EvenOpsal-5682 asked DavidWrightMTRS-1060 commented

Users with no access wrongfully receive meeting confirmation - Shared mailbox

Hi,

Rather curious case, but I'll try to explain in as much detail as possible.

User A and User B previously had full access to a shared mailbox. They are now replaced by User C and User D. User A and B are fully removed from anything I can possibly think of regarding access.

So the case is, User C sets up a meeting as the shared mailbox, in the shared mailbox's calendar in Outlook. She then invites herself (User C) and User D.
When User C then accepts the meeting invite in her own mailbox, a confirmation mail is sent to User A and B stating that User C has accepted the meeting. The same happens if User D accepts the meeting.

User A and B have no access to this shared mailbox whatsoever unless there is something I'm missing.

Things I have checked:
Mailbox delegation in Exchange Online AND our local Exchange.
Checked for any rules client side and server side, for all users including on the shared mailbox.
The shared mailbox local AD object. User A and B had some special permissions there, but the problem still occurs after removing them.
Calendar permissions on the shared mailbox.

Is there anything I'm missing here?
Hope the explanation is understandable.


Any update or solution to this issue? I have users experiencing the same exact issue.

michev answered EvenOpsal-5682 commented

Did you check the calendar delegation/resourceDelegates property? Or just run a message trace, it will show you how and why the messages are being sent.


Yes, and there is nothing there that should give access. I did a message trace and see that I forgot to mention one thing.
The mail that is sent to User A and B is actually sent from the user who is accepting the meeting, and not the shared mailbox. I ran a message trace but can't really see anything useful there.
Just an ordinary delivered email.

Edit: Just to make a few things clearer. The shared mailbox is the one sending out the meeting to User C and User D. When User C then accepts, a confirmation is sent to User A and B from what appears to be User C's mailbox. But when checking User C's mailbox, no such email is stored in the Sent Items folder. I can see it sent from User C to User A and B when running a message trace, but there is no indication as to why.

LydiaZhou-MSFT answered DavidWrightMTRS-1060 commented

@EvenOpsal-5682

Are user A, user B and shared mailbox all on on-premises Exchange?
Are user A and B also listed as the recipient in the message?

Please check if any mail flow rules are created to Cc or Bcc message to user A and B. Check the delivery options of the shared mailbox, make sure no recipients are set to forward email to. Mailbox features > Mail Flow > Delivery Options > View details:

You can try to send a meeting request to another user mailbox who is not the delegate, check if the meeting reply can be sent to user A and B as well. So that we can know whether this issue is related to delegates user C and D.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



@LydiaZhou-MSFT

No, all users and the shared mailbox are Office 365 mailboxes. They do exist on our on-prem Exchange of course, but that's really just a mail relay for us.

User A and B are the only users listed as recipients in the message. And the message is sent from User C, who I presume is creating the meeting in the shared mailbox's calendar.

There are no rules or delegation that would suggest that User A and B should receive these messages. They don't get any other messages from the shared mailbox, or User C and D.

I tried to create a meeting in the calendar of the shared mailbox now with another user (E). User A and B still received the accepted meeting request when I accepted the meeting. Only this time it was sent from User E, who also created the meeting.


@EvenOpsal-5682

The accepted message should be sent to the shared mailbox; it's weird that user A and B are listed as recipients. Please try to send an ordinary message to this shared mailbox and check if the issue can be reproduced.



@LydiaZhou-MSFT

Yes, it is indeed weird. I don't see any connection whatsoever why user A and B would be recipients. There is no setting I have found in which these users have access to anything regarding that Shared Mailbox now. They have had access previously, but have been fully removed.

When sending an ordinary e-mail to the Shared Mailbox it acts like it should. The e-mail lands in the Shared Mailbox's inbox.
It seems to only occur around meetings made in the Shared Mailbox's calendar. I reproduced the issue with my own user, so I don't think it is a problem with User C and D. It seems to be a problem with the Shared Mailbox.


Any updates so far?
If you have any questions or need further help on this issue, please feel free to post back.



Hello,

Sorry about the delayed update. Unfortunately, adding and removing access did not work. Users A and B still receive confirmation e-mails when someone accepts a meeting.


@EvenOpsal-5682

What's the sender of the meeting request when checked from the recipient side? Does it show "user C on behalf of shared mailbox"?
When did this issue occur? Were there any modifications before this issue?
Before replacing user A and B with C and D, did the meeting reply go to user A and B instead of the shared mailbox at that time?

Please double-check attributes of the shared mailbox from ADUC. Click Filter and select "Show only attributes that have values":
LydiaZhou-MSFT answered

@EvenOpsal-5682

msExchDelegateListLink is used for auto-mapping of Full Access permission. For more details about this attribute: Auto-mapping doesn’t work as expected in an Office 365 hybrid environment.
publicDelegates is used for send on behalf permission. For more details about this permission: Delegate can't send "on behalf of" after migration to Office 365 hybrid environment.

Please check if send on behalf permission is configured for your shared mailbox. If needed, you can use the following command to remove the permission:

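 # List who currently holds Send on Behalf on the shared mailbox
 Get-Mailbox "<shared mailbox>" | Format-Table Name,GrantSendOnBehalfTo
 # Remove the stale delegates from the Send on Behalf list
 Set-Mailbox "<shared mailbox>" -GrantSendOnBehalfTo @{Remove="username1","username2"}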

After that, wait for the synchronization in your hybrid environment, or force AAD Connect to sync manually. Then check if user A and B can still be added back to the publicDelegates attribute.


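An added example, not part of the original thread and not Microsoft's code: a read-only Exchange Online PowerShell pass over the places the answers above suggest checking (Full Access, Send As, Send on Behalf/publicDelegates, calendar permissions, resourceDelegates, Delivery Options forwarding, inbox rules), so that a removed user left behind in any one of them shows up in a single table. The mailbox and user addresses are hypothetical placeholders, and the matching of removed users against permission entries is best-effort string matching.

```powershell
# Added example. Assumes an active Connect-ExchangeOnline session.
# $Mailbox and $Stale are hypothetical placeholders.
$Mailbox = 'shared@contoso.example'
$Stale   = 'usera@contoso.example', 'userb@contoso.example'

# Every name a removed user may appear under (permission entries use mixed formats)
$staleIds = $Stale | ForEach-Object {
    $r = Get-Recipient -Identity $_
    $r.Name, $r.DisplayName, $r.Alias, "$($r.PrimarySmtpAddress)"
}
$mbx      = Get-Mailbox -Identity $Mailbox
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Principal, $Detail) {
    $findings.Add([pscustomobject]@{ Source = $Source; Principal = "$Principal"; Detail = "$Detail" })
}

# Full Access (the permission msExchDelegateListLink auto-mapping relates to)
Get-MailboxPermission -Identity $Mailbox | Where-Object { -not $_.IsInherited } |
    ForEach-Object { Add-Finding 'FullAccess' $_.User ($_.AccessRights -join ',') }
# Send As
Get-RecipientPermission -Identity $Mailbox |
    ForEach-Object { Add-Finding 'SendAs' $_.Trustee ($_.AccessRights -join ',') }
# Send on Behalf (publicDelegates)
foreach ($d in $mbx.GrantSendOnBehalfTo) { Add-Finding 'SendOnBehalf' $d 'GrantSendOnBehalfTo' }
# Calendar folder permissions; 'Calendar' assumes an English-language mailbox
Get-MailboxFolderPermission -Identity "${Mailbox}:\Calendar" |
    ForEach-Object { Add-Finding 'CalendarFolder' $_.User ($_.AccessRights -join ',') }
# Calendar delegation (resourceDelegates)
$cal = Get-CalendarProcessing -Identity $Mailbox
foreach ($d in $cal.ResourceDelegates) {
    Add-Finding 'ResourceDelegate' $d "ForwardRequestsToDelegates=$($cal.ForwardRequestsToDelegates)"
}
# Mailbox-level forwarding (Delivery Options)
foreach ($f in $mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress) {
    if ($f) { Add-Finding 'Forwarding' $f "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)" }
}
# Inbox rules, hidden ones included, that forward or redirect
Get-InboxRule -Mailbox $Mailbox -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
    ForEach-Object {
        $targets = @($_.ForwardTo; $_.RedirectTo; $_.ForwardAsAttachmentTo) | Where-Object { $_ }
        Add-Finding 'InboxRule' ($targets -join ';') $_.Name
    }

# Flag rows whose principal matches one of the removed users
$findings | Select-Object *, @{ n = 'Stale'; e = {
        $p = $_.Principal; [bool]($staleIds | Where-Object { $_ -and $p -like "*$_*" }) } } |
    Sort-Object Stale -Descending | Format-Table -AutoSize
```

Every cmdlet used is a `Get-` cmdlet, so the pass changes nothing; tenant-wide mail flow rules are not covered and still need a separate look.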

EvenOpsal-5682 answered LydiaZhou-MSFT commented

@LydiaZhou-MSFT

So, I finally got to try the above PS cmdlets. I did it using Exchange Online PowerShell and both seemed to run okay.
When checking the AD object after sync I now see that the publicDelegates attribute is removed (since I filtered on only populated attributes), so that's the good news.

The bad news is that the problem is still there. After I ran the commands and waited for sync, I made a test meeting in the shared mailbox's calendar, and user A and B still wrongfully received the meeting confirmations.


When you check the message tracing of the confirmations, do you find any redirect event or other unusual events for the message tracing of the message sent to the shared mailbox?

