question

DieterTontsch-0908 avatar image
0 Votes"
DieterTontsch-0908 asked ChristyZhang-MSFT edited

Send As Exchange Online Mailbox in Hybrid Exchange

We have an Exchange Hybrid model with most of the mailboxes on-premises and all accounts in local AD, synced to Azure via AADSync.
Now I do have two mailboxes online and want to grant other users (local AD and local mailbox) Send As privilege on these mailboxes.
This does work for me, but I am also some super administrator, at least i have several powerful admin roles, but it does not work for my regular users in charge.
I have granted mailbox delegation for "Read and manage" + "Send As" (not send on behalf), but every time they try to send out emails from their Outlook the get the message that they are not allowed to send on behalf of that recipient.
First of all, they shouldn't send on behalf (if I'd grant that permission that would work), but send as, and second are they missing some special role or something? Because, as I said, for me it works, for them, it doesn't.

I have also checked permission on the mailbox, it is about user Michaela, see attachment.

131899-sendas.png

This is a different screenshot, on another mailbox there is another user with same permissions, plus myself, how I am the only one which can send as.

Any idea? I have granted these permissions about 4 hours ago.



office-exchange-online-itpro
sendas.png (45.0 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@DieterTontsch-0908

Any update about this thread now? Did you add the send as permission successfully?

0 Votes 0 ·
AndyDavid avatar image
0 Votes"
AndyDavid answered

Try this:

 Get-RemoteMailbox xxx@company.de | Add-ADPermission  -User michaela.yyyy-zzz@company.de -AccessRights ExtendedRight -ExtendedRights "Send As"
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AndyDavid avatar image
0 Votes"
AndyDavid answered DieterTontsch-0908 edited

Did you grant the on-prem users SEND AS to the on-prem remote mailbox as well?

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I didn't really get the point. Whom shall I grant what on-prem?

An Exchange user with an on-prem mailbox shall be able to send as an Exchange user with an O365 mailbox. I have granted this user with on-prem mailbox "send as" to the O365 mailbox of the other user. The users basically are the same, both are AD Users synched to Azure. Am I missing something? Could be, because I have way more privileges (especially on-prem) as regular users. That's why I can send as, and others not? But what do you mean, I didn't get it?

On-prem these mailboxes are as Office 365 type and I cannot assign any permissions from the on-prem EAC

0 Votes 0 ·
DieterTontsch-0908 avatar image
0 Votes"
DieterTontsch-0908 answered

Get-RecipientPermission -Identity "h.xxx@company.de" | Format-List


RunspaceId : 802c5669-1d9c-4e29-be70-6c86f6319e33
Identity : Hannes xxx (C1)
Trustee : NT AUTHORITY\SELF
AccessControlType : Allow
AccessRights : {SendAs}
IsInherited : False
InheritanceType : None
TrusteeSidString : S-1-5-10
IsValid : True
ObjectState : New

RunspaceId : 802c5669-1d9c-4e29-be70-6c86f6319e33
Identity : Hannes xxx (C1)
Trustee : michaela.xxx-spaeth@company.de
AccessControlType : Allow
AccessRights : {SendAs}

IsInherited : False
InheritanceType : None
TrusteeSidString : S-1-5-21-3951766799-3417088378-1086044615-3937159
IsValid : True
ObjectState : New

This is what I get, but it doesn't work.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AndyDavid avatar image
0 Votes"
AndyDavid answered AndyDavid edited

The on-prem user however is located in a different directory than the 365 mailbox, so you need to grant the on-prem mailbox send as to the on-prem remote mailbox using powershell:

https://docs.microsoft.com/en-us/Exchange/permissions#mailbox-permissions-and-capabilities-not-supported-in-hybrid-environments

131908-image.png



image.png (55.3 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DieterTontsch-0908 avatar image
0 Votes"
DieterTontsch-0908 answered DieterTontsch-0908 commented

OK, I think I got you now, but the problem is that if I try this, it tell's me that the o365 user (mailbox) isn't fond on my local DC, not even to show permissoins

 Get-MailboxPermission -Identity "mobilexnew\xxx" | Format-List
 The operation couldn't be performed because object 'mobilexnew\xxx' couldn't be found on 'dc2-2019.xxx.intra'.

or

 Add-ADPermission -Identity xxx@company.de -User michaela.yyyy-zzz@company.de -AccessRights ExtendedRight -ExtendedRights "Send As"
 xxx@company.de wasn't found. Please make sure you've typed it correctly.

So, it looks like I cannot get or grant Send As permission to an AD user which mailbox is remote, online. Eventually if I do manually set the respective attribute in AD, but I have no clue which one it might be.

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Is there a remote mailbox on-prem that represents the 365 user?

0 Votes 0 ·

Yes, there is mailbox of type Office 365 visible in the on-prem EAC

0 Votes 0 ·
DieterTontsch-0908 avatar image
0 Votes"
DieterTontsch-0908 answered

Thanks Andy, this worked and yes, now, with the combination of adding delegate permission send as to the remote mailbox in O365 and granting AD-Permission on that Remote Mailbox to the on-prem AD Account, it works

One can check if Send-As is assigned by firing this query:

 Get-RemoteMailbox xxx@company.de | Get-ADPermission | where {$_.ExtendedRights -like "Send-As"} | fl *


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.