editor`. This allows them to directly modify the calendar. Note: If AutomateProcessing is AutoAccept or AutoDecline, delegates are not involved in the processing but can still manage the calendar directly if they have folder permissions.
Grant Calendar Permissions to User
To grant another user access to a user's calendar, use `Set-MailboxFolderPermission`. For example: `Set-MailboxFolderPermission -Identity 'User1:\Calendar' -User 'User2' -AccessRights LimitedDetails`. This sets User2's permission to see free/busy and subject/location. The permission levels are None, AvailabilityOnly, LimitedDetails, Reviewer, Contributor, NonEditingAuthor, Author, Editor, PublishingEditor, PublishingAuthor, and Owner. The `-AccessRights` parameter accepts these values. You can also use the EAC: navigate to Recipients > Mailboxes, select the user, click Mailbox delegation, and manage calendar permissions. Note that the 'Default' permission for all users on a calendar is set to AvailabilityOnly by default, which can be changed with `Set-MailboxFolderPermission -Identity 'User1:\Calendar' -User Default -AccessRights LimitedDetails`.
Test Resource Booking
To test the resource mailbox, send a meeting request from a test user to the resource mailbox. For example, create a new meeting in Outlook and add the resource as an attendee. The resource will respond automatically based on its AutomateProcessing setting. Check the resource's calendar via PowerShell: `Get-CalendarProcessing -Identity 'Conference Room B' | fl` to verify settings. Use `Get-MailboxFolderStatistics -Identity 'Conference Room B'` to see the number of calendar items. If the booking fails, check the resource's Inbox for declined messages or review the calendar processing logs (Event Viewer on the Exchange server, but in Exchange Online, use the message trace feature). Common issues include conflicts, booking window exceeded, or duration too long.
In a large enterprise with over 10,000 users and 500 conference rooms, calendar permissions and resource mailboxes are critical for efficient meeting scheduling. For example, a company might configure all room mailboxes with AutoAccept, a 30-day booking window, and a maximum duration of 2 hours to prevent abuse. They would also create a custom booking policy for executive boardrooms that requires delegate approval (Manual) to ensure high-priority meetings are accommodated. Delegates would be executive assistants who have 'Editor' permission on the resource's calendar to manually add or modify bookings. Another scenario involves equipment mailboxes, such as projectors or laptops, which are booked similarly but often have a shorter booking window (e.g., 7 days) and are set to allow conflicts (AllowConflicts $true) because multiple meetings might need the same projector at different times. In production, performance considerations include the number of resource mailboxes; Exchange Online can handle thousands, but each booking request generates a mail flow. Misconfigurations often occur when delegates are not granted sufficient permissions. For example, if a delegate has 'Reviewer' permission on the resource calendar, they cannot create or modify items, leading to confusion. Another common issue is setting AllowConflicts to $true without realizing it allows double-booking, causing scheduling chaos. Also, forgetting to set ScheduleOnlyDuringWorkHours can result in bookings at 3 AM. In a hybrid deployment, calendar permissions must be managed separately on-premises and in the cloud, which often leads to discrepancies. For instance, a user might have 'Editor' permission on an on-premises mailbox but only 'AvailabilityOnly' on the cloud mailbox after migration, requiring reconfiguration. Best practices include using groups to manage permissions, regularly auditing permissions with Get-MailboxFolderPermission, and documenting booking policies for each resource.
The MS-102 exam (Objective 1.4: Manage Exchange Online settings) tests calendar permissions and resource mailboxes in several ways. First, you must know the exact PowerShell cmdlets: Set-MailboxFolderPermission for calendar permissions and Set-CalendarProcessing for resource mailbox booking policies. The exam often presents a scenario where a user cannot see calendar details, and you must identify that the 'Default' permission is set to 'AvailabilityOnly' and needs to be changed to 'LimitedDetails'. A common wrong answer is to use Set-Mailbox -GrantSendOnBehalfTo or Add-MailboxPermission for Full Access, which are mailbox-level permissions, not calendar-specific. Another trap: candidates confuse 'AutomateProcessing' with 'AllowConflicts'. For example, if a resource is double-booked, the correct fix is to set AllowConflicts to $false, not to change AutomateProcessing to AutoDecline. The exam also loves to test default values: booking window default is 180 days, maximum duration is 1440 minutes, and conflict percentage is 0. You must know that resource mailboxes do not require an Exchange Online license (but do require a mailbox, which is included in Exchange Online Kiosk or other plans). Edge cases: what happens if a resource mailbox is deleted? The meeting requests will bounce. What if a user has both Full Access mailbox permission and a calendar permission? Full Access overrides because it grants Owner on all folders. The exam may also test the difference between Room and Equipment mailboxes: both are resource mailboxes, but Equipment mailboxes have no capacity property. To eliminate wrong answers, focus on the specific cmdlet and parameter names. For instance, if the answer includes Set-Mailbox -CalendarProcessing, it's wrong because the correct cmdlet is Set-CalendarProcessing. Also, remember that calendar permissions are set on the folder, not the mailbox. So Set-MailboxFolderPermission is correct, not Set-MailboxPermission.
Calendar permissions are set at the folder level using Set-MailboxFolderPermission with AccessRights parameter.
Default calendar permission for all users is AvailabilityOnly, controlled by the 'Default' user entry.
Resource mailboxes (Room and Equipment) are created with New-Mailbox -Room or -Equipment.
Booking policies are configured with Set-CalendarProcessing; key parameters: AutomateProcessing, AllowConflicts, BookingWindowInDays, MaximumDurationInMinutes.
Resource mailboxes do not require a user license but do require a mailbox (included in Exchange Online plans).
Delegates for resource mailboxes are set with ResourceDelegates parameter; they receive manual meeting requests if AutomateProcessing is Manual.
Full Access mailbox permission grants Owner permission on all folders including Calendar.
The maximum number of delegates for a resource mailbox is 10.
Booking window default is 180 days; maximum duration default is 1440 minutes.
In hybrid deployments, calendar permissions are not synced; must be configured separately.
Use Get-MailboxFolderPermission to view current permissions; Get-CalendarProcessing to view booking policies.
Equipment mailboxes do not have a ResourceCapacity property.
These come up on the exam all the time. Here's how to tell them apart.
Calendar Folder Permissions
Set on individual folders (e.g., Calendar).
Controlled by Set-MailboxFolderPermission.
Levels: None, AvailabilityOnly, LimitedDetails, Reviewer, etc.
Affects only the specific folder.
Commonly used for sharing calendars with other users.
Mailbox Permissions (Full Access)
Set on the entire mailbox.
Controlled by Add-MailboxPermission -AccessRights FullAccess.
Grants Owner permission on all folders.
Allows opening the mailbox and accessing all folders.
Commonly used for administrative access or delegate access to the entire mailbox.
Room Mailbox
Used for scheduling physical rooms.
Has a ResourceCapacity property.
Typically has a location attribute.
Can be configured with booking policies like AutoAccept.
Often hidden from the GAL by default.
Equipment Mailbox
Used for scheduling equipment (e.g., projectors).
No ResourceCapacity property.
May have a location attribute but not required.
Same booking policy settings as room mailboxes.
Also hidden from GAL by default.
Mistake
Resource mailboxes require a full Exchange Online license.
Correct
Resource mailboxes do not require a user license. They require a mailbox that is included in Exchange Online (Plan 1 or Plan 2) or an Exchange Online Kiosk license, but no user subscription is needed. However, they do consume a mailbox quota.
Mistake
Full Access mailbox permission automatically grants Editor permission on the calendar.
Correct
Mistake
Setting AutomateProcessing to AutoAccept allows double-booking.
Correct
AutoAccept does not automatically allow conflicts. The AllowConflicts parameter controls double-booking. If AllowConflicts is $false (default), AutoAccept will decline if there is a conflict. To allow double-booking, set AllowConflicts to $true.
Mistake
Calendar permissions are synced to Exchange Online via Azure AD Connect.
Correct
Azure AD Connect does not sync calendar folder permissions. It syncs mailbox-level attributes like display name and email address. Calendar permissions must be configured separately in each environment (on-premises and cloud).
Mistake
Delegates for a resource mailbox automatically have full access to the calendar.
Correct
Delegates only receive meeting requests if AutomateProcessing is Manual. They do not automatically have permissions to view or modify the calendar. You must explicitly grant them 'Editor' or 'Owner' permission on the calendar folder if they need direct access.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Use the Set-MailboxFolderPermission cmdlet: `Set-MailboxFolderPermission -Identity "User1:\Calendar" -User "User2" -AccessRights Editor`. This grants User2 the ability to read, create, modify, and delete items in User1's calendar. You can also do this via the Exchange admin center by navigating to Recipients > Mailboxes, selecting User1, clicking Mailbox delegation, and adding User2 with the Editor role under Calendar.
AutoAccept automatically accepts meeting requests if the resource is available (no conflicts) and declines if there is a conflict. AutoDecline automatically declines if there is a conflict but still accepts if available. Both are automatic; the difference is in the response when a conflict exists: AutoAccept declines, AutoDecline also declines – actually, AutoDecline declines any request that causes a conflict, but it also declines requests that are outside the booking window or duration limits. In practice, AutoAccept is more permissive. The Manual setting requires a delegate to process each request.
Yes, if the AllowConflicts parameter is set to $true. By default, AllowConflicts is $false, which prevents double-booking. When AllowConflicts is $true, the resource will accept overlapping meetings. This is useful for equipment like projectors that can be used by multiple meetings simultaneously. However, for room mailboxes, double-booking is usually not desired.
Use the New-Mailbox cmdlet with the -Room switch: `New-Mailbox -Name "Conference Room A" -Room -ResourceCapacity 20 -Alias confroomA`. This creates a room mailbox with a capacity of 20 people. The mailbox is automatically provisioned and hidden from the GAL by default. You can unhide it with `Set-Mailbox -HiddenFromAddressListsEnabled $false`.
The default permission level for all users on a calendar is AvailabilityOnly, which shows only free/busy status without subject or location. To show subject and location, change the default permission to LimitedDetails using: `Set-MailboxFolderPermission -Identity "User1:\Calendar" -User Default -AccessRights LimitedDetails`. Alternatively, you can set this at the organization level with Set-OrganizationConfig -DefaultCalendarSharing LimitedDetails.
If a resource mailbox is deleted, any meeting requests sent to that resource will bounce with a non-delivery report (NDR). Existing meetings in users' calendars that include the resource will become orphaned (the resource will no longer appear in the meeting). It is recommended to disable the resource mailbox instead of deleting it, or to remove it from all existing meetings before deletion.
Use the Set-CalendarProcessing cmdlet with the -ResourceDelegates parameter: `Set-CalendarProcessing -Identity "Room1" -ResourceDelegates "admin@contoso.com"`. This adds the specified user as a delegate. Delegates receive meeting requests if AutomateProcessing is set to Manual. To allow the delegate to directly modify the calendar, also grant them Editor permission on the calendar folder: `Set-MailboxFolderPermission -Identity "Room1:\Calendar" -User "admin@contoso.com" -AccessRights Editor`.
You've just covered Exchange Calendar Permissions and Resource Mailboxes — now see how well it sticks with free MS-102 practice questions. Full explanations included, no account needed.
Done with this chapter?