Exchange Hybrid Cross-Premises Mailbox Permissions Demystified (Part 4)

by [Published on 21 April 2016 / Last Updated on 21 April 2016]

In this article we will look at mailbox permissions granted via a group and mailbox folder permissions and how these are affected by moving the delegates or delegator to Exchange Online.


Introduction

In part 3 of this article series revolving around cross-organization mailbox permissions in an Exchange hybrid deployment, we tested that the “Full Access” permissions that were migrated with the mailbox in fact work using an Outlook 2016 desktop client. We also tested “Send As” and “Send on Behalf” behavior client-side.

In this part 4, we will continue where we left off in part 3.

Let’s get going.

Mailbox Permissions Granted via a Distribution/Security Group

In the next scenario we are going to look at how permissions granted to an on-premises mailbox using a security group are affected when we move the respective mailbox to Exchange Online.

So I have a security group named “Cross-org Mailbox Permissions Test” with two members, Kevin Kennedy and Kim Akers.

Figure 1: Security Group used for our testing purposes

This group has been granted “Full Access” and “Send As” permissions to Chris Preston’s on-premises mailbox.

Figure 2: Security groups granted Send As permissions to Chris Preston’s mailbox

Figure 3: Security groups granted Full Access permissions to Chris Preston’s mailbox

In addition, the security group has been granted “Full Access” and “Send on behalf” permissions to Clair Hector’s on-premises mailbox.

Figure 4: Security groups granted Full Access and Send on behalf permissions to Clair Hector’s mailbox

Everything is working as expected, in that both delegates can access the mailboxes and send as and send on behalf of these mailbox users as required.

Testing Send As & Send on Behalf Permissions Granted to an On-Premises Mailbox via a Security Group

Let’s see if we can break this by moving Chris Preston and Clair Hector’s mailboxes to Exchange Online. As you may recall, the official Microsoft support statement calls out that inherited (non-explicit) mailbox permissions granted via a distribution list will not be migrated:

“Mailbox permissions migration: On-premises mailbox permissions such as Send As, Receive As, and Full Access that are explicitly applied on the mailbox are migrated to Exchange Online. Inherited (non-explicit) mailbox permissions and any permissions on non-mailbox objects—such as distribution lists or a mail-enabled user—are not migrated. Therefore, you have to plan for configuring these permissions in Office 365 if applicable for your organization.”

Figure 5: Migrating Chris Preston and Clair Hector’s mailbox to Exchange Online

We will first send an e-mail message as Chris Preston. As you can see in Figure 6, it arrives in the mailbox of the recipient. A reply to the message of course also landed in the correct inbox.

Figure 6: Sending an E-Mail Message as Chris Preston via Security Group based permissions

Now let’s send an e-mail message on behalf of Clair Hector. Again, this worked absolutely fine, and we can hereby conclude that “Full Access”, “Send As” and “Send on behalf” permissions granted via a security group are migrated to Exchange Online together with the mailbox data and, just as important, continue to work even though the delegate mailboxes are still located on-premises. Good stuff!

Figure 7: Sending an E-Mail Message on behalf of Chris Preston via Security Group based permissions

Testing Send As & Send on Behalf Permissions Granted to an EXO Mailbox via a Security Group

Now let’s test whether permissions are migrated and whether anything breaks if we migrate the delegates to Exchange Online and not the mailbox that they were granted access to.

Kevin Kennedy, who as you may recall is a member of the security group, has been moved to Exchange Online and now tries to send an e-mail as Anthony Chor. As is the case with “Send As” permissions delegated to individual mailbox users, we get a non-delivery report (NDR):

Your message did not reach some or all of the intended recipients.

Subject: Testing Send As Permissions via group after moving mailbox to EXO

Sent: 4/11/2016 1:43 PM

The following recipient(s) cannot be reached:

'henwal@contoso.com' on 4/11/2016 1:43 PM

This message could not be sent. Try sending the message again later, or contact your network administrator. You do not have the permission to send the message on behalf of the specified user. Error is [0x80070005-0x0004dc-0x000524].

Figure 8: Sending an E-Mail Message as Anthony Chor via Security Group based permissions

As when we grant mailbox permissions to individual mailbox users, this behavior matches perfectly with Microsoft’s support statement.

Now, let’s try “Send on behalf”. Kevin Kennedy fires up one more new message and sends it on behalf of Arlene Huff. It leaves the outbox and… Voila! It arrives in the inbox of the recipient, and likewise a reply to the e-mail message ended up in the inbox of Kevin Kennedy. Success!

Figure 9: Sending an E-Mail Message on behalf of Arlene Huff via Security Group based permissions
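Before moving anything, it helps to know which on-premises mailboxes delegate rights to the group and which group members already live in Exchange Online, since that is the combination that produced the NDR above. The following inventory is an added example, not part of the original article; it assumes the on-premises Exchange Management Shell and that the group is mail-enabled.

```powershell
# Added example (not from the article). Assumptions: on-premises Exchange Management
# Shell in the hybrid organization; the group is mail-enabled so its members resolve.
$GroupName = 'Cross-org Mailbox Permissions Test'   # group name used in the article

$group = Get-Group -Identity $GroupName
# RemoteUserMailbox = member already moved to Exchange Online; UserMailbox = on-premises.
$moved = @(Get-DistributionGroupMember -Identity $GroupName |
    Where-Object { $_.RecipientTypeDetails -eq 'RemoteUserMailbox' })

# Get-Mailbox only returns mailboxes that are still hosted on-premises.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $rights = @()

    # Full Access set explicitly (not inherited) for the group on the mailbox.
    $fa = Get-MailboxPermission -Identity $mbx.Identity -User $GroupName |
        Where-Object { $_.AccessRights -like '*FullAccess*' -and
                       -not $_.IsInherited -and -not $_.Deny }
    if ($fa) { $rights += 'FullAccess' }

    # Send As is an Active Directory extended right on the mailbox user object.
    $sa = Get-ADPermission -Identity $mbx.DistinguishedName -User $GroupName |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and
                       -not $_.IsInherited -and -not $_.Deny }
    if ($sa) { $rights += 'SendAs' }

    # Send on behalf is stored on the mailbox itself in GrantSendOnBehalfTo.
    if ($mbx.GrantSendOnBehalfTo | Where-Object { "$_" -eq "$($group.Identity)" }) {
        $rights += 'SendOnBehalf'
    }

    if ($rights) {
        [pscustomobject]@{
            Mailbox        = $mbx.DisplayName
            RightsViaGroup = $rights -join ', '
            # On-premises mailbox + Send As + delegate in Exchange Online is the
            # case that returned the NDR in the article's lab, so retest these.
            RetestSendAsFor = if ($rights -contains 'SendAs' -and $moved) {
                                  $moved.Name -join '; '
                              } else { '' }
        }
    }
}
$report | Format-Table -AutoSize
```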

Testing Mailbox Non-Default Folder Permissions

So what about mailbox folder permissions that were granted to one or more folders in a mailbox that is migrated to Exchange Online? Will they be migrated and, if yes, will an on-premises mailbox be able to access these folders once the mailbox has been migrated to Exchange Online? Again, based on the Microsoft support statement, they will not, but let’s find out.

I have granted Joe Howard “Publishing Editor” permissions and Jenny Lysaker “Reviewer” permissions to a folder named Finance and a sub-folder of this folder named Budget 2016 in Mark Harrington’s mailbox. All three mailboxes are stored on-premises.

Figure 10: Mailbox Folder Permissions

Figure 11: Sub-folders viewed via the Outlook Desktop Client

We will now move Mark Harrington’s mailbox to Exchange Online. After the move has been completed, we see the “Exchange Administrator has made changes and you must restart Outlook” dialog box appear in Joe Howard’s Outlook client, which is a good sign, as it means his Outlook client was able to pick up the new location of the mailbox.

Figure 12: Exchange Administrator has made changes dialog box

Let’s try to open Mark Harrington’s Outlook client and see whether the mailbox folder permissions have been migrated together with the mailbox data.

As can be seen in Figure 13, we got one more surprise. Joe Howard and Jenny Lysaker are still listed with their respective “Publishing Editor” and “Reviewer” permissions.

Figure 13: Mailbox Folder Permissions migrated with the mailbox

Migrated permissions are one thing, but is the Outlook desktop client capable of listing and allowing access to the mailbox sub-folders? Again a success. They are listed and are accessible.

Figure 14: Mailbox Sub-folders listed and accessible after the mailbox move

Now let’s go through the same mailbox folder permission scenario but where we move the mailboxes that have been granted access to sub-folders.

Again, we have three mailboxes, all currently on-premises: Karen Berge’s mailbox, which is the one with the shared folders, and then Josh Barnhill and Judy Lew, who have “Publishing Editor” and “Reviewer” permissions to a folder named Helpdesk and a sub-folder of this folder named cases.

As can be seen in Figures 15 and 16, permissions are set properly and access to the folders currently works fine from an Outlook desktop client.

Figure 15: Permissions set on Mailbox Folders

Figure 16: Shared folders listed in Outlook desktop client of a delegate

Now let’s move Josh Barnhill and Judy Lew’s mailboxes to Exchange Online.

With the mailboxes moved, let’s switch to the Outlook desktop client of Josh Barnhill. As you can see in Figure 17, Josh Barnhill can still access the shared folders in Karen Berge’s mailbox, which still resides on-premises. Another good result.

Figure 17: Mailbox moved to EXO still has access to shared folders in an on-premises mailbox
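To check the folder-permission results above without clicking through Outlook, the per-folder access list can be captured before the move and compared afterwards. This is an added example, not part of the original article; the function name, the CSV path and the `mharrington` alias are hypothetical, and it assumes the on-premises Exchange Management Shell before the move and an Exchange Online PowerShell session after it.

```powershell
# Added example (not from the article). Get-FolderDelegation is a hypothetical helper.
function Get-FolderDelegation {
    param([Parameter(Mandatory)][string]$Mailbox)

    $mbx = Get-Mailbox -Identity $Mailbox
    foreach ($folder in Get-MailboxFolderStatistics -Identity $mbx.Identity) {
        # FolderPath looks like "/Finance/Budget 2016"; the permission cmdlet
        # expects "<mailbox>:\Finance\Budget 2016".
        $folderId = '{0}:{1}' -f $mbx.PrimarySmtpAddress, $folder.FolderPath.Replace('/', '\')

        # Folders that cannot carry permissions (for example the root entry) raise
        # an error and are skipped. Default and Anonymous entries are not delegates.
        Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue |
            Where-Object { "$($_.User)" -notin 'Default', 'Anonymous' } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder = $folder.FolderPath
                    User   = "$($_.User)"
                    Rights = $_.AccessRights -join ','
                }
            }
    }
}

# Before the move, in the on-premises shell ('mharrington' is a hypothetical alias):
Get-FolderDelegation -Mailbox 'mharrington' |
    Export-Csv -Path .\folders-before.csv -NoTypeInformation

# After the move, in an Exchange Online session. No output means every delegate
# entry (Publishing Editor, Reviewer, ...) survived the migration unchanged.
$before = Import-Csv -Path .\folders-before.csv
$after  = Get-FolderDelegation -Mailbox 'mharrington'
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Folder, User, Rights
```

A difference reported here can also be a delegate whose display name resolves differently in the two environments, so confirm any mismatch against the folder's permission list before re-granting rights.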

As you have seen throughout this article series, we made some very interesting findings that contradict the Microsoft support statement, but it is important to bear in mind that even though I have it working in my specific lab environment, this does not change Microsoft’s support statement and does not mean it necessarily works in your environment. However, it means that you could do the proper testing prior to communicating with your end users and, based on the result, inform them what to expect.

Remember my lab environment is a pure Exchange 2013 organization with an Exchange hybrid with centralized mail flow configured. If you deal with an Exchange organization with a mix of Exchange versions, there are no guarantees you will see the same results as mine.

This concludes part 4, which also was the last part in this article series. You should now have a good understanding of cross-organization mailbox permissions in an Exchange hybrid deployment scenario. As you can see, once again the official support statement from Microsoft doesn’t necessarily match what you see working and not working in your environment.



The Author — Henrik Walther


Henrik Walther is a respected writer with special focus on Microsoft Exchange and Office 365 solutions. He works as a Principal Architect/Consultant on engagements of all sizes and complexity and has close to two decades of experience in the IT business.
