Configure permissions in Exchange Hybrid

It’s good to go through the Exchange Hybrid test plan checklist before you start to migrate any mailboxes to Exchange Online – Office 365. One of the tasks is to configure permissions cross-premises and test that shared mailbox access, send as, send on behalf, and delegate access works in Exchange Hybrid configuration.

Before you start

Ensure that you have the latest Azure AD Connect and the latest Cumulative Update running in the organization. That’s because Microsoft fixed bugs with cross-premises mailbox permissions in both releases.

Note: Patience is essential when you push changes in an Exchange Hybrid deployment. After every change, wait for the next Azure AD Connect sync cycle or force one, and allow some time before you expect the change to be visible cross-premises.

In our example, we have two accounts that we will test cross-premises permissions on:

  • Testexo (Exchange Online user mailbox)
  • SharedMailboxOnPrem (Exchange on-premises shared mailbox)

Enable ACLable object synchronization

The ACLableSyncedObjectEnabled parameter specifies whether remote mailboxes in hybrid environments are stamped as ACLableSyncedMailboxUser. By default, it’s disabled.

Check if ACLable object synchronization is enabled in the organization. Run Exchange Management Shell as administrator on your on-premises Exchange Server. Use the Get-OrganizationConfig cmdlet.

In our example, it’s disabled because the value shows as False.

[PS] C:\>Get-OrganizationConfig | ft Name,ACL*

Name  ACLableSyncedObjectEnabled
----  --------------------------
EXOIP                      False

Enable ACLable object synchronization with the Set-OrganizationConfig cmdlet including the -ACLableSyncedObjectEnabled parameter.

[PS] C:\>Set-OrganizationConfig -ACLableSyncedObjectEnabled $True

After you do this, any mailboxes that you move to Microsoft 365 or Office 365 will be properly configured to support delegated mailbox permissions. If mailboxes were moved to or created in Microsoft 365 or Office 365 prior to you completing these steps, you’ll need to manually enable ACLs on those mailboxes using the steps below.

Enable ACLs on a single mailbox moved to or created in Microsoft 365 or Office 365.

[PS] C:\>Get-AdUser "testexo" | Set-AdObject -Replace @{msExchRecipientDisplayType=-1073741818}

Enable ACLs on all mailboxes moved to or created in Microsoft 365 or Office 365.

[PS] C:\>Get-RemoteMailbox -ResultSize Unlimited | where {$_.RecipientTypeDetails -eq "RemoteUserMailbox"} | ForEach {Get-AdUser -Identity $_.Guid | Set-ADObject -Replace @{msExchRecipientDisplayType=-1073741818}}

Verify that the mailboxes have been successfully updated.

[PS] C:\>Get-RemoteMailbox -ResultSize unlimited | ForEach {Get-AdUser -Identity $_.Guid -Properties msExchRecipientDisplayType | Format-Table DistinguishedName,msExchRecipientDisplayType -Auto}

Important: The msExchRecipientDisplayType value -1073741818 should only be set for user mailboxes, not for resource mailboxes.
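The check-and-stamp steps above can be combined into one idempotent script. The following is an added example (not code from the article or from Microsoft): it reports the organization switch and every remote user mailbox that still lacks the ACL-able display type, and only changes anything when you pass -Fix. It assumes it is run in the on-premises Exchange Management Shell with the ActiveDirectory module available; the value -1073741818 is the one given in the article, and remote shared, room and equipment mailboxes are deliberately skipped because of the note above.

```powershell
# Added example (not from the original article): audit and, with -Fix, stamp
# remote user mailboxes so cross-premises ACLs work.
# Assumptions: on-premises Exchange Management Shell, ActiveDirectory module
# present. The display type value below is the one stated in the article.
param(
    [switch]$Fix
)

Import-Module ActiveDirectory

$AclableDisplayType = -1073741818   # user mailboxes only, never resource mailboxes

# 1. Organization-level switch (Get-OrganizationConfig / Set-OrganizationConfig)
$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.ACLableSyncedObjectEnabled) {
    Write-Warning "ACLableSyncedObjectEnabled is False on organization '$($orgConfig.Name)'."
    if ($Fix) {
        Set-OrganizationConfig -ACLableSyncedObjectEnabled $true
        Write-Host "Enabled ACLableSyncedObjectEnabled."
    }
}

# 2. Only RemoteUserMailbox objects are candidates; the filter excludes
#    RemoteSharedMailbox, RemoteRoomMailbox and RemoteEquipmentMailbox.
$remoteUsers = Get-RemoteMailbox -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'RemoteUserMailbox' }

$report = foreach ($rm in $remoteUsers) {
    $adObj = Get-ADUser -Identity $rm.Guid.ToString() -Properties msExchRecipientDisplayType
    $before = $adObj.msExchRecipientDisplayType
    $ok = ($before -eq $AclableDisplayType)

    if (-not $ok -and $Fix) {
        # Same change the article makes with Set-ADObject -Replace
        Set-ADObject -Identity $adObj.DistinguishedName `
            -Replace @{ msExchRecipientDisplayType = $AclableDisplayType }
        $ok = $true
    }

    [pscustomobject]@{
        Mailbox           = $rm.PrimarySmtpAddress
        DisplayTypeBefore = $before
        ACLable           = $ok
    }
}

# Mailboxes that still need attention sort to the top (False before True)
$report | Sort-Object ACLable, Mailbox | Format-Table -AutoSize
```

Run it without -Fix first to see which mailboxes would be touched; after a run with -Fix, remember the note about Azure AD Connect and allow a sync cycle before testing permissions from Exchange Online.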

Full Access permission in Exchange Hybrid

Full Access permissions stay in place when you migrate mailboxes. When you create new mailboxes in Exchange Online or Exchange on-premises, you need to grant Full Access cross-premises yourself.

Run the command in Exchange Management Shell on-premises.

[PS] C:\>Add-MailboxPermission -Identity "sharedmailboxonprem@exoip.com" -User "testexo@exoip.com" -AccessRights "FullAccess" -InheritanceType "All"

Identity             User           AccessRights  IsInherited Deny
--------             ----           ------------  ----------- ----
exoip.local/Compa... EXOIP\testexo  {FullAccess}  False       False

Start Outlook and sign in with the user testexo@exoip.com. Next, add the shared mailbox SharedMailboxOnPrem as an additional mailbox.

[Screenshot: Add additional mailbox in Outlook]

Verify that you have full access to the shared mailbox SharedMailboxOnPrem (sharedmailboxonprem@exoip.com).

[Screenshot: Full Access to the shared mailbox in Outlook]

Send As permission in Exchange Hybrid

Send As permissions stay in place when you migrate mailboxes. When you create new mailboxes in Exchange Online or Exchange on-premises, you need to grant Send As cross-premises yourself, on both sides.

Run the command in Exchange Management Shell on-premises.

[PS] C:\>Add-ADPermission -Identity "sharedmailboxonprem" -User "testexo@exoip.com" -AccessRights "ExtendedRight" -ExtendedRights "Send As"

Identity             User           Deny  Inherited
--------             ----           ----  ---------
exoip.local/Compa... EXOIP\testexo  False False

Then run the corresponding command in Exchange Online PowerShell. Press Y and Enter.

PS C:\> Add-RecipientPermission -Identity "sharedmailboxonprem" -Trustee "testexo@exoip.com" -AccessRights "SendAs"

Confirm
Are you sure you want to perform this action?
Adding recipient permission 'SendAs' for user or group 'testexo@exoip.com' on recipient Identity:'sharedmailboxonprem'.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Identity            Trustee AccessControlType AccessRights Inherited
--------            ------- ----------------- ------------ ---------
SharedMailboxOnPrem testexo Allow             {SendAs}     False    

Start Outlook and sign in with the user testexo@exoip.com. Verify that you can send as sharedmailboxonprem@exoip.com.

In our example, an email is sent to Alison.Bell@exoip.com.

[Screenshot: Send As test in Outlook]

Verify that the email is delivered to Alison Bell and that it was sent as SharedMailboxOnPrem.

[Screenshot: Received email shows SharedMailboxOnPrem as sender]

Send on Behalf permission in Exchange Hybrid

It’s important that you enable ACLable object synchronization for Send on Behalf permission to work. Otherwise, Send on Behalf will not work cross-premises. See the previous step to enable that. Next, grant Send on Behalf permission cross-premises.

Run the below command in Exchange Management Shell on-premises.

[PS] C:\>Set-Mailbox "boris.campbell@exoip.com" -GrantSendOnBehalfTo @{add='testexo@exoip.com'}

Start Outlook and sign in with the user testexo@exoip.com. Verify that you can send on behalf of Boris.Campbell@exoip.com.

In our example, an email is sent to Boris.Campbell@exoip.com.

[Screenshot: Send on Behalf test in Outlook]

Verify that the email is delivered to Boris Campbell and that it was sent on behalf of Boris Campbell.

Delegate Access in Exchange Hybrid

Ensure that you enable ACLable object synchronization for Delegate Access to work. Otherwise, delegate access will not work cross-premises. See the previous step to enable that. Next, grant Delegate Access permission cross-premises.

Run the command in Exchange Management Shell on-premises.

[PS] C:\>Add-MailboxFolderPermission -Identity "boris.campbell@exoip.com:\Calendar" -User "testexo@exoip.com" -AccessRights "Editor"

Start Outlook as the user testexo@exoip.com. Verify that you have delegate access to Boris Campbell’s calendar. Right-click in Boris’s calendar and create a new appointment.

[Screenshot: Delegate Access to the calendar verified in Outlook]
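Before or after the Outlook tests in the four sections above, it helps to see all four permission types for one trustee on one mailbox in a single view, so that a missing on-premises or Exchange Online entry is found by a query instead of by a failed send. The script below is an added example (not code from the article): it assumes the on-premises Exchange Management Shell, uses the article's example addresses as defaults, and only queries Exchange Online (Get-RecipientPermission) when -CheckExchangeOnline is given, which assumes Connect-ExchangeOnline has already been run in the same session.

```powershell
# Added example (not from the original article): read-only audit of the four
# cross-premises permission types the article configures, for one trustee on
# one on-premises mailbox.
# Assumptions: on-premises Exchange Management Shell; default addresses are the
# article's test accounts; -CheckExchangeOnline requires an existing
# Exchange Online session in this shell.
param(
    [string]$Mailbox = 'sharedmailboxonprem@exoip.com',
    [string]$Trustee = 'testexo@exoip.com',
    [string]$Folder  = 'Calendar',
    [switch]$CheckExchangeOnline
)

$mbx         = Get-Mailbox -Identity $Mailbox
$trusteeUser = Get-User -Identity $Trustee   # resolves a synced EXO user (mail user) too

# Full Access: explicit Allow entry, not inherited (matches Add-MailboxPermission above)
$fullAccess = Get-MailboxPermission -Identity $Mailbox -User $Trustee -ErrorAction SilentlyContinue |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny -and -not $_.IsInherited }

# Send As on-premises: the Send-As extended right on the AD object (Add-ADPermission above)
$sendAsOnPrem = Get-ADPermission -Identity $mbx.DistinguishedName -User $Trustee -ErrorAction SilentlyContinue |
    Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.Deny }

# Send on Behalf: stored on the mailbox itself (Set-Mailbox -GrantSendOnBehalfTo above)
$sendOnBehalf = $mbx.GrantSendOnBehalfTo |
    Where-Object { $_.DistinguishedName -eq $trusteeUser.DistinguishedName }

# Delegate (folder-level) access (Add-MailboxFolderPermission above)
$folderPerm = Get-MailboxFolderPermission -Identity "$($Mailbox):\$Folder" -User $Trustee -ErrorAction SilentlyContinue
$folderRights = if ($folderPerm) { $folderPerm.AccessRights -join ',' } else { 'None' }

$result = [ordered]@{
    Mailbox      = $Mailbox
    Trustee      = $Trustee
    FullAccess   = [bool]$fullAccess
    SendAsOnPrem = [bool]$sendAsOnPrem
    SendOnBehalf = [bool]$sendOnBehalf
    FolderAccess = $folderRights
}

if ($CheckExchangeOnline) {
    # Send As must also exist in Exchange Online (Add-RecipientPermission above);
    # a mismatch between the two sides is the usual cause of a Send As failure.
    $sendAsExo = Get-RecipientPermission -Identity $Mailbox -Trustee $Trustee -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRights -contains 'SendAs' }
    $result['SendAsExchangeOnline'] = [bool]$sendAsExo
}

[pscustomobject]$result | Format-List
```

Run it for the shared mailbox and again for boris.campbell@exoip.com to cover all of the article's tests; a False next to SendAsOnPrem or SendAsExchangeOnline tells you which side still lacks the entry.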

Did this help you to configure Exchange Hybrid cross-premises permissions?

In the next article, we will look at how to update MX records to Office 365.

Conclusion

You learned how to configure permissions in Exchange Hybrid. When you migrate mailboxes, all the permissions will stay in place. But, when you create new mailboxes and give permissions between mailboxes on-premises and Exchange Online, you must go through some additional steps.

Did you enjoy this article? You may also like Mailbox still visible in Outlook after removing permission. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has One Comment

  1. Hi,

    Question about access from EXO to on-prem. During the migration we need access from an O365 user to a mailbox on-prem. Need to “send as”, which is not possible. I grant them Full Access to the local mailbox, but the error is that they do not have the permission to “send as” the local mailbox.

    Have you got an idea what the problem is, why the mailbox users in the cloud are not able to “send as” with a local mailbox?

    Info: ACLableSyncedObjectEnabled : True

    Best from Germany,
    sueleyman
