Overview of delegation in an Office 365 hybrid environment

Symptoms

Microsoft Exchange Online customers experience problems with Full Access, Send As, Send on Behalf of, and Folder permissions.

Cause

For Office 365 hybrid delegation to work as expected, multiple requirements must be met.

Resolution

Office 365 hybrid delegation requires a specific configuration in the cloud and in the on-premises Active Directory Domain Services (AD DS) environment. The following list discusses the different permissions and how they work in a hybrid deployment.

This article describes the necessary configuration, administration details, and known issues that are associated with different kinds of permissions. If you need help from Microsoft to investigate a specific issue, collect the following diagnostic data from a user who can reproduce the behavior:

Full Access

Send As

  • Send As works in many scenarios, but is not fully supported by Microsoft, as outlined in Permissions in Exchange hybrid deployments.
  • Send As permissions enable mail to be sent from the primary email address of another mailbox or mail user object.
  • Permissions are granted by administrators by using the Exchange Admin Center or Remote PowerShell (Add-ADPermission in on-premises Active Directory and Add-RecipientPermission in Exchange Online).
  • Permissions must exist in the sending user’s forest. For example, if a user’s mailbox is moved to Exchange Online, the Send As permissions must be listed on the mail user object that represents the on-premises mailbox.
  • Permissions are not synchronized by Azure AD Connect.
  • Permissions set in on-premises AD DS must be manually added in Exchange Online for full functionality. For more information, see Exchange hybrid deployment considerations.
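
Because Azure AD Connect does not synchronize Send As permissions, the on-premises grants have to be mirrored by hand. The following added example (not part of the original article and not a Microsoft script) exports explicit Send As entries on-premises and then reports or adds the missing ones in Exchange Online. The function names and the CSV path are assumptions, as is the trustee account name resolving through Get-Recipient.

```powershell
# Added example. Function names and the CSV path are assumptions.

# Phase 1: run in the on-premises Exchange Management Shell.
function Export-OnPremSendAs {
    param([string]$Path = '.\onprem-sendas.csv')
    Get-Recipient -ResultSize Unlimited -RecipientType UserMailbox, MailUser | ForEach-Object {
        $target = $_
        Get-ADPermission -Identity $target.DistinguishedName |
            Where-Object {
                # Keep explicit Allow entries only; skip inherited, Deny and SELF.
                ($_.ExtendedRights -like '*Send-As*') -and -not $_.IsInherited -and
                -not $_.Deny -and $_.User.ToString() -ne 'NT AUTHORITY\SELF'
            } |
            ForEach-Object {
                # Assumption: the trustee account name resolves to a recipient.
                # Anything that does not is reported for manual review, not guessed.
                $trustee = Get-Recipient -Identity $_.User.ToString() -ErrorAction SilentlyContinue
                if (-not $trustee) {
                    Write-Warning "Unresolved trustee $($_.User) on $($target.PrimarySmtpAddress)"
                    return
                }
                [pscustomobject]@{
                    Mailbox = $target.PrimarySmtpAddress
                    Trustee = $trustee.PrimarySmtpAddress
                }
            }
    } | Export-Csv -Path $Path -NoTypeInformation
}

# Phase 2: run in an Exchange Online PowerShell session.
# Without -Apply nothing is changed; each row is reported as WouldAdd or AlreadyPresent.
function Sync-SendAsToExchangeOnline {
    param([string]$Path = '.\onprem-sendas.csv', [switch]$Apply)
    foreach ($row in Import-Csv -Path $Path) {
        $existing = Get-RecipientPermission -Identity $row.Mailbox -Trustee $row.Trustee `
            -AccessRights SendAs -ErrorAction SilentlyContinue
        $action = if ($existing) { 'AlreadyPresent' } elseif ($Apply) { 'Added' } else { 'WouldAdd' }
        if (-not $existing) {
            try {
                Add-RecipientPermission -Identity $row.Mailbox -Trustee $row.Trustee `
                    -AccessRights SendAs -Confirm:$false -WhatIf:(-not $Apply) `
                    -ErrorAction Stop | Out-Null
            } catch { $action = "Failed: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ Mailbox = $row.Mailbox; Trustee = $row.Trustee; Action = $action }
    }
}
```

Review the WouldAdd rows before rerunning with -Apply, so that stale on-premises grants are not carried into Exchange Online.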

Folder access

Send on Behalf of

  • "Send on Behalf of" permissions enable mail to be sent on behalf of another email address.

  • Permissions can be granted by users by using Outlook or by administrators by using Exchange Admin Center or Remote PowerShell (Set-Mailbox cmdlet).

  • Permissions must exist in the sending user’s forest.

  • By default, the PublicDelegates attribute (also known as the GrantSendOnBehalfTo attribute in Exchange on-premises) is synchronized to Exchange Online by Azure AD Connect.

  • Additional configuration is required to synchronize the PublicDelegates attribute with on-premises AD DS. This configuration requires enabling Exchange hybrid deployment settings in Azure AD Connect. For more information, see Exchange hybrid writeback and optional features.

  • If the Exchange hybrid deployment setting is not enabled, the "Send on Behalf of" permission has to be added manually by an administrator by using Remote PowerShell. To do this, refer to Delegate can't send "on behalf of" after migration to Office 365 hybrid environment.

Delegates

Note: Delegation also affects external calendar sharing. For more information, see Unable to accept an external sharing invitation by using Outlook in a hybrid environment.