Exchange Hybrid Cross-Premises Mailbox Permissions Demystified (Part 2)

by Henrik Walther [Published on 17 March 2016 / Last Updated on 17 March 2016]

In part 2, we will set the different mailbox permissions on mailboxes located in an on-premises Exchange 2013 environment that has an Exchange hybrid deployment established with an Exchange Online tenant. We will verify that the permissions get migrated accordingly and that things work as expected in the Outlook 2016 desktop client.

Introduction

In part 1 of this article series revolving around cross-organization mailbox permissions in an Exchange hybrid deployment, I explained the current support stance, and hopefully cleared up some of the confusion that exists everywhere from enterprise organizations and Microsoft Partners to the Exchange and Office 365 communities, and even among consultants and engineers from Microsoft.

Exchange cross-organization permissions are only supported in Exchange hybrid deployment scenarios based on Exchange Server 2013 or Exchange Server 2016. Since Exchange 2010 based hybrid deployments are still fully supported by Microsoft, you may wonder why cross-organization permissions are not supported in this scenario. Well, the reason is that this scenario was not tested by Microsoft. I know there are quite a few Exchange 2010 organizations that are planning to move, or are already moving, to Exchange Online using the hybrid deployment approach. Personally, most of my customers moving to Exchange Online come from Exchange 2010 based on-premises organizations, and I’m sure this is the case for you as well. For this reason, it would be wise if Microsoft put some effort into supporting cross-organization mailbox permissions for Exchange 2010 based hybrid deployments, just like they support this version in the new Exchange hybrid configuration wizard and so on.

When it comes to the client side of things, it is expected you use Outlook on the Web (OotW), Outlook 2013 or Outlook 2016 with the latest updates applied.

Let’s get going.

Testing Full Access Mailbox Permissions Applied Prior to Migration

In the first scenario, we will test whether “Full Access”, “Send As” and “Send on behalf” permissions granted on two mailboxes prior to migrating them to Exchange Online are kept intact after the migration. Joe Howard, who has a mailbox in the on-premises Exchange organization, is granted “Full Access” and “Send As” permissions to Samantha Smith’s mailbox and “Full Access” and “Send on behalf” permissions to Sandra Martinez’s mailbox, both located on-premises.

Note:
We will not test the “Receive As” permission as this is usually not an end user related requirement.

In Figure 1 and Figure 2, you can see the granted permissions on the two mailboxes in the Exchange Admin Center (EAC).

Figure 1: Joe Howard has been granted “Full Access” and “Send As” permissions to Samantha Smith’s mailbox

Figure 2: Joe Howard has been granted “Full Access” and “Send on behalf” permissions to Sandra Martinez’s mailbox

In the Outlook on the Web (OotW) client, we have added the two mailboxes to Joe Howard’s mailbox manually, and in the Outlook 2016 client they have been added via the auto-mapping feature. Also, the “Send As” and “Send on behalf” permissions have been verified to work as expected.

Note:
Outlook on the Web (OotW) does not support the auto-mapping feature, only the Outlook desktop client does.

Figure 3: Mailboxes added to Outlook on the Web (OotW) manually

Figure 4: Mailboxes added to the Outlook 2016 Desktop Client using the Auto-Mapping feature

Okay, let’s move the two mailboxes that Joe Howard has been granted access to, to Exchange Online. For the purpose of this article series, we will do so using the Exchange Admin Center (EAC). Since I have already moved other mailboxes to Exchange Online, the MRS migration endpoint has been configured, so I only need to create the new migration batch and select the respective mailboxes as shown in Figure 5.

Figure 5: New migration batch containing the respective mailboxes

Since we are dealing with two very small test mailboxes, the sync process should be completed in a few minutes.

Figure 6: Mailbox synchronization in process

Once the mailbox migration batch has been completed, let us first verify the permissions granted to Joe Howard have been migrated to the new mailboxes in Exchange Online. We will do so via the property page of the mailbox users in the Exchange Admin Center (EAC), just like we did earlier on in this article. Just remember you need to verify it from the property page of the mailbox in the Exchange Online Admin Center (EAC) and not in the on-premises Exchange Admin Center (EAC) as you will not be able to access the “mailbox delegation” option from the on-premises EAC once the mailboxes have been migrated to Exchange Online.

As can be seen in Figure 7 and Figure 8, the “Full Access”, “Send As” and “Send on behalf” permissions have been migrated as expected.

Figure 7: Verifying “Full Access” and “Send As” mailbox permissions have been migrated to Exchange Online

Figure 8: Verifying “Full Access” and “Send on behalf” mailbox permissions have been migrated to Exchange Online

Remember that even though all permissions have been migrated together with the mailbox, only “Full Access” permissions between mailboxes in the Exchange on-premises environment and Exchange Online are officially supported by Microsoft. The “Send As” and “Send on behalf” permissions are only supported between mailboxes in the same Exchange organization whether that is Exchange on-premises or Exchange Online.
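
The same verification can be scripted instead of read off the EAC property pages. The following PowerShell is an added example, not part of the original article: it assumes an already connected Exchange Online PowerShell session, uses constructed placeholder identities for the two migrated mailboxes, and assumes an on-premises mailbox user appears in Exchange Online as a MailUser. It lists each delegate's “Full Access”, “Send As” and “Send on behalf” rights and flags the entries that fall outside the support stance described above.

```powershell
# Added example; assumes an Exchange Online PowerShell session is already connected.
# The identities below are constructed placeholders for the two migrated mailboxes.
$migrated = 'samantha.smith@contoso.example', 'sandra.martinez@contoso.example'

function Get-DelegateLocation {
    param([string]$Delegate)
    # Assumption: with directory synchronization, an on-premises mailbox user
    # appears in Exchange Online as a MailUser recipient.
    $r = Get-Recipient -Identity $Delegate -ErrorAction SilentlyContinue
    if (-not $r) { return 'Unknown' }
    if ($r.RecipientTypeDetails -eq 'MailUser') { 'OnPremises' } else { 'ExchangeOnline' }
}

function Get-MailboxDelegation {
    param([string]$Mailbox)
    # Full Access: explicit allow entries, skipping inherited and system ACEs
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { $_.AccessRights -like '*FullAccess*' -and -not $_.IsInherited -and
                       -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Delegate = "$($_.User)"; Permission = 'FullAccess' } }
    # Send As is stored as a recipient permission in Exchange Online
    Get-RecipientPermission -Identity $Mailbox |
        Where-Object { $_.AccessRights -like '*SendAs*' -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Delegate = "$($_.Trustee)"; Permission = 'SendAs' } }
    # Send on behalf is a property of the mailbox itself
    (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo | Where-Object { $_ } |
        ForEach-Object { [pscustomobject]@{ Delegate = "$_"; Permission = 'SendOnBehalf' } }
}

$report = foreach ($mbx in $migrated) {
    foreach ($entry in (Get-MailboxDelegation -Mailbox $mbx)) {
        $location = Get-DelegateLocation -Delegate $entry.Delegate
        [pscustomobject]@{
            Mailbox          = $mbx
            Delegate         = $entry.Delegate
            Permission       = $entry.Permission
            DelegateLocation = $location
            # Support stance stated in the article: only Full Access is supported
            # across premises; delegates that cannot be resolved are flagged too.
            SupportedAcrossPremises = ($location -eq 'ExchangeOnline') -or
                                      ($entry.Permission -eq 'FullAccess')
        }
    }
}
$report | Sort-Object Mailbox, Permission | Format-Table -AutoSize
```

Rows where SupportedAcrossPremises is False are the delegations to review before relying on them after the move.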

Okay, let us switch to Joe Howard’s client running the Outlook 2016 desktop client. As you can see, the Outlook 2016 desktop client prompts for credentials and informs Joe Howard that he needs to restart his Outlook client, since the Exchange administrator has made a change. Although we didn’t migrate Joe Howard’s mailbox to Exchange Online, this is expected behavior, as the two mailboxes that were migrated have been added to his Outlook profile via the auto-mapping feature.

Figure 9: Joe Howard is told to restart Outlook since changes have been made

When Outlook has been restarted, Joe Howard will be asked for his credentials again as he needs to authenticate against Exchange Online in order to get access to the two migrated mailboxes.

Important:
If modern authentication is enabled in the Exchange Online tenant, the login experience will be slightly different as the end user will be presented with the ADAL login page and not the basic authentication credentials prompt that he may be used to.

Once authenticated, Joe Howard can see and access the migrated mailboxes as required. Although auto-mapping is not supported between mailboxes in Exchange Online and on-premises Exchange, you will not need to re-add the additional mailboxes in an Outlook 2016 desktop profile. You only need to add them manually if an on-premises mailbox user is granted full access to the mailboxes in Exchange Online after the migration.

Figure 10: Joe Howard still has full access to the two migrated mailboxes

This concludes part 2 of this article series. In part 3, we will continue testing and verifying the client-side functionality as required.

The Author — Henrik Walther

Henrik Walther is a respected writer with special focus on Microsoft Exchange and Office 365 solutions. He works as a Principal Architect/Consultant on engagements of all sizes and complexity and has close to two decades of experience in the IT business.
