Public Folders Visibility and Access – Exchange 2013 and Office 365

Public Folders are still around in Exchange 2013 and they have been incorporated into Office 365 (it is Exchange Online after all!). During a recent migration, a client of mine was consolidating multiple organizations. While doing so, mailbox and Public Folder data will be consolidated to a single DAG cluster. While the entities were to share the mail system (Exchange 2013), they wanted certain parts to be isolated (read Public Folders).
In order to do this we would re-arrange their folders to have one ‘Root’ folder per organization:


With this separation of Public Folders there would be two main goals. (1) Reorganize the folders into separate companies and then (2) Hide the other folders from other companies viewing or even seeing the root folders of other companies like this:

Public Folders have several permission groups assigned to the root folders:

Note ‘Default’ has ‘Author’ rights assigned to it. This will grant far more permissions than we would like for users in other companies. How do we fix this? If you read the permission levels and what is granted , it would appear the ‘FolderVisible’ right is always available even if the ‘Default’ account is set to ‘None’. However, if we set default to No, then the folder is no longer visible in an Outlook email client. To set the permissions to none, use this PowerShell one liner:

get-publicfolder -Identity \company1 | remove-PublicFolderClientPermission -User default -AccessRights author

Then the permissions on the root look like this:

That’s great, however, no one can see the folder now….. Completely invisible. Now to add users or Company 1 to access this root, we need to create a Distribution Group (Dynamic or static). Once the group is created, we can assign permissions to the folder to allow the users in Company 1 to see their Public Folder tree:

get-publicfolder -Identity \company1 | add-PublicFolderClientPermission -User <Company 1 Distribution Group> -AccessRights author

With this addition the permissions look like this on the ‘Company1’ Public Folder:

When adding permissions to Public Folders in Exchange 2007 the permissions take some time to apply. If the permissions do not appear right away, wait an hour or so and the permissions will eventually apply.
Notes
The above changes were performed in Exchange 2007 because the organization wanted to have this structure in place prior to migrating to Exchange 2013. The same configuration could have taken place after the move to 2013 or to Office 365.
Office 365
How would this look in Office 365? Could we indeed perform the same tasks in a hosted Exchange environment, isolate the folders and then grant group specific permissions. The answer is simply yes. The process is the exact same.
Public Folder commands in Office 365