
Configure permissions in Exchange Hybrid

It’s good to go through the Exchange Hybrid test plan checklist before you start to migrate any mailboxes to Exchange Online – Office 365. One of the tasks is to configure permissions cross-premises and test that shared mailbox access, send as, send on behalf, and delegate access works in Exchange Hybrid configuration.

Before you start

Ensure that you have the latest Azure AD Connect and the latest Cumulative Update running in the organization. That’s because Microsoft fixed bugs with cross-premises mailbox permissions in both releases.

Note: Patience is essential when you push changes in an Exchange Hybrid deployment. After every change, wait for the next Azure AD Connect sync cycle or force one, and then allow some time before you expect the change to be visible cross-premises.

In our example, we have two accounts that we will test cross-premises permissions on:

  • Testexo (Exchange Online user mailbox)
  • SharedMailboxOnPrem (Exchange on-premises shared mailbox)

Enable ACLable object synchronization

The ACLableSyncedObjectEnabled parameter specifies whether remote mailboxes in hybrid environments are stamped as ACLableSyncedMailboxUser. By default, it’s disabled.

Check if ACLable object synchronization is enabled in the organization. Run Exchange Management Shell as administrator on your on-premises Exchange Server. Use the Get-OrganizationConfig cmdlet.

In our example, it’s disabled because the value shows as False.

[PS] C:\>Get-OrganizationConfig | ft Name,ACL*

Name  ACLableSyncedObjectEnabled
----  --------------------------
EXOIP                      False

Enable ACLable object synchronization with the Set-OrganizationConfig cmdlet including the -ACLableSyncedObjectEnabled parameter.

[PS] C:\>Set-OrganizationConfig -ACLableSyncedObjectEnabled $True

After you do this, any mailboxes that you move to Microsoft 365 or Office 365 will be properly configured to support delegated mailbox permissions. If mailboxes were moved to or created in Microsoft 365 or Office 365 prior to you completing these steps, you’ll need to manually enable ACLs on those mailboxes using the steps below.

Enable ACLs on a single mailbox moved to or created in Microsoft 365 or Office 365.

[PS] C:\>Get-AdUser "testexo" | Set-AdObject -Replace @{msExchRecipientDisplayType=-1073741818}

Enable ACLs on all mailboxes moved to or created in Microsoft 365 or Office 365.

[PS] C:\>Get-RemoteMailbox -ResultSize Unlimited | where {$_.RecipientTypeDetails -eq "RemoteUserMailbox"} | ForEach {Get-AdUser -Identity $_.Guid | Set-ADObject -Replace @{msExchRecipientDisplayType=-1073741818}}

Verify that the mailboxes have been successfully updated.

[PS] C:\>Get-RemoteMailbox -ResultSize unlimited | ForEach {Get-AdUser -Identity $_.Guid -Properties msExchRecipientDisplayType | Format-Table DistinguishedName,msExchRecipientDisplayType -Auto}

Important: The msExchRecipientDisplayType value -1073741818 should only be set for user mailboxes, not for resource mailboxes.
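The steps above, combined into one script as an added example (not code from the original article): it switches on ACLable object synchronization only if it is still off, stamps only RemoteUserMailbox objects (the same filter the article uses, so remote room, equipment and shared mailboxes are left alone), and then audits every remote mailbox for a missing or wrongly applied value. The function names, the -WhatIf preview and the report layout are this example's own; it assumes it runs in the Exchange Management Shell on the on-premises server with the ActiveDirectory module available.

```powershell
# Added example, not code from the original article. Run in the Exchange
# Management Shell on-premises. Enables ACLable object synchronization,
# stamps remote user mailboxes, and reports inconsistent objects.

Import-Module ActiveDirectory -ErrorAction Stop

# msExchRecipientDisplayType value for ACLableSyncedMailboxUser
$AclableDisplayType = -1073741818

function Enable-AclableRemoteUserMailbox {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Organization-wide switch, only touched when it is still off (idempotent).
    $org = Get-OrganizationConfig
    if (-not $org.ACLableSyncedObjectEnabled) {
        if ($PSCmdlet.ShouldProcess($org.Name, 'Set ACLableSyncedObjectEnabled to $true')) {
            Set-OrganizationConfig -ACLableSyncedObjectEnabled $true
        }
    }

    # Mailboxes already moved to or created in the cloud are not re-stamped by the
    # switch, so stamp them here. Only RemoteUserMailbox: the value must not be
    # set on resource mailboxes, and the article's own filter skips shared ones too.
    $remoteUsers = Get-RemoteMailbox -ResultSize Unlimited |
        Where-Object { $_.RecipientTypeDetails -eq 'RemoteUserMailbox' }

    foreach ($rm in $remoteUsers) {
        $ad = Get-ADUser -Identity $rm.Guid -Properties msExchRecipientDisplayType
        if ($ad.msExchRecipientDisplayType -eq $AclableDisplayType) { continue }   # already stamped
        if ($PSCmdlet.ShouldProcess($ad.DistinguishedName, "Set msExchRecipientDisplayType to $AclableDisplayType")) {
            Set-ADObject -Identity $ad.DistinguishedName -Replace @{ msExchRecipientDisplayType = $AclableDisplayType }
        }
    }
}

function Get-AclableStampReport {
    # Lists every remote mailbox whose stamp disagrees with its type:
    # user mailboxes without the value, and non-user mailboxes that have it.
    foreach ($rm in Get-RemoteMailbox -ResultSize Unlimited) {
        $ad      = Get-ADUser -Identity $rm.Guid -Properties msExchRecipientDisplayType
        $isUser  = $rm.RecipientTypeDetails -eq 'RemoteUserMailbox'
        $stamped = $ad.msExchRecipientDisplayType -eq $AclableDisplayType
        if ($isUser -eq $stamped) { continue }   # consistent, nothing to report

        $problem = 'resource/shared mailbox stamped'
        if ($isUser) { $problem = 'user mailbox not stamped' }

        [PSCustomObject]@{
            PrimarySmtpAddress         = $rm.PrimarySmtpAddress
            RecipientTypeDetails       = $rm.RecipientTypeDetails
            msExchRecipientDisplayType = $ad.msExchRecipientDisplayType
            Problem                    = $problem
        }
    }
}

# Preview first, then apply, then verify. An empty report means every
# remote mailbox is consistent with its type.
Enable-AclableRemoteUserMailbox -WhatIf
Enable-AclableRemoteUserMailbox
Get-AclableStampReport | Format-Table -AutoSize
```

Run the audit again after the next Azure AD Connect sync if you also want to confirm the cloud-side effect, since the stamp itself is an on-premises AD attribute.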

Full Access permission in Exchange Hybrid

Full Access permissions that already exist are preserved when you migrate a mailbox. For mailboxes created afterwards, whether in Exchange Online or on-premises, you must grant Full Access explicitly before it works cross-premises.

Run the command in Exchange Management Shell on-premises.

[PS] C:\>Add-MailboxPermission -Identity "sharedmailboxonprem@exoip.com" -User "testexo@exoip.com" -AccessRights "FullAccess" -InheritanceType "All"

Identity             User           AccessRights  IsInherited Deny
--------             ----           ------------  ----------- ----
exoip.local/Compa... EXOIP\testexo  {FullAccess}  False       False

Start Outlook and sign in with the user testexo@exoip.com. Next, add the shared mailbox SharedMailboxOnPrem as an additional mailbox.

[Screenshot: Outlook, adding SharedMailboxOnPrem as an additional mailbox]

Verify that you have full access to the shared mailbox SharedMailboxOnPrem (sharedmailboxonprem@exoip.com).

[Screenshot: Outlook, Full Access to SharedMailboxOnPrem verified]

Send As permission in Exchange Hybrid

Send As permissions that already exist are preserved when you migrate a mailbox. For mailboxes created afterwards, whether in Exchange Online or on-premises, you must grant Send As explicitly before it works cross-premises.

Run the command in Exchange Management Shell on-premises.

[PS] C:\>Add-ADPermission -Identity "sharedmailboxonprem" -User "testexo@exoip.com" -AccessRights "ExtendedRight" -ExtendedRights "Send As"

Identity             User           Deny  Inherited
--------             ----           ----  ---------
exoip.local/Compa... EXOIP\testexo  False False

Send As is stored as an AD extended right on-premises, and the Exchange Online side has to be granted separately. Run the corresponding command in Exchange Online PowerShell and confirm with Y and Enter.

PS C:\> Add-RecipientPermission -Identity "sharedmailboxonprem" -Trustee "testexo@exoip.com" -AccessRights "SendAs"

Confirm
Are you sure you want to perform this action?
Adding recipient permission 'SendAs' for user or group 'testexo@exoip.com' on recipient Identity:'sharedmailboxonprem'.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Identity            Trustee AccessControlType AccessRights Inherited
--------            ------- ----------------- ------------ ---------
SharedMailboxOnPrem testexo Allow             {SendAs}     False    

Start Outlook and sign in with the user testexo@exoip.com. Verify that you can send as sharedmailboxonprem@exoip.com.

In our example, an email is sent to Alison.Bell@exoip.com.

[Screenshot: Outlook, sending as SharedMailboxOnPrem]

Verify that the email is delivered to Alison Bell and that it was sent as SharedMailboxOnPrem.

[Screenshot: received message showing SharedMailboxOnPrem as sender]

Send on Behalf permission in Exchange Hybrid

It’s important that you enable ACLable object synchronization for Send on Behalf permission to work. Otherwise, Send on Behalf will not work cross-premises. See the previous step to enable it. Next, grant Send on Behalf permission for cross-premises.

Run the below command in Exchange Management Shell on-premises.

[PS] C:\>Set-Mailbox "boris.campbell@exoip.com" -GrantSendOnBehalfTo @{add='testexo@exoip.com'}

Start Outlook and sign in with the user testexo@exoip.com. Verify that you can send on behalf of Boris.Campbell@exoip.com.

In our example, an email is sent to Boris.Campbell@exoip.com.

[Screenshot: Outlook, sending on behalf of Boris Campbell]

Verify that the email is delivered to Boris Campbell and that it was sent on behalf of Boris Campbell.

Delegate Access in Exchange Hybrid

Ensure that you enable ACLable object synchronization for delegate access to work. Otherwise, delegate access will not work cross-premises. See the previous step to enable it. Next, grant delegate access permissions for cross-premises.

Run the command in Exchange Management Shell on-premises.

[PS] C:\>Add-MailboxFolderPermission -Identity "boris.campbell@exoip.com:\Calendar" -User "testexo@exoip.com" -AccessRights "Editor"

Start Outlook as the user testexo@exoip.com. Verify that you have delegate access to Boris Campbell’s calendar. Right-click in Boris’s calendar and create a new appointment.

[Screenshot: Outlook, creating an appointment in Boris Campbell’s calendar]
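Before the Outlook tests in the Full Access, Send As, Send on Behalf and delegate access sections above, it helps to confirm from the shell that each permission actually exists for the pair you configured. The following audit is an added example, not code from the original article: it reports all four permissions for one mailbox/trustee pair, and checks the Exchange Online half of Send As too when an Exchange Online PowerShell session is loaded in the same shell. The function name, parameter names and report layout are this example's own; the addresses are the article's.

```powershell
# Added example, not code from the original article. Run in the Exchange
# Management Shell on-premises; if Exchange Online PowerShell is also
# connected in this session, the cloud side of Send As is checked as well.

Import-Module ActiveDirectory -ErrorAction Stop

function Get-CrossPremisesPermissionReport {
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,   # mailbox being shared
        [Parameter(Mandatory = $true)] [string] $Trustee,   # user who gets access
        [string] $Folder = 'Calendar'                        # folder for the delegate check
    )

    # The cmdlets name the trustee differently (DOMAIN\sam, canonical name,
    # display name), so resolve it once and match on SamAccountName or GUID.
    $trusteeRecipient = Get-Recipient -Identity $Trustee -ErrorAction Stop
    $sam = (Get-ADUser -Identity $trusteeRecipient.Guid).SamAccountName

    # Full Access: a mailbox permission; explicit, non-inherited Allow entries only.
    $fullAccess = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       "$($_.User)" -like "*\$sam" -and "$($_.AccessRights)" -match 'FullAccess' }

    # Send As on-premises: an AD extended right on the mailbox object.
    $sendAsOnPrem = Get-ADPermission -Identity $Mailbox |
        Where-Object { -not $_.Deny -and "$($_.User)" -like "*\$sam" -and
                       "$($_.ExtendedRights)" -match 'Send-As' }

    # Send As in Exchange Online: granted separately (Add-RecipientPermission),
    # so it is checked separately. Skipped when no EXO session is loaded.
    $exoChecked = [bool](Get-Command Get-RecipientPermission -ErrorAction SilentlyContinue)
    $sendAsExo = $null
    if ($exoChecked) {
        $sendAsExo = Get-RecipientPermission -Identity $Mailbox -Trustee $Trustee -ErrorAction SilentlyContinue |
            Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.AccessRights)" -match 'SendAs' }
    }
    $sendAsExoState = 'not checked (no Exchange Online session)'
    if ($exoChecked) { $sendAsExoState = [bool]$sendAsExo }

    # Send on Behalf: stored on the target mailbox as GrantSendOnBehalfTo.
    $sendOnBehalf = (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo |
        ForEach-Object { Get-Recipient -Identity "$_" -ErrorAction SilentlyContinue } |
        Where-Object { $_.Guid -eq $trusteeRecipient.Guid }

    # Delegate access: a folder-level permission, for example Editor on Calendar.
    $folderPerm = Get-MailboxFolderPermission -Identity "${Mailbox}:\$Folder" -User $Trustee -ErrorAction SilentlyContinue
    $delegateState = 'none'
    if ($folderPerm) { $delegateState = "$($folderPerm.AccessRights)" }

    [PSCustomObject]@{
        Mailbox        = $Mailbox
        Trustee        = $Trustee
        FullAccess     = [bool]$fullAccess
        SendAsOnPrem   = [bool]$sendAsOnPrem
        SendAsExo      = $sendAsExoState
        SendOnBehalf   = [bool]$sendOnBehalf
        DelegateFolder = "$Folder -> $delegateState"
    }
}

# Usage with the article's two test pairs.
Get-CrossPremisesPermissionReport -Mailbox 'sharedmailboxonprem@exoip.com' -Trustee 'testexo@exoip.com'
Get-CrossPremisesPermissionReport -Mailbox 'boris.campbell@exoip.com' -Trustee 'testexo@exoip.com' -Folder 'Calendar'
```

A True on-premises with a failing Outlook test usually means the change has not synchronized yet; re-run the report after forcing an Azure AD Connect sync, and for Send As confirm that the SendAsExo column is True as well, since the on-premises right alone is not enough.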

Did this help you to configure Exchange Hybrid cross-premises permissions?

In the next article, we will look at how to update MX records to Office 365.

Conclusion

You learned how to configure permissions in Exchange Hybrid. When you migrate mailboxes, existing permissions stay in place. But when you create new mailboxes and grant permissions between mailboxes on-premises and in Exchange Online, you must go through the additional steps above.


ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 10 Comments

  1. Hi again,
    All the documentation shows this setting related to Exchange 2010/2016 but not for 2019. Is it not needed for Exchange 2019?
    If I enable for all users, will their existing permissions be modified, or will they be retained? Currently, I am able to add delegate permissions using the PS commands in this article with no issues and we do not have the ACLableSyncedObject enabled in our environment.

    1. ACLable object synchronization is disabled by default on Exchange Server 2019, and you need to enable it. The users’ permissions will be retained.

      Adding permissions with PowerShell works if you don’t have the ACLable object synchronization enabled. But did you test if it works for the users?

      1. Thanks Ali,
        We don’t want end users to be able to assign themselves delegate permissions, right? We have these restricted in our domain/tenant.
        However, will this setting allow users to modify the on-prem DLs they own? This is an issue we have been dealing with which we would like to have resolved if possible.

        Thanks!

  2. Hello!
    Are there any repercussions to enabling the ACLable object synchronization? Will this be visible to the end user in any way?

  3. Does enabling ACLable object synchronization affect anything when I have 2 Exchange on-premises farms (both in separate AD domains) synced to one O365?

  4. Good content.
    Do you have any guide on an on-prem user trying to access a shared EXO mailbox?
    I have been battling with permission issues.
    AADConnect is synced, HCW was run OK.
    The migrated shared mailbox could not be accessed by the on-prem user.
    When trying to check permissions on the RemoteMailbox in on-prem Exchange, it says identity not found in AD.
    “Mailbox Delegation” is not showing in EWC for that remote mailbox, which looks normal for a migrated shared mailbox.

  5. Great article.
    You mentioned to sync Azure AD. Of course, keep in mind that domain/OU filtering could be enabled in Azure AD Connect. If you do not sync the shared mailbox accounts or OU, the shared mailbox that is still living on the Exchange on-prem server is not visible. That was my problem.

  6. Hi,

    Question about access from EXO to on-prem. During the migration we need access from an O365 user to a mailbox on-prem. We need “send as”, which is not possible. I granted them Full Access to the local mailbox, but the error is that they do not have the permission to “send as” the local mailbox.

    Have you got an idea what the problem is, why the mailbox users in the cloud are not able to “send as” the local mailbox?

    Info: ACLableSyncedObjectEnabled : True

    best from germany
    sueleyman

    1. Hi,

      I have the same issue here. I need to set Send As permission for an online user mailbox on a distribution list synced from on-prem. Have you found any solution except recreating all DLs online and deleting them on-prem?

      Thank you in advance,
      coryman
