
Configure permissions in Exchange hybrid

It’s good to go through the Exchange hybrid test plan checklist before you migrate any mailboxes to Exchange Online (Office 365). One of the tasks is to configure permissions cross-premises and test that shared mailbox access (Full Access), Send As, Send on Behalf, and delegate access work in the Exchange hybrid configuration.

Before you start

Ensure that you run the latest Azure AD Connect release and the latest Exchange Cumulative Update in the organization. Microsoft fixed bugs with cross-premises mailbox permissions in both, so older builds may not behave as shown here.

Remember that patience is essential when you push changes in an Exchange hybrid deployment. Wait for the next Azure AD Connect sync cycle, or force one (Start-ADSyncSyncCycle -PolicyType Delta on the Azure AD Connect server), before you expect the changes to show up cross-premises.

Enable ACLable object synchronization

The ACLableSyncedObjectEnabled parameter specifies whether remote mailboxes in hybrid environments are stamped as ACLableSyncedMailboxUser. By default, it’s disabled.

Check if ACLable object synchronization is enabled in the organization. Run Exchange Management Shell as administrator on your on-premises Exchange Server. Use the Get-OrganizationConfig cmdlet.

In our example, it’s disabled because the value shows as False.

[PS] C:\>Get-OrganizationConfig | ft Name,ACL*

Name  ACLableSyncedObjectEnabled
----  --------------------------
EXOIP                      False

Enable ACLable object synchronization with the Set-OrganizationConfig cmdlet including the -ACLableSyncedObjectEnabled parameter.

[PS] C:\>Set-OrganizationConfig -ACLableSyncedObjectEnabled $True

After you do this, any mailboxes that you move to Microsoft 365 or Office 365 will be properly configured to support delegated mailbox permissions. If mailboxes were moved to Microsoft 365 or Office 365 prior to you completing these steps, you’ll need to manually enable ACLs on those mailboxes using the steps below.

Enable ACLs on a single mailbox moved to Microsoft 365 or Office 365.

[PS] C:\>Get-AdUser "Amanda.Morgan" | Set-AdObject -Replace @{msExchRecipientDisplayType=-1073741818}

Enable ACLs on all mailboxes moved to Microsoft 365 or Office 365.

[PS] C:\>Get-RemoteMailbox -ResultSize Unlimited | where {$_.RecipientTypeDetails -eq "RemoteUserMailbox"} | ForEach {Get-AdUser -Identity $_.Guid | Set-ADObject -Replace @{msExchRecipientDisplayType=-1073741818}}

Verify that the mailboxes have been updated. Every RemoteUserMailbox should now show -1073741818. Collecting the AD objects first and formatting once at the end avoids a repeated table header per mailbox.

[PS] C:\>Get-RemoteMailbox -ResultSize Unlimited | ForEach {Get-AdUser -Identity $_.Guid -Properties msExchRecipientDisplayType} | Format-Table DistinguishedName,msExchRecipientDisplayType -Auto

Important: Set msExchRecipientDisplayType to -1073741818 only on user mailboxes, never on resource (room or equipment) mailboxes. The filter on RecipientTypeDetails "RemoteUserMailbox" in the bulk command above takes care of that.
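The whole procedure above, as an added example that is not code from the original article: it checks the organization setting, lists every remote mailbox with its current msExchRecipientDisplayType, and stamps only the RemoteUserMailbox objects that still miss the ACLable value, while resource and shared remote mailboxes are reported but never touched. It runs in Exchange Management Shell on-premises and assumes the ActiveDirectory module is available there (it is in EMS); the function names are this example's own.

```powershell
# Added example, not from the original article. Run in Exchange Management Shell on-premises.
# Assumes the ActiveDirectory module is loaded (standard in EMS).

$ACLableSyncedMailboxUser = -1073741818   # display type Exchange uses for ACLableSyncedMailboxUser

function Test-ACLableOrganizationConfig {
    # $true when ACLableSyncedObjectEnabled is already on at the organization level.
    [bool](Get-OrganizationConfig).ACLableSyncedObjectEnabled
}

function Get-ACLableRemoteMailboxStatus {
    # One row per remote mailbox. NeedsRepair is only ever $true for user mailboxes;
    # room, equipment and shared remote mailboxes are listed but flagged $false.
    Get-RemoteMailbox -ResultSize Unlimited | ForEach-Object {
        $ad = Get-ADUser -Identity $_.Guid -Properties msExchRecipientDisplayType
        $isUser = ($_.RecipientTypeDetails -eq 'RemoteUserMailbox')
        [pscustomobject]@{
            Name                 = $_.Name
            RecipientTypeDetails = "$($_.RecipientTypeDetails)"
            DisplayType          = $ad.msExchRecipientDisplayType
            NeedsRepair          = $isUser -and ($ad.msExchRecipientDisplayType -ne $ACLableSyncedMailboxUser)
            DistinguishedName    = $ad.DistinguishedName
        }
    }
}

function Repair-ACLableRemoteMailbox {
    # Enables the org setting if needed, then fixes user mailboxes that were moved before
    # the setting was on. Supports -WhatIf so the change list can be reviewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-ACLableOrganizationConfig)) {
        if ($PSCmdlet.ShouldProcess('Organization', 'Set ACLableSyncedObjectEnabled to True')) {
            Set-OrganizationConfig -ACLableSyncedObjectEnabled $true
        }
    }

    foreach ($row in Get-ACLableRemoteMailboxStatus) {
        if (-not $row.NeedsRepair) { continue }
        if ($PSCmdlet.ShouldProcess($row.Name, "Set msExchRecipientDisplayType to $ACLableSyncedMailboxUser")) {
            Set-ADObject -Identity $row.DistinguishedName -Replace @{ msExchRecipientDisplayType = $ACLableSyncedMailboxUser }
        }
    }
}

# Review first, then apply without -WhatIf.
Get-ACLableRemoteMailboxStatus | Format-Table Name, RecipientTypeDetails, DisplayType, NeedsRepair -AutoSize
Repair-ACLableRemoteMailbox -WhatIf
# Repair-ACLableRemoteMailbox
```

Run the status report once more after Azure AD Connect has synchronized, because the stamp only matters once it has reached Exchange Online.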

Full Access permission in Exchange hybrid

Full Access permissions stay in place when you migrate mailboxes. When you create new mailboxes in Exchange Online or Exchange on-premises afterwards, you need to grant Full Access explicitly for cross-premises access, on the side where the target mailbox lives.

Run the command in Exchange Management Shell on-premises.

[PS] C:\>Add-MailboxPermission -Identity "sharedmailboxonprem@exoip.com" -User "test.mailbox2@exoip.com" -AccessRights "FullAccess" -InheritanceType "All"

Identity             User                 AccessRights  IsInherited Deny
--------             ----                 ------------  ----------- ----
exoip.local/Compa... EXOIP\Test.Mailbox2  {FullAccess}  False       False

Start Outlook as the user Test Mailbox2 and verify that you have full access to sharedmailboxonprem@exoip.com. Automapping does not work cross-premises, so add the shared mailbox to the Outlook profile manually if it does not appear on its own.

Screenshot: Configure permissions in Exchange hybrid, Full Access test.

Send As permission in Exchange hybrid

Send As permissions stay in place when you migrate mailboxes. When you create new mailboxes in Exchange Online or Exchange on-premises afterwards, you need to grant Send As on both sides: on-premises it is an Active Directory extended right that Azure AD Connect does not synchronize, and in Exchange Online it is a recipient permission.

Run the command in Exchange Management Shell on-premises.

[PS] C:\>Add-ADPermission -Identity "sharedmailboxonprem" -User "test.mailbox2@exoip.com" -AccessRights "ExtendedRight" -ExtendedRights "Send As"

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
exoip.local/Compa... EXOIP\Test.Mailbox2  False False

Then run the corresponding command in Exchange Online PowerShell and confirm the prompt with Y and Enter.

PS C:\> Add-RecipientPermission -Identity "sharedmailboxonprem" -Trustee "test.mailbox2@exoip.com" -AccessRights "SendAs"

Confirm
Are you sure you want to perform this action?
Adding recipient permission 'SendAs' for user or group 'test.mailbox2@exoip.com' on recipient Identity:'sharedmailboxonprem'.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Identity            Trustee       AccessControlType AccessRights Inherited
--------            -------       ----------------- ------------ ---------
SharedMailboxOnPrem Test Mailbox2 Allow             {SendAs}     False    

Start Outlook as the user Test Mailbox2 and verify that you can send as sharedmailboxonprem@exoip.com. In our example an email is sent to Alison.Bell@exoip.com.

Screenshot: Configure permissions in Exchange hybrid, Send As test.

Verify that the email is delivered to Alison Bell and that it is sent as SharedMailboxOnPrem.

Screenshot: Configure permissions in Exchange hybrid, Send As test verified.

Send on Behalf permission in Exchange hybrid

Send on Behalf only works cross-premises when ACLable object synchronization is enabled; see the previous step. Grant it on the side where the mailbox owner lives. Boris Campbell’s mailbox is on-premises in this example, so run the command in Exchange Management Shell on-premises.

[PS] C:\>Set-Mailbox "boris.campbell@exoip.com" -GrantSendOnBehalfTo @{add='test.mailbox2@exoip.com'}

Start Outlook as the user Test Mailbox2 and verify that you can send on behalf of Boris.Campbell@exoip.com. In our example an email is sent to Boris.Campbell@exoip.com.

Screenshot: Configure permissions in Exchange hybrid, Send on Behalf test.

Verify that the email is delivered to Boris Campbell and that it is sent on behalf of Boris Campbell.

Delegate Access in Exchange hybrid

Delegate access only works cross-premises when ACLable object synchronization is enabled; see the previous step.

Grant Editor permission on Boris Campbell’s Calendar folder. Run the command in Exchange Management Shell on-premises, where the mailbox lives.

[PS] C:\>Add-MailboxFolderPermission -Identity "boris.campbell@exoip.com:\Calendar" -User "test.mailbox2@exoip.com" -AccessRights "Editor"

Start Outlook as the user Test Mailbox2 and verify that you have delegate access to Boris Campbell’s calendar: open the calendar, right-click in it, and create a new appointment.

Screenshot: Configure permissions in Exchange hybrid, Delegate Access verified.
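The four permission types covered above (Full Access, Send As, Send on Behalf, and Calendar folder rights) are read back by different cmdlets, and Send As by a different cmdlet on each side of the hybrid. The following added example, which is not code from the original article, collects the explicit grants on one mailbox into a flat list so you can take a snapshot on each side and compare them as part of the test plan. It assumes you are connected to one side per session (Exchange Management Shell on-premises or Exchange Online PowerShell), that the calendar folder is named "Calendar" (pass -CalendarFolder for a localized name), and it uses the article's exoip.com lab addresses; the function names are this example's own.

```powershell
# Added example, not from the original article. Run in Exchange Management Shell on-premises
# or in Exchange Online PowerShell, against a mailbox that lives on the connected side.

function Get-MailboxPermissionSnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [string]$CalendarFolder = 'Calendar'   # assumption: English folder name
    )

    # Principals present on every mailbox that are not delegation grants.
    $systemPatterns = 'NT AUTHORITY\*', 'S-1-5-*', 'Default', 'Anonymous'
    function IsSystemPrincipal([string]$name) {
        foreach ($pattern in $systemPatterns) { if ($name -like $pattern) { return $true } }
        return $false
    }
    function NewRow([string]$permission, [string]$trustee) {
        [pscustomobject]@{ Mailbox = $Mailbox; Permission = $permission; Trustee = $trustee }
    }

    # Full Access: explicit, non-inherited Allow entries only.
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       "$($_.AccessRights)" -like '*FullAccess*' -and
                       -not (IsSystemPrincipal "$($_.User)") } |
        ForEach-Object { NewRow 'FullAccess' "$($_.User)" }

    # Send As: a recipient permission in Exchange Online, an AD extended right on-premises.
    if (Get-Command Get-RecipientPermission -ErrorAction SilentlyContinue) {
        Get-RecipientPermission -Identity $Mailbox |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           "$($_.AccessRights)" -like '*SendAs*' -and
                           -not (IsSystemPrincipal "$($_.Trustee)") } |
            ForEach-Object { NewRow 'SendAs' "$($_.Trustee)" }
    } else {
        Get-ADPermission -Identity $Mailbox |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           "$($_.ExtendedRights)" -like '*Send-As*' -and
                           -not (IsSystemPrincipal "$($_.User)") } |
            ForEach-Object { NewRow 'SendAs' "$($_.User)" }
    }

    # Send on Behalf: a mailbox attribute, one entry per grantee.
    (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo |
        ForEach-Object { NewRow 'SendOnBehalf' "$_" }

    # Calendar delegates: folder-level rights other than the Default/Anonymous entries.
    Get-MailboxFolderPermission -Identity "${Mailbox}:\$CalendarFolder" -ErrorAction SilentlyContinue |
        Where-Object { -not (IsSystemPrincipal "$($_.User)") } |
        ForEach-Object { NewRow "Calendar:$($_.AccessRights -join ',')" "$($_.User)" }
}

# Take one snapshot per side for the same mailbox and compare them.
$snapshot = Get-MailboxPermissionSnapshot -Mailbox 'sharedmailboxonprem@exoip.com'
$snapshot | Format-Table -AutoSize
# Compare-Object $onPremSnapshot $onlineSnapshot -Property Permission, Trustee
```

Trustees are shown the way each side reports them (EXOIP\Test.Mailbox2 on-premises, the display name in Exchange Online), so compare by recipient rather than by exact string. A Send As entry that appears on only one side is the case the Send As section above tells you to fix by adding it on the other side too.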

Did this help you to configure Exchange hybrid cross-premises permissions?

In the next article, we will look at how to update MX records to Office 365.

Conclusion

You learned how to configure permissions in Exchange hybrid. When you migrate mailboxes, existing permissions stay in place. When you create new mailboxes afterwards and grant permissions between on-premises and Exchange Online mailboxes, you have to go through the additional steps above.

Did you enjoy this article? You may also like Mailbox still visible in Outlook after removing permission. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started in Information Technology at a very young age, and his goal is to teach and inspire others.