Exchange 2016: Mapping Secondary Mailboxes in OWA (Classic UI)

⚠️ Exchange 2016 reached End of Support on October 14, 2024. This guide covers legacy on-prem scenarios. For modern environments, review Exchange Online mailbox delegation and OWA365 unified inbox features.

Admins frequently run into the same user complaint: “Outlook desktop shows my primary and shared mailboxes in one tree. OWA forces me to open a new tab every time I switch.”

The first instinct is often to check -AutoMapping $true. That check is irrelevant for OWA. AutoMapping is an Active Directory/Autodiscover mechanism consumed by the Outlook desktop client. OWA does not parse AD delegation attributes; it relies on explicit mailbox delegation and user-initiated UI mapping.

This guide documents the supported, production-safe method to integrate a secondary mailbox into the OWA folder tree. It targets Classic OWA (Exchange 2016 CU17+ shipped Modern OWA by default; delegation UI differs significantly between versions).

Table of Contents

Prerequisites

Before proceeding, verify the following on the OWA server and client environment:

OWA Version: Classic UI enabled (Get-OWAVirtualDirectory | fl Name,ClassicUIEnabled)
OWA Mailbox Policy: AllowAddSharedFolder must be $true
Get-OWAMailboxPolicy | Set-OWAMailboxPolicy -AllowAddSharedFolder $true
Permissions: Primary user requires FullAccess (folder-level) and SendAs or SendOnBehalf to the target mailbox.
Browser State: OWA stores delegation mappings in browser local storage/cookies. Incognito/private sessions and cookie clears will drop the mapping.

1. Grant Delegated Permissions (PowerShell)

OWA cannot auto-detect delegation. You must grant permissions server-side before the user maps the mailbox.

Full Access (Read/Write Folders)

Add-MailboxPermission -Identity "shared@yourdomain.com" `
                      -User "primary-user@yourdomain.com" `
                      -AccessRights FullAccess `
                      -InheritanceType All `
                      -Confirm:$false

Note: FullAccess alone allows viewing and managing folders. It does not permit sending mail.

Send As / Send On Behalf

# SendAs (appears as sent from the shared mailbox)
Add-RecipientPermission -Identity "shared@yourdomain.com" `
                        -Trustee "primary-user@yourdomain.com" `
                        -AccessRights SendAs `
                        -Confirm:$false

# OR SendOnBehalf (appears as "Sent on behalf of")
Set-Mailbox -Identity "shared@yourdomain.com" -GrantSendOnBehalfTo "primary-user@yourdomain.com"

Propogation typically takes 15–30 minutes. Verify with Get-MailboxPermission and Get-RecipientPermission before proceeding.

2. Map the Mailbox in Classic OWA

This is a one-time user action. The mapping persists across browser restarts as long as local storage is retained.

Navigate to https://<owa-server>/owa/ and log in with the primary account.
In the left navigation pane, locate the root mailbox name (the topmost folder, not Inbox or Deleted Items).
Right-click the root mailbox name.
Select Add shared folder… from the context menu.
In the dialog, type the shared mailbox name or alias. OWA queries the GAL asynchronously.
Select the correct entry from the dropdown to ensure proper DN resolution.
Click Add.

The secondary mailbox will appear directly under the primary root in the folder tree. No new browser tab or session is spawned.

Add shared folder option trigger to add addition mail

3. Verification & Removal

Verification

Expand the secondary mailbox in the folder tree.
Inbox, Sent Items, and custom subfolders should populate without auth prompts.
Sent items configured via SendAs/SendOnBehalf will route through the correct identity.

Removal

If the mapping is no longer needed or is causing errors:

Right-click the secondary mailbox in the OWA folder tree.
Select Remove shared folder.
The entry disappears immediately. No server-side cleanup required.

4. Troubleshooting

Symptom	Likely Cause	Resolution
`"You don't have permission to view this folder"`	`FullAccess` not propagated, `InheritanceType` missing, or OWA policy blocks delegation.	Run `Get-MailboxPermission -Identity <shared> -User <primary>`. Verify `-InheritanceType All`. Confirm `AllowAddSharedFolder $true` in OWA policy.
GAL doesn’t resolve the mailbox name	OWA GAL sync lag, recent AD replication delay, or mailbox creation not yet indexed.	Wait 1–2 hours for GAL update. Clear OWA cache (`Ctrl+F5` or clear site data). Verify with `Get-AddressList` replication status.
Mailbox appears but folders are blank / timeout	MRS proxy degraded, heavy load, or >3 mapped mailboxes causing metadata fetch timeout.	Check `MSExchange Mailbox Replication` service. Reduce mapped mailboxes. OWA fetches folder metadata per mapped mailbox on login.
`SendAs` fails with `"You do not have permission to send mail as..."`	`SendAs` granted but not cached in OWA session, or hybrid/MFA blocks legacy auth flow.	Re-authenticate OWA session. Verify `Get-RecipientPermission`. In hybrid setups, check `Set-OWAVirtualDirectory -InternalAuthenticationMethods`.
Mapping disappears after browser restart	OWA stores delegation in browser local storage/cookies. Incognito or cleanup wipes it.	Document limitation for users. Recommend Outlook desktop for persistent multi-mailbox workflows.

5. Operational Caveats

Classic vs Modern OWA: Exchange 2016 CU17+ defaults to Modern OWA. Delegation UI differs. Verify ClassicUIEnabled $true on the OWA virtual directory if following these steps.
Browser-Bound Persistence: OWA does not replicate delegation to server-side profiles. Cookie/local storage removal resets the view.
Performance Threshold: OWA fetches folder metadata for every mapped mailbox during login. >3–4 mapped mailboxes frequently cause timeout, blank folders, or degraded UI responsiveness.
Cross-Forest / External: OWA delegation is restricted to mailboxes within the same AD forest or federated Exchange orgs. External guests or Azure AD-only accounts cannot be mapped this way.
Hybrid & MFA Environments: Modern auth flows may restrict legacy delegation or require conditional access policy adjustments. Verify OWAVirtualDirectory auth methods and ADFS/Entra ID settings if users receive intermittent auth loops.
Mobile OWA / OWA365: This UI flow does not apply to mobile OWA or Exchange Online OWA365. Use Exchange Online mailbox delegation or Outlook unified inbox for modern deployments.

Dmytro Poliakov

Infrastructure Engineer with hands-on experience in Windows Server, Active Directory, SCCM, Exchange, and Linux environments. Concentrated on resolving production issues and keeping systems stable and reliable.