ad user me@domain1.com has an on-prem exchange 2016 mailbox for me@domain1.com.
there's a one-way outgoing trust with domain2, i have an account me2@domain2.com, and my workstation running outlook 365 is in domain2.com. domain2.com's mail is exchange online. (domain2.com ad is azure-connected but also on prem).
i created the domain local ad group domain1\group1 in domain1, and added me2@domain2.com to it. then i used exchange shell in domain1.com to grant domain1\group1 full mailbox permissions to the me@domain1.com mailbox.
on my domain2.com laptop logged in as me2@domain2.com, i can open outlook and see the me@domain1.com mailbox, but when i try to send something from that address, domain1.com's exchange servers bounce it back and say i don't have "send on behalf" permissions.
why do i need "send on behalf" permissions if i have "full control" permissions? i don't want to send on behalf anyway, because i don't want the mail to show up as "sent on behalf of". i just want to be logged in to the mailbox and "send as." what am i missing?


