Permissions in Exchange hybrid deployments

The Exchange Online organization in Office 365 is based on Exchange Server and, like on-premises organizations, it uses Role Based Access Control (RBAC) to control permissions. Administrators are granted permissions using management role groups, and end users are granted permissions using management role assignment policies.

Learn more about permissions in Exchange Online and on-premises Exchange at: Permissions

Administrator permissions

By default, the user that was used to create the Office 365 tenant is made a member of the Organization Management role group in the Exchange Online organization. This user can manage the entire Exchange Online organization, including configuration of organization-level settings and management of Exchange Online recipients.

You can add additional administrators in the Exchange Online organization, depending on the management that needs to take place. For example, you can add additional organization administrators and recipient administrators, enable specialist users to perform compliance tasks such as discovery, configure custom permissions, and more. All Exchange Online permissions management for Office 365 administrators must be performed in the Exchange Online organization using either the Exchange Administration Center (EAC) or remote PowerShell.

Important

There is no transfer of permissions between the on-premises organization and the Office 365 organization. Permissions that you've defined in the on-premises organization must be re-created in the Office 365 organization.

For more information, see Manage Role Groups and Manage Role Group Members.

Delegate mailbox permissions

In on-premises Exchange deployments, users can be granted a variety of permissions to other users' mailboxes. This is called delegated mailbox permissions, and it's useful when an administrative assistant needs to manage some part of another user's mailbox; for example, managing an executive's calendar. Exchange hybrid deployments support the use of some, but not all, mailbox permissions between mailboxes located in an on-premises Exchange organization and mailboxes located in Office 365. The following sections detail which permissions are, and aren't, supported; the additional configuration required to support hybrid mailbox permissions; and how mailbox permissions are synchronized between your on-premises organization and Office 365.

Mailbox permissions supported in hybrid environments

The following permissions **are** supported:

  • **Full Access** A mailbox on an on-premises Exchange server can be granted the Full Access permission to an Office 365 mailbox, and vice versa. For example, an Office 365 mailbox can be granted the Full Access permission to an on-premises shared mailbox. Users need to open the mailbox using the Outlook desktop client; cross-premises mailbox permissions aren't supported in Outlook on the web.

    Note

    Users might receive additional credential prompts when they first access a mailbox that's in the other organization and add it to their Outlook profile.

  • **Send on Behalf of** A mailbox on an on-premises Exchange server can be granted the Send on Behalf of permission to an Office 365 mailbox, and vice versa. For example, an Office 365 mailbox can be granted the Send on Behalf of permission to an on-premises shared mailbox. Users need to open the mailbox using the Outlook desktop client; cross-premises mailbox permissions aren't supported in Outlook on the web.

    Some changes are needed on your Azure Active Directory Connect server for Send on Behalf of permissions to sync between your on-premises Exchange servers and Exchange Online. For details, see Enabling support for hybrid mailbox permissions in Azure Active Directory Connect later in this topic.

  • **Private items** When adding a delegate, the option can be configured to allow a user with folder permissions to see private calendar items.

The following permissions or capabilities **aren't** supported:

  • **Send-As** Lets a user send mail as though it appears to be coming from another user's mailbox.

  • **Auto-mapping** Enables Outlook, when it starts, to automatically open any mailboxes that a user has been granted Full Access to.

  • **Folder permissions** Grants access to the contents of a particular folder.

Any mailboxes that receive these permissions from another mailbox need to be moved at the same time as the granting mailbox. If a mailbox receives permissions from multiple mailboxes, that mailbox, and all of the mailboxes granting permissions to it, need to be moved at the same time.
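The following script is an added example, not part of the original article, showing how to find the Send-As and folder-permission dependencies of a mailbox before scheduling its move, so the granting and receiving mailboxes land in the same migration batch. It assumes an on-premises Exchange Management Shell session and a mailbox identity passed as `$Identity` (a constructed parameter name); only the default Calendar, Inbox, Contacts and Tasks folders are inspected.

```powershell
# Added example (not from the original article). Run in the on-premises Exchange Management Shell.
# Lists mailboxes that must move together with $Identity because of unsupported
# cross-premises permissions (Send-As and folder permissions).
param(
    [Parameter(Mandatory = $true)]
    [string]$Identity            # mailbox being planned for a move, e.g. an executive
)

$self    = Get-Mailbox -Identity $Identity -ErrorAction Stop
$related = @{}                   # principal -> reason it must move in the same batch

# 1. Who holds Send-As on this mailbox? Send-As is an AD permission, hence Get-ADPermission.
#    Inherited entries and well-known SIDs (SELF, NT AUTHORITY) are not user delegations.
Get-ADPermission -Identity $self.DistinguishedName |
    Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited -and
                   $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*' } |
    ForEach-Object { $related[$_.User.ToString()] = "Send-As on $($self.Alias)" }

# 2. Who holds folder-level rights on the default folders? 'Default' and 'Anonymous'
#    are the built-in entries, not delegates.
foreach ($folder in @('\Calendar', '\Inbox', '\Contacts', '\Tasks')) {
    Get-MailboxFolderPermission -Identity "$($self.Alias):$folder" -ErrorAction SilentlyContinue |
        Where-Object { $_.User.DisplayName -notin @('Default', 'Anonymous') } |
        ForEach-Object { $related[$_.User.DisplayName] = "Folder rights on $($self.Alias)$folder" }
}

# 3. Reverse direction: mailboxes on which this user holds Send-As.
#    Note: this walks every mailbox once, so it is slow in large organizations.
Get-Mailbox -ResultSize Unlimited |
    Get-ADPermission -User $self.SamAccountName |
    Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited } |
    ForEach-Object { $related[$_.Identity.ToString()] = "$($self.Alias) holds Send-As here" }

if ($related.Count -eq 0) {
    "No Send-As or folder permission dependencies found for $($self.Alias)."
} else {
    "Move these together with $($self.Alias):"
    $related.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
}
```

Because a dependency can itself have further dependencies, re-run the script for each mailbox it reports until the batch stops growing.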

Configuring your on-premises Exchange servers to support hybrid mailbox permissions

To enable Full Access and Send on Behalf of permissions in a hybrid deployment, additional configuration changes might be necessary depending on the version of Exchange you have installed. The following table shows which versions of Exchange support delegated mailbox permissions in a hybrid deployment with Office 365 and what additional configuration is needed. For steps on how to configure Exchange 2013 and 2010 servers and mailboxes to support ACLs, see Configure Exchange to support delegated mailbox permissions in a hybrid deployment.

| Exchange version | Prerequisites |
| --- | --- |
| Exchange 2016 | No additional configuration required. |
| Exchange 2013 | Exchange 2013 servers need the following:<br>1. The latest cumulative update (CU), or the immediately previous CU, installed. Exchange 2013 servers running older CUs aren't supported and may not work with delegated mailbox permissions in a hybrid deployment.<br>2. The Exchange organization is configured to allow access control lists (ACLs) to be stamped on mail objects and synchronized with Office 365.<br>3. On-premises remote mailboxes associated with mailboxes moved to Office 365 prior to Exchange 2013 CU10 need to be manually configured to support ACLs. Remote mailboxes created on servers running Exchange 2013 CU10 or later, and after the Exchange organization is set to allow ACLs, are configured automatically. |
| Exchange 2010 | Exchange 2010 SP3 servers need the following:<br>1. The latest update rollup (RU), or the immediately previous RU, installed. Exchange 2010 SP3 servers running older RUs aren't supported and may not work with delegated mailbox permissions in a hybrid deployment.<br>2. On-premises remote mailboxes associated with Office 365 mailboxes need to be configured to support ACLs. This needs to be done for each on-premises remote mailbox that's associated with an Office 365 mailbox. |
| Exchange 2007 or earlier | Not supported. |
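As an added example (not from the original article), the script below checks the two Exchange 2013 prerequisites from the table, the organization-level ACL setting and the per-object state of remote mailboxes moved before CU10, and optionally fixes them. It assumes the `ACLableSyncedObjectEnabled` parameter of `Set-OrganizationConfig` and `Set-RemoteMailbox` (Exchange 2013 CU10 or later) is the setting the table describes, that the Active Directory module is loaded, and that `-1073741818` is the `msExchRecipientDisplayType` value of an ACL-enabled remote user mailbox; treat the constant as an assumption to confirm in a test environment.

```powershell
# Added example (not from the original article). Run in the on-premises Exchange Management Shell
# on an Exchange 2013 CU10+ server as a member of Organization Management.
# Without -Fix the script only reports; with -Fix it applies the changes.
param([switch]$Fix)

# Assumed msExchRecipientDisplayType of an ACL-enabled (ACLableSyncedMailboxUser) remote mailbox.
$aclableRemoteUser = -1073741818

# 1. Organization-level setting: remote mailboxes created after this is enabled are ACL-able automatically.
$org = Get-OrganizationConfig
if ($org.ACLableSyncedObjectEnabled) {
    "Org-level ACLableSyncedObjectEnabled is already ON."
} elseif ($Fix) {
    Set-OrganizationConfig -ACLableSyncedObjectEnabled $true
    "Enabled ACLableSyncedObjectEnabled at the organization level."
} else {
    "Org-level ACLableSyncedObjectEnabled is OFF (run with -Fix to enable)."
}

# 2. Per-object check: remote user mailboxes moved before CU10 still carry the non-ACL display type.
$stale = Get-RemoteMailbox -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'RemoteUserMailbox' } |
    ForEach-Object {
        $ad = Get-ADUser -Identity $_.SamAccountName -Properties msExchRecipientDisplayType
        if ($ad.msExchRecipientDisplayType -ne $aclableRemoteUser) { $_ }
    }

if (-not $stale) { "All remote user mailboxes are ACL-enabled."; return }

"{0} remote mailbox(es) are not ACL-enabled:" -f @($stale).Count
$stale | Select-Object Alias, PrimarySmtpAddress | Format-Table -AutoSize

if ($Fix) {
    $stale | Set-RemoteMailbox -ACLableSyncedObjectEnabled $true
    "Updated. Allow AAD Connect to synchronize before testing cross-premises Full Access."
}
```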

Enabling support for hybrid mailbox permissions in Azure Active Directory Connect

In addition to configuring your on-premises Exchange servers, you also need to make sure your Azure Active Directory Connect (AAD Connect) server is set up to synchronize hybrid mailbox permissions. Here's what you need to do to make sure your AAD Connect server is ready to support these permissions:

  • **Upgrade AAD Connect** AAD Connect needs to be upgraded to at least version 1.1.553.0. You can download the latest version of AAD Connect from Microsoft Azure Active Directory Connect.

  • **Enable Exchange Hybrid in AAD Connect** To synchronize the attributes that enable hybrid mailbox permissions (specifically the Send on Behalf of permission), you need to make sure that the Exchange Hybrid deployment configuration option is enabled in AAD Connect. For information about how to run the AAD Connect installation wizard again to update its configuration, see Azure AD Connect sync: Running the installation wizard a second time.

End user permissions

As with administrator permissions, end users in Exchange Online can be granted permissions. By default, end users are granted permissions via the default role assignment policy. This policy is applied to every mailbox in the Exchange Online organization. If the permissions granted by default are sufficient, you don't need to change anything.

If you do want to customize end user permissions, you can either modify the existing default role assignment policy, or you can create new assignment policies. If you create multiple assignment policies, you can assign different policies to different groups of mailboxes, enabling you to control the permissions granted to each group depending on their requirements. All permissions management for Exchange Online end users must be performed in the Exchange Online organization using either the EAC or remote PowerShell.

Like administrator permissions, end user permissions aren't transferred between the on-premises organization and the Exchange Online organization. Any permissions that you've defined in the on-premises organization must be re-created in the Exchange Online organization.

For more information, see Manage Role Assignment Policies and Change the Assignment Policy on a Mailbox.

The following table lists the permissions granted by the default role assignment policy in the Exchange Online organization.

Default role assignment policy permissions

| Management role | Description |
| --- | --- |
| MyTeamMailboxes | The MyTeamMailboxes management role enables individual users to create site mailboxes and connect them to Microsoft SharePoint sites. |
| My Marketplace Apps | The My Marketplace Apps management role enables individual users to view and modify their Microsoft Office marketplace apps. |
| MyBaseOptions | The MyBaseOptions management role enables individual users to view and modify the basic configuration of their own mailbox and associated settings. |
| MyContactInformation | The MyContactInformation management role enables individual users to modify their contact information, including address and phone numbers. |
| MyDistributionGroupMembership | The MyDistributionGroupMembership management role enables individual users to view and modify their membership in distribution groups in an organization, provided that those distribution groups allow manipulation of group membership. |
| MyDistributionGroups | The MyDistributionGroups management role enables individual users to create, modify, and view distribution groups, and to modify, view, remove, and add members to distribution groups they own. |
| MyMailSubscription | The MyMailSubscription role enables individual users to view and modify their e-mail subscription settings such as message format and protocol defaults. |
| MyProfileInformation | The MyProfileInformation management role enables individual users to modify their name. |
| MyRetentionPolicies | The MyRetentionPolicies management role enables individual users to view their retention tags, and to view and modify their retention tag settings and defaults. |
| MyTextMessaging | The MyTextMessaging management role enables individual users to create, view, and modify their text messaging settings. |
| MyVoiceMail | The MyVoiceMail management role enables individual users to view and modify their voice mail settings. |
| My ReadWriteMailbox Apps | The My ReadWriteMailbox Apps management role enables users to install apps with ReadWriteMailbox permissions. |
| My Custom Apps | The My Custom Apps management role enables users to view and modify their custom apps. |