On Day 16 of Cybersecurity Awareness Month, let’s learn to change default calendar permissions in Microsoft 365 for improved security. Stay tuned for upcoming blogs in our Microsoft 365 cybersecurity blog series.

In today’s remote work environment, sharing calendars has become more than just a productivity boost—it’s also a critical part of organizational security. While Microsoft 365 calendar sharing can streamline workflows and improve collaboration, if not managed carefully, it may expose sensitive information to unauthorized users.

The Microsoft Secure Score recommendation advises disabling external sharing of calendars, but it’s equally important to manage internal users’ permissions effectively. This blog will guide you through the steps to change default calendar permissions in Microsoft Outlook, with a special focus on securing your organization’s data.

Why Calendar Permissions Matter for Security

Calendars are more revealing than they seem—by default, everyone in the organization can see each other’s availability, potentially exposing project details, work hours and location. If calendar permissions aren’t carefully managed, sensitive information can easily be accessed by the wrong people. Whether it’s your internal team or external collaborators, you should limit calendar access to only what’s necessary.

Tightening default calendar permissions ensures that only authorized individuals can access your schedule, reducing information leaks.

Default Calendar Permissions in Microsoft Outlook

Outlook’s default calendar permission is set to “AvailabilityOnly,” meaning users can see whether someone is free or busy but won’t have access to the details of appointments or meetings. You may want to assign different levels of permissions based on who needs access and what information they should be able to see.

Steps to Change Default Calendar Permissions in Outlook

Follow the steps below to modify the default calendar permissions in Outlook:

  1. Open Outlook and navigate to the Calendar view.
  2. Go to More options and click on Share.
  3. In Sharing and permissions, calendar owners can adjust the calendar access by selecting the appropriate permission level for individuals.

Note: Calendar owners and whoever has full access to another mailbox can update the calendar info.

While these steps are helpful for individual users, there’s no centralized way to manage permissions across an entire organization via the Outlook interface. This limitation leaves a gap in security for administrators.

Manage Calendar Permissions for Microsoft 365 Users Using PowerShell

To overcome Outlook’s limitations, administrators can use PowerShell to manage calendar permissions across the organization. PowerShell provides a more efficient and secure way to control who has access to users’ calendars, without relying on each employee to make the right configuration.

Important PowerShell Cmdlets to Manage Calendar Permissions

  • Add-MailboxFolderPermission: Add or grant permissions to a calendar.
  • Set-MailboxFolderPermission: Modify existing calendar permissions.
  • Remove-MailboxFolderPermission: Remove calendar permissions.
  • Get-MailboxFolderPermission: View existing calendar permissions.

To get started, you’ll need to connect to Exchange Online PowerShell, as these cmdlets are only available when connected to the Exchange Online module.

View Current Calendar Permissions in Microsoft 365

Before adjusting any calendar permissions, it’s wise to first check the existing settings to avoid errors. You can view the current permissions on a calendar by running the following PowerShell command.

Just replace harvey@contoso.com with the email address of the user whose calendar you want to inspect.
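As an added example (not code from the original post), the script below views the entries on one calendar and then audits every user mailbox for a Default or Anonymous entry that exposes more than free/busy. The helper name Get-CalendarFolderId and the allow-list are assumptions made for illustration; the cmdlets are those of the ExchangeOnlineManagement module.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an admin session.
Connect-ExchangeOnline

# Hypothetical helper: resolve the calendar folder path, which is not always
# named "Calendar" (localized mailboxes use names such as "Kalender").
function Get-CalendarFolderId {
    param([Parameter(Mandatory)][string]$Mailbox)
    $folder = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } |
        Select-Object -First 1
    if (-not $folder) { throw "No calendar folder found for $Mailbox" }
    "${Mailbox}:\$($folder.Name)"
}

# 1) Every permission entry on one calendar.
Get-MailboxFolderPermission -Identity (Get-CalendarFolderId 'harvey@contoso.com') |
    Select-Object FolderName, User, AccessRights

# 2) Org-wide: calendars whose Default or Anonymous entry exposes more than free/busy.
$allowed = 'AvailabilityOnly', 'None'   # assumed baseline for this audit
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Skip mailboxes whose calendar cannot be resolved instead of aborting the audit.
    try { $id = Get-CalendarFolderId $mbx.PrimarySmtpAddress } catch { Write-Warning $_; continue }
    foreach ($principal in 'Default', 'Anonymous') {
        $entry = Get-MailboxFolderPermission -Identity $id -User $principal -ErrorAction SilentlyContinue
        if ($entry -and ($entry.AccessRights | Where-Object { "$_" -notin $allowed })) {
            [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                Principal    = $principal
                AccessRights = $entry.AccessRights -join ','
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

To bring a flagged calendar back to the baseline, run Set-MailboxFolderPermission against that folder with -User Default -AccessRights AvailabilityOnly.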

Types of Calendar Permissions in Microsoft 365

Here are the different permission levels available for Office 365 calendars:

  • Owner: Full control, including permission management.
  • PublishingEditor: Create, read, edit, and delete items and subfolders.
  • Editor: Create, read, edit, and delete items.
  • PublishingAuthor: Create and read all items and subfolders; modify and delete your own items.
  • Author: Create and read items; modify and delete your own items.
  • NonEditingAuthor: Create items and read access; delete only your own items.
  • Reviewer: Read-only access.
  • Contributor: Create items but no read access.
  • AvailabilityOnly: Only view free/busy information.
  • LimitedDetails: View subject and location only.
  • None: No access to the calendar.

These roles can be assigned or modified using the appropriate PowerShell commands in Microsoft 365.

Add Calendar Permissions in Microsoft 365

When assigning permissions to a user who currently doesn’t have access, you’ll use Add-MailboxFolderPermission. For instance, if Rachel is new and needs “Reviewer” access to Harvey’s calendar, you can use the following command to add it.

Tip: Avoid granting critical access rights such as Owner or Editor to external users, as this could expose confidential data to unintended parties.

Modify Microsoft 365 Calendar Permissions

In some cases, you may need to revoke all calendar access for specific users due to security concerns or to maintain privacy. Assigning the permission level “None” blocks a user from accessing the calendar entirely: they can neither view nor interact with it.

This approach can be useful in scenarios where sensitive calendar information (such as meetings, appointments, or availability) must be protected from unauthorized viewing.

For instance, let’s say you want to ensure that Rachel no longer has any access to Harvey’s calendar for security reasons (perhaps the user has moved to a different department). To modify permissions that have already been set, you need to use the Set-MailboxFolderPermission command. You can set this by assigning the “None” permission level as follows:

Note: “No access” means the user can’t see the calendar at all, while “removing calendar permission” only deletes that user’s own entry, so the user might still have some access through whatever the calendar’s Default entry grants.

Remove Calendar Permissions in Outlook

To remove calendar access for a user, the Remove-MailboxFolderPermission command does the job. For example, to revoke Rachel’s permission from Harvey’s calendar, use:
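The add, modify and remove steps from the sections above, as one added example (not code from the original post). The address rachel@contoso.com, the helper name Set-CalendarAccess and its restriction to read-level roles are assumptions made for illustration.

```powershell
# Added example; assumes an existing Connect-ExchangeOnline session.
$calendar = 'harvey@contoso.com:\Calendar'   # use the localized folder name if it differs
$user     = 'rachel@contoso.com'             # constructed address for "Rachel"

# Hypothetical helper: Add-MailboxFolderPermission errors if the user already has
# an entry, and Set-MailboxFolderPermission errors if there is none, so check
# first and call the cmdlet that applies.
function Set-CalendarAccess {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)]
        # Assumption: only read-level roles are allowed through this helper.
        [ValidateSet('None', 'AvailabilityOnly', 'LimitedDetails', 'Reviewer')]
        [string]$AccessRights
    )
    $existing = Get-MailboxFolderPermission -Identity $Identity -User $User -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $Identity -User $User -AccessRights $AccessRights
    } else {
        Add-MailboxFolderPermission -Identity $Identity -User $User -AccessRights $AccessRights
    }
}

# Add: Rachel gets read-only (Reviewer) access to Harvey's calendar.
Set-CalendarAccess -Identity $calendar -User $user -AccessRights Reviewer

# Modify: an explicit None entry blocks Rachel even though Default allows free/busy.
Set-CalendarAccess -Identity $calendar -User $user -AccessRights None

# Remove: deletes Rachel's entry; she then falls back to whatever Default grants.
Remove-MailboxFolderPermission -Identity $calendar -User $user -Confirm:$false

# Verify: Rachel's entry is gone and only the Default entry applies to her.
Get-MailboxFolderPermission -Identity $calendar |
    Select-Object User, AccessRights
```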

By removing unnecessary calendar permissions, you help protect sensitive information and maintain a secure, streamlined access environment within Microsoft 365.

Since Microsoft Outlook allows everyone to see each other’s availability by default, managing calendar permissions is essential for safeguarding privacy. By refining these permissions and utilizing PowerShell for centralized access management, administrators can enhance security and ensure that only authorized individuals have calendar access.