Configure permissions in Exchange hybrid

Microsoft Exchange is a free, cloud-based email service that is used by millions of people worldwide. It’s also an excellent platform for running your business. But what are the best ways to configure permissions in an Exchange hybrid deployment?

The exchange hybrid permissions are used to configure the permissions in Exchange hybrid. These permissions can be configured on an individual mailbox basis or across an entire organization.

Before you begin migrating any mailboxes to Exchange Online – Office 365, go through the Exchange hybrid test plan checklist. One of the objectives is to establish permissions cross-premises and verify that shared mailbox access, send as, send on behalf, and delegate access in an Exchange hybrid configuration function properly.

Before you begin,

Make sure your organization has the most recent Azure AD Connect and Cumulative Update installed. Because both versions addressed issues with cross-premises mailbox permissions, this is the case.

When pushing changes in an Exchange hybrid deployment, remember to be patient. Before you notice changes in cross-premises, wait or forcibly sync Azure AD Connect.

Activate object synchronization for ACLable objects.

The ACLableSyncedObjectEnabled option determines whether ACLableSyncedMailboxUser is stamped on remote mailboxes in hybrid setups. It’s turned off by default.

Check to see whether the organization has ACLable object synchronization enabled. On your on-premises Exchange Server, run Exchange Management Shell as an administrator. Use the cmdlet Get-OrganizationConfig.

It’s disabled in our case since the value is False.

C:>Get-OrganizationConfig | ft Name,ACL* Name ACLableSyncedObjectEnabled | ft Name,ACL* Name ACLableSyncedObjectEnabled —————————————————————————————————————————————— False EXOIP

Using the Set-OrganizationConfig cmdlet and the -ACLableSyncedObjectEnabled option, enable ACLable object synchronization.

C:>Set-OrganizationConfig -ACLableSyncedObjectEnabled $True Set-OrganizationConfig -ACLableSyncedObjectEnabled $True Set-OrganizationConfig -ACLableSyncedObjectEn

Any mailboxes you migrate to Microsoft 365 or Office 365 will be appropriately setup to enable delegated mailbox permissions once you do this. If you completed these steps before moving mailboxes to Microsoft 365 or Office 365, you’ll need to manually activate ACLs on those mailboxes using the instructions below.

ACLs may be enabled on a single mailbox that has been migrated to Microsoft 365 or Office 365.

[PS] C:>Get-AdUser “Amanda.Morgan” | Set-AdObject -Replace @msExchRecipientDisplayType=-1073741818 | Set-AdObject -Replace @msExchRecipientDisplayType=-1073741818

All mailboxes that have been migrated to Microsoft 365 or Office 365 should have ACLs enabled.

C:>Get-RemoteMailbox -ResultSize Unlimited | where $_.RecipientTypeDetails -eq “RemoteUserMailbox” | ForEach Get-AdUser -Identity $_.Guid | Set-ADObject -Replace @msExchRecipientDisplayType=-1073741818 | Set-ADObject -Replace @msExchRecipientDisplayType=-107374

To ensure that the mailboxes have been changed correctly.

[PS] C:>Get-RemoteMailbox -ResultSize unlimited | ForEach Get-AdUser -Identity $_.Guid -Properties Get-AdUser -Identity $_.Guid -Properties Get-AdUser -Identity $_.Guid -Properties Get-AdUser -Identity $ Format-Table DistinguishedName,msExchRecipientDisplayType -Auto,msExchRecipientDisplayType

Important: Only set the msExchRecipientDisplayType value -1073741818 for user mailboxes, not resource mailboxes.

In Exchange hybrid, Full Access permission is required.

When transferring mailboxes, all access rights will be preserved. For cross-premises access, you must provide Full Access rights when establishing new mailboxes in Exchange Online or Exchange on-premises.

On-premises, run the command in Exchange Management Shell.

C:>Add-MailboxPermission -Identity “[email protected]” -User “[email protected]” [PS] C:>Add-MailboxPermission -Identity “[email protected]” -User “[email protected]” Identity User AccessRights IsInherited -AccessRights “FullAccess” -InheritanceType “All” Deny ———————————————————————————————————————————————————————————————— EXOIPTest.Mailbox2 FullAccess exoip.local/Compa… False False False False False False Fal

Start Outlook in the user’s name. Mailbox2 is being tested. Check that you have complete control over the [email protected] mailbox.

In Exchange hybrid, the Send As permission is required.

When transferring mailboxes, Send As permissions will be preserved. For cross-premises access, you must provide Send As rights when establishing new mailboxes in Exchange Online or Exchange on-premises.

On-premises, run the command in Exchange Management Shell.

C:>Add-ADPermission -Identity “sharedmailboxonprem” -User “[email protected]” [PS] C:>Add-ADPermission -Identity “sharedmailboxonprem” -User “[email protected]” -ExtendedRights “ExtendedRight” -AccessRights “ExtendedRight” Identity User Deny Inherited “Send As” ———————————————————————————————————————————————— EXOIPTest.Mailbox2 False False exoip.local/Compa…

Then, in Exchange Online PowerShell, execute the appropriate command. Enter by pressing Y.

PS C:> Add-RecipientPermission -Identity “sharedmailboxonprem” -Trustee “exoip.com” -AccessRights “SendAs” Are you sure this is what you want to do? On recipient Identity:’sharedmailboxonprem’, adding recipient permission ‘SendAs’ for user or group ‘[email protected]’. [Y] [A] Yes Yes to Everything [N] [L] is not an option. [?] No to All (The default value is “Y”): Y’s Personality Trustee AccessRights is an AccessControlType. Inherited ———————————————————————————————————————————————————————————————————————————— Mailbox2 AllowSendAs False SharedMailboxOnPrem

Start Outlook in the user’s name. Mailbox2 is being tested. Check that [email protected] may be used to send emails. An email is sent to [email protected] in our example.

Check that the email was sent to Alison Bell and that it was sent as SharedMailboxOnPrem.

In Exchange hybrid, the Send on Behalf permission

For Send on Behalf permission to operate, you must enable ACLable object synchronization. Send on Behalf will not function on cross-premises otherwise. See the previous step for more information.

C:>Set-Mailbox “[email protected]” -GrantSendOnBehalfTo @add=’[email protected]’ @add=’exoip.com’ @add=’exoip.com’ @add=’exoip.com’ @add=’exoip.com’ @add=’exoip.com’ @add=’exoip.com

Assume the user Test Mailbox2 in Outlook. Confirm that you have permission to send on behalf of [email protected]. An email is sent to [email protected] in our example.

Check that the email was delivered to Boris Campbell and that it was sent on his behalf.

In Exchange hybrid, you may delegate access.

For Delegate access to work, make sure you enable ACLable object synchronization. Delegate access will not function on cross-premises otherwise. See the previous step for more information.

Delegate permissions should be added.

C:>Add-MailboxFolderPermission -Identity -Identity -Identity -Identity -Identity -Identity -Identity -Identity “[email protected]: [email protected]: “exoip.com” -User “[email protected]” -User “exoip.com” -User “ex” “Editor” -AccessRights

Start Outlook in the user’s name. Mailbox2 is being tested. Check that you have access to Boris Campbell’s calendar as a delegate. Create a new appointment by right-clicking on Boris’ calendar.

Did this information assist you in setting up Exchange hybrid cross-premises permissions?

Conclusion

In Exchange hybrid, you learnt how to set permissions. All permissions will be preserved when you transfer mailboxes. However, there are some extra procedures to take when creating new mailboxes and granting rights across on-premises and Exchange Online mailboxes.

Did you find this article to be interesting? You may also be interested in using PowerShell to save sent items in a shared mailbox. Don’t forget to subscribe to our newsletter and share this post.

The exchange hybrid calendar sharing is a feature that allows users to share calendars with other people. This can be configured in the Exchange hybrid configuration.

Related Tags

enable aclable object synchronization at the organization level.
permissions required to run hybrid configuration wizard
office 365 user cannot access on premise mailbox
exchange online delegate permissions
exchange hybrid send as

About The Author

Renee Straphorn

See author's posts

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Renee Straphorn

Related Stories

Worldcoin: Unique Features that Make this Crypto Project Stand Out

BNB’s Journey From A Bold Ico To The Fifth-Largest Crypto In A Sea Of 17,000+

Has Your Email Been Hacked? Here’s How to Check and What to Do

The Betting Ladder: Climbing from Low Stakes Fun to High Roller Territory

Ukrainian Brides: Myths & Facts

What Are the Advantages of Playing in Mobile Online Casinos?

What are the key features of Ometria?

Moss is a spend management app that helps businesses keep track of their spending

Bibit is a robo-advisor app for Indonesian investors

What are the key features of Ometria?

Why the Alexa Turing Test is Important