Configuring your Exchange Hybrid to Support Mailbox Permissions

Recently, I have been made aware of a change Microsoft have released to allow the support of delegate permissions in Exchange Hybrid organisations.

You may be aware that the only supported permissions between the on-premises Exchange and Exchange Online, at the time of writing, are:

  • Full Access.
  • Send on Behalf.
  • Private Items.

All other permissions, such as the following, are not yet supported:

  • Send As.
  • Auto-Mapping.
  • Folder Permissions.

However, it’s interesting to note that additional steps should now be taken to allow the on-premises Exchange servers to support Hybrid mailbox permissions, as shown in the article dated 23rd August 2019 here.

For my example, I have a customer running Exchange 2016 Hybrid with an Exchange 2010 backend; they are using a supported Outlook client. They have migrated fewer than 100 mailboxes to Exchange Online and have been receiving credential prompts since the mailboxes were moved. It was found that the mailboxes with Full Access permissions were generating the credential prompts.

To fix this, we will do the following:

  • Connect to the on-premises Exchange 2016 and using the Exchange Management shell, from an Exchange Administrator account, run:
    Set-OrganizationConfig -ACLableSyncedObjectEnabled $True
    This will set the delegate access for any mailboxes migrated from that point onwards.
  • On the on-premises Exchange 2016 and using the Exchange Management shell, from an Exchange Administrator account, run:
    Get-RemoteMailbox -ResultSize unlimited | ForEach {Get-AdUser -Identity $_.Guid | Set-ADObject -Replace @{msExchRecipientDisplayType=-1073741818}}
    This will set the delegate access on the already-migrated mailboxes.
  • Either wait for the AD replication and Directory Synchronisation process for the changes to update in Exchange Online or force a manual AD replication and a manual directory synchronisation process.
    To run a manual synchronisation process:

    • Connect to the Azure AD Connect server.
    • Ensure you are in the AD Sync Admins local group. You may need to log off and back on again if you have just been added to the group.
    • Run Windows Powershell as an Administrator, and then run:
      • Import-Module ADSync
      • Start-AdSyncSyncCycle -PolicyType Delta 
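The three steps above, pulled together into one script so the change can be audited before it is made, applied idempotently, and re-checked afterwards. This is an added example, not code from the original post or from Microsoft's article: it assumes it runs in the on-premises Exchange 2016 Management Shell with the ActiveDirectory module available, and the function names, the `$AadConnectServer` parameter and the `AADC01` server name are mine (placeholders).

```powershell
# Added example (not from the original post). Assumes the on-premises Exchange
# Management Shell with the ActiveDirectory module; function and server names are mine.

# msExchRecipientDisplayType value the post stamps on migrated (remote) mailboxes
# so that Exchange Online treats them as ACLable.
$AclableRemoteMailbox = -1073741818

function Get-HybridAclState {
    # Audit: report the organisation-wide switch and every remote mailbox whose
    # AD object does not yet carry the ACLable display type.
    $orgEnabled = (Get-OrganizationConfig).ACLableSyncedObjectEnabled
    $pending = Get-RemoteMailbox -ResultSize Unlimited | ForEach-Object {
        $adUser = Get-ADUser -Identity $_.Guid -Properties msExchRecipientDisplayType
        if ($adUser.msExchRecipientDisplayType -ne $AclableRemoteMailbox) {
            [pscustomobject]@{
                Name               = $_.Name
                PrimarySmtpAddress = $_.PrimarySmtpAddress
                DisplayType        = $adUser.msExchRecipientDisplayType
            }
        }
    }
    [pscustomobject]@{
        ACLableSyncedObjectEnabled = $orgEnabled
        RemoteMailboxesPending     = @($pending)
    }
}

function Set-HybridAclState {
    # Apply the fix. Supports -WhatIf / -Confirm so it can be dry-run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hypothetical Azure AD Connect server name; omit to skip the forced delta sync.
        [string]$AadConnectServer
    )

    # Step 1: make every mailbox migrated from now on ACLable.
    if ($PSCmdlet.ShouldProcess('OrganizationConfig', 'Set ACLableSyncedObjectEnabled = $true')) {
        Set-OrganizationConfig -ACLableSyncedObjectEnabled $true
    }

    # Step 2: stamp the already-migrated mailboxes, skipping ones that are done
    # so the script can be re-run safely.
    foreach ($rm in Get-RemoteMailbox -ResultSize Unlimited) {
        $adUser = Get-ADUser -Identity $rm.Guid -Properties msExchRecipientDisplayType
        if ($adUser.msExchRecipientDisplayType -eq $AclableRemoteMailbox) { continue }
        if ($PSCmdlet.ShouldProcess($rm.PrimarySmtpAddress, "Set msExchRecipientDisplayType = $AclableRemoteMailbox")) {
            $adUser | Set-ADObject -Replace @{ msExchRecipientDisplayType = $AclableRemoteMailbox }
        }
    }

    # Step 3 (optional): kick off a delta directory sync on the Azure AD Connect
    # server instead of waiting for the scheduled cycle.
    if ($AadConnectServer -and $PSCmdlet.ShouldProcess($AadConnectServer, 'Start-ADSyncSyncCycle -PolicyType Delta')) {
        Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
            Import-Module ADSync
            Start-ADSyncSyncCycle -PolicyType Delta
        }
    }
}

# Usage: audit, dry-run, apply, then re-audit (AADC01 is a placeholder name).
Get-HybridAclState
Set-HybridAclState -WhatIf
Set-HybridAclState -AadConnectServer 'AADC01'
(Get-HybridAclState).RemoteMailboxesPending
```

The audit is worth running twice: before the change, to see how many objects will be touched, and again after AD replication and the delta sync, when `RemoteMailboxesPending` should be empty. Because `Set-ADObject -Replace` overwrites the attribute rather than adding to it, the skip-if-already-set check keeps repeat runs from generating needless AD changes that would then be picked up by the next sync cycle.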

There are different fixes for the different supported versions of Exchange Server, so please be sure to visit the article above to ensure you are following the correct procedure.
