question

DieterTontsch-0908 asked DieterTontsch-0908 commented

On-Prem --> Online Calendar Permissions not always working this direction

For some O365 mailbox calendars we have issues with them being accessed by users within the same hybrid env. who are still on an on-prem mailbox. But the issues are only with certain O365 calendars and also only with a few on-prem mailbox users. Sometimes it is even the case that the on-prem user can see one Online user's calendar, but not the other Online user's. And Default is set to Reviewer for both; we do not really have granular calendar permissions.
I figured out that maybe there is an issue with some hybrid on-prem mailbox users being seen as external users by EXO, and therefore the permission Default:Reviewer does not apply, because that is meant to be "My Organization".
I also figured out that, before I was migrated to EXO, I had, besides Default, permissions for a certain AD group (a distribution list as well) on top. Since I moved myself online within my Outlook, I only see the Default permission in the calendar permissions, but PowerShell shows me this:

 PS C:\Users\xxxx> Get-MailboxFolderPermission -Identity dieter.xxx@xxx.de:\kalender
    
 FolderName           User                 AccessRights                                                                                          SharingPermissionFlags
 ----------           ----                 ------------                                                                                          ----------------------
 Kalender             Default              {Reviewer}
 Kalender             xxx-Yyy              {Reviewer}

If I explicitly add this xxx-Yyy Group via outlook, I see it twice with PowerShell query:

 PS C:\Users\xxx> Get-MailboxFolderPermission -Identity dieter.xxx@xxx.de:\kalender
    
 FolderName           User                 AccessRights                                                                                          SharingPermissionFlags
 ----------           ----                 ------------                                                                                          ----------------------
 Kalender             Default              {Reviewer}
 Kalender             xxx-Yyy              {Reviewer}
 Kalender             xxx-Yyy              {Reviewer}

Then it came to my mind, that maybe it might help to add AD-Permissions for this same xxx-Yyy AD group to a Remote Mailbox, but I'm afraid this is not possible. I did this with Send As Permissions, but that's a different thing, right?

Get-RemoteMailbox yyy@xxx.de | Add-ADPermission -User xxx@xxx.de -AccessRights ExtendedRight -ExtendedRights "Send As"

There is no way to do a similar thing with Calendar Permissions for on-prem users to a Remote Mailbox calendar?

I feel like the xxx-Yyy group on-prem is not necessarily the exact same group as the ADSynced one, because that is what we did with this group: it is on-prem as xxx-Yyy, and it was synced via ADSync to Azure AD, where it is now a mail-enabled security group. But regardless of this group, for calendars which cannot be accessed by certain on-prem users, not even adding these users (all users are Azure AD synced) with explicit permissions would help. They still cannot access the calendar in question.
Is there a possibility to grant Reviewer on a remote mailbox calendar via Add-ADPermission?

kind regards,
Dieter





office-exchange-server-administration office-exchange-online-itpro office-exchange-server-connectivity office-exchange-hybrid-itpro

1 Answer

KyleXu-MSFT answered DieterTontsch-0908 commented

@DieterTontsch-0908

About the permission showing twice: it is a known issue. You could have a look at this article: "Delegates are not listed correctly in Outlook after a migration to Office 365 hybrid environment".

From this article, we can see that folders can be accessed cross-forest in many scenarios, but they are not fully supported by Microsoft.

I would suggest you remove the existing customized permission from the calendar folder, then share the permission with the mailbox directly rather than with the AD group. I think there is an issue with inheriting permissions from the AD group (permission changes need some time to take effect).






Thanks, this gives me some hints, but in the end I have to say it's better to move fast with migrating all mailboxes, rather than trying to debug why cross-premises access from on-prem --> online does not work reliably.
I did not see a pattern here, besides that it's always the same on-prem users who have issues. It's a bit random; none of my users has particular permissions, and assigning particular permissions to the ones who have issues does not help either.

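The answer's suggestion (remove the customized group entry from the calendar folder and grant the mailboxes directly) can be scripted as below. This is an added example, not code from the thread or from Microsoft; it assumes a connected Exchange Online PowerShell session, that the group entry is listed under its display name as in the question's output, and `owner@contoso.example` is a placeholder.

```powershell
# Added example (not from the thread). Assumes a connected Exchange Online
# PowerShell session (Connect-ExchangeOnline). $Mailbox is a placeholder.
$Mailbox = 'owner@contoso.example'   # placeholder: cloud mailbox whose calendar is shared
$Group   = 'xxx-Yyy'                 # group name as anonymized in the question
$Rights  = 'Reviewer'
$Apply   = $false                    # $false = preview only (-WhatIf); $true = make changes

# The calendar folder name is localized ("Kalender" in the question), so resolve it.
$calendar = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope Calendar |
    Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
$folderId = '{0}:\{1}' -f $Mailbox, $calendar.Name

# 1. Report the current entries and flag any trustee that is listed more than once.
$acl = @(Get-MailboxFolderPermission -Identity $folderId)
$acl | Format-Table User, AccessRights, SharingPermissionFlags -AutoSize
$acl | Group-Object { [string]$_.User } | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "'$($_.Name)' is listed $($_.Count) times" }

# 2. Remove the customized group entry; Default and Anonymous stay untouched.
if ($acl | Where-Object { [string]$_.User -eq $Group }) {
    Remove-MailboxFolderPermission -Identity $folderId -User $Group -Confirm:$false -WhatIf:(-not $Apply)
}

# 3. Grant each member directly. On-prem mailboxes appear in Exchange Online as MailUser.
$members = Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
    Where-Object { $_.RecipientType -in 'UserMailbox', 'MailUser' }
foreach ($m in $members) {
    $existing = Get-MailboxFolderPermission -Identity $folderId -User $m.PrimarySmtpAddress -ErrorAction SilentlyContinue
    if ($existing) { continue }      # already has a direct entry; leave it as set
    Add-MailboxFolderPermission -Identity $folderId -User $m.PrimarySmtpAddress -AccessRights $Rights -WhatIf:(-not $Apply)
}

# 4. Re-read the folder so leftover duplicates or failed grants are visible.
Get-MailboxFolderPermission -Identity $folderId |
    Format-Table User, AccessRights, SharingPermissionFlags -AutoSize
```

Direct grants do not follow later changes in group membership, so rerun the report in step 1 when people join or leave the group.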