Users cannot access their mailboxes after the migration because of missing permissions

Article translations Article translations
Article ID: 2652193 - View products that this article applies to.
Expand all | Collapse all

Symptoms

After a user's mailbox is migrated to a dedicated Microsoft Office 365 environment, the user cannot access the mailbox by using Microsoft Office Outlook or Microsoft Outlook Web App (OWA). 

Additionally, the user receives one of the following error messages:
  • In Outlook
    Cannot open your default email folders. You do not have permission to log on.
  • In OWA
    You don’t have permission to open this mailbox.

Cause

This problem may occur for one of the following reasons:
  • The NT AUTHORITY\SELF account does not have the Full Access permission and the Read permission to the mailbox.
  • The managed MailUser object did not have the msExchMasterAccountSID attribute present before the migration, and the discretionary access control list (DACL) of the mailbox was not updated correctly during the migration.

Resolution

Note Because the following resolution involves granting a user access to his or her own mailbox, these procedures are exempt from the Authorized Requestor (AR) process.

To resolve this problem, use one or more of the following methods, as appropriate for your situation.

Method 1

Manually add the permissions for NT AUTHORITY\SELF. To do this, use a cmdlet that resembles the following:
Add-MailboxPermission SMTPAddress@<the name of the domain>.com -User "NT AUTHORITY\SELF" -AccessRights FullAccess,ReadPermission
For example, use this cmdlet:
Add-MailboxPermission Jeff.Smith@contoso.com -User "NT AUTHORITY\SELF" -AccessRights FullAccess,ReadPermission

Method 2

If Method 1 does not resolve the problem, or if the permissions for NT AUTHORITY\SELF are already present, grant the user’s linked master account Full Access and External Account permissions.

To do this, use a cmdlet that resembles the following:
Add-MailboxPermission SMTPAddress@<the name of the domain>.com -User <the name of the domain>\Alias –AccessRights FullAccess,ExternalAccount
For example, use this cmdlet:
Add-MailboxPermission Jeff.Smith@contoso.com -User contoso\jsmith -AccessRights FullAccess,ExternalAccount

Properties

Article ID: 2652193 - Last Review: August 13, 2012 - Revision: 2.0
Applies to
  • Microsoft Business Productivity Online Dedicated
  • Microsoft Business Productivity Online Suite Federal
Keywords: 
vkbportal226 KB2652193

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com