Office 365 hybrid delegation requires a specific configuration in the cloud and in the on-premises Active Directory Domain Services (AD DS) environment. The following list discusses the different permissions and how they work in a hybrid deployment.
This article describes the necessary configuration, administration details, and known issues that are associated with different kinds of permissions. If you need help from Microsoft to investigate a specific issue, collect the following diagnostic data from a user who can reproduce the behavior:
- Detailed description of the issue, including the users who are affected and the error message that they receive
- Relevant screen shots or Problem Steps Recorder output
- A configuration report from the Microsoft Support and Recovery Assistant (SaRA)
- Outlook troubleshooting logs
- Fiddler traces, if Microsoft Support requests them
Full Access
- Full Access permissions provide access to all mailbox contents.
- Full Access permissions are granted by administrators only by using the Exchange Admin Center or Remote PowerShell (Add-MailboxPermission).
- Full Access permissions work cross forest together with the Outlook client for Windows.
- Autodiscover is used to find the mailbox even when it's in another forest (by using the target address redirect).
- The following differences apply, depending on how a user tries to access an additional mailbox:
  - Adding as an additional mailbox requires a mailbox in another forest to be ACLable in the user's forest. For more information, see https://technet.microsoft.com/en-us/library/mt784505(v=exchg.150).
  - Auto-mapping will not work until all mailboxes are moved to Exchange Online. For more information, see https://support.microsoft.com/en-us/help/3080561.
  - In some scenarios, a user will see only free/busy information for a calendar to which they have additional permissions. For more information, see https://support.microsoft.com/en-us/help/3187044.
  - The user cannot send on behalf of another user after they add a mailbox as an additional account. For more information, see https://support.microsoft.com/en-US/help/3045224.
- Resource mailboxes have special capabilities and work differently in some scenarios if they're in another forest, as follows:
  - Newly provisioned cloud mailboxes cannot access on-premises mailboxes. For more information, see https://support.microsoft.com/en-US/help/4051496.
  - A new remote mailbox that's created directly in Exchange Online is not ACLable in on-premises Active Directory. For more information, see https://support.microsoft.com/en-US/help/4051497.
  - Customers cannot access a hidden mailbox in Exchange Online. For more information, see https://support.microsoft.com/en-US/help/4034273.
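Two administrative tasks follow from the points above: granting Full Access without Outlook auto-mapping (which does not work cross forest until every mailbox is in Exchange Online) and auditing which trustees actually hold explicit Full Access. The following script is an added example written for this article; it is not Microsoft's code. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) or the on-premises Exchange Management Shell, and the mailbox and user addresses in the comments are constructed.

```powershell
# Added example (not from the article). Assumes an Exchange PowerShell session is already open.

# Grant Full Access without auto-mapping. During coexistence, auto-mapping cannot work cross forest
# and auto-mapped mailboxes cannot be removed by the user, so -AutoMapping:$false is the safer default.
function Grant-FullAccessNoAutoMap {
    param(
        [Parameter(Mandatory)][string]$Mailbox,   # e.g. 'shared-finance@contoso.com' (constructed)
        [Parameter(Mandatory)][string]$User       # trustee, e.g. 'alice@contoso.com' (constructed)
    )
    Add-MailboxPermission -Identity $Mailbox -User $User `
        -AccessRights FullAccess -InheritanceType All -AutoMapping:$false
}

# Audit: list explicit (non-inherited, non-deny) Full Access grants, excluding the mailbox's own
# NT AUTHORITY\SELF entry. Every remaining trustee is someone who can read the whole mailbox.
function Get-ExplicitFullAccess {
    param([string]$Filter = 'RecipientTypeDetails -eq "SharedMailbox"')
    Get-Mailbox -ResultSize Unlimited -Filter $Filter | ForEach-Object {
        $mbx = $_
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                ($_.AccessRights -contains 'FullAccess') -and
                (-not $_.IsInherited) -and
                (-not $_.Deny) -and
                ($_.User -notlike 'NT AUTHORITY\SELF')
            } |
            Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress.ToString() } },
                          @{ n = 'Trustee'; e = { $_.User.ToString() } },
                          AccessRights
    }
}
```

Run `Get-ExplicitFullAccess | Export-Csv .\fullaccess.csv -NoTypeInformation` to get a reviewable list of every non-owner with Full Access on shared mailboxes; change the `-Filter` to `'RecipientTypeDetails -eq "UserMailbox"'` to cover user mailboxes as well. Note that this audit reports the ACL in the forest where the cmdlet runs; because permissions are not synchronized, the on-premises and Exchange Online lists must be collected separately.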
Send As
- Send As permissions enable mail to be sent from the primary email address of another mailbox or mail-enabled user object.
- Permissions are granted by administrators by using the Exchange Admin Center or Remote PowerShell (Add-ADPermission in on-premises Active Directory and Add-RecipientPermission in Exchange Online).
- Permissions must exist in the sending user's forest. For example, if a user's mailbox is moved to Exchange Online, the Send As permissions must be listed on the mail user object that represents the on-premises mailbox.
- Permissions are not synchronized by Azure AD Connect.
- Permissions set in on-premises AD DS must be manually added in Exchange Online for full functionality. For more information, see https://technet.microsoft.com/en-us/library/jj200581(v=exchg.150)#considerations.
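Because Send As is not synchronized, the practical procedure is to export the explicit Send-As entries on-premises and re-create them in Exchange Online. The following script is an added example, not Microsoft's code: the first function runs in the on-premises Exchange Management Shell (Get-ADPermission), the second in an Exchange Online session (Get-/Add-RecipientPermission), with a CSV carried between them. The file path is constructed.

```powershell
# Added example (not from the article). Step 1 runs on-premises, step 2 in Exchange Online.

# Step 1 (on-premises): collect explicit Send-As grants and resolve each trustee to an SMTP address,
# because DOMAIN\sam names are meaningless to the cloud tenant.
function Export-OnPremSendAs {
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'C:\temp\sendas.csv' (constructed)
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                ($_.ExtendedRights -like '*Send-As*') -and
                (-not $_.IsInherited) -and
                (-not $_.Deny) -and
                ($_.User -notlike 'NT AUTHORITY\SELF')
            } |
            ForEach-Object {
                $trustee = Get-Recipient -Identity $_.User.ToString() -ErrorAction SilentlyContinue
                if ($trustee) {
                    [pscustomobject]@{
                        Mailbox = $mbx.PrimarySmtpAddress.ToString()
                        Trustee = $trustee.PrimarySmtpAddress.ToString()
                    }
                }
            }
    } | Export-Csv -Path $Path -NoTypeInformation
}

# Step 2 (Exchange Online): add the same grants, skipping any that already exist so the
# function can be re-run safely. Use -WhatIf first to review what would change.
function Import-CloudSendAs {
    param([Parameter(Mandatory)][string]$Path, [switch]$WhatIf)
    Import-Csv -Path $Path | ForEach-Object {
        $existing = Get-RecipientPermission -Identity $_.Mailbox -Trustee $_.Trustee `
            -AccessRights SendAs -ErrorAction SilentlyContinue
        if ($existing) {
            Write-Verbose "SendAs already present: $($_.Trustee) on $($_.Mailbox)"
        } else {
            Add-RecipientPermission -Identity $_.Mailbox -Trustee $_.Trustee `
                -AccessRights SendAs -Confirm:$false -WhatIf:$WhatIf
        }
    }
}
```

Trustees that cannot be resolved to a recipient on-premises (orphaned SIDs, local groups) are dropped by the export; that is deliberate, since they could not be mapped to a cloud object anyway, but review the on-premises ACLs for such entries before relying on the CSV as complete.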
Folder permissions
- Folders can be accessed cross forest in many scenarios, but they are not fully supported by Microsoft, as outlined in https://docs.microsoft.com/en-us/Exchange/permissions.
- Autodiscover is used to find the mailbox even if it's in another forest (by using the target address redirect).
- Folder access can be granted by users by using Outlook or by administrators by using the Remote PowerShell cmdlet Add-MailboxFolderPermission. The following conditions apply:
  - The Calendar folder works differently in Outlook than other folders do. For more information, see https://support.microsoft.com/en-us/help/3187044.
  - Private items are viewable only if the user is configured correctly as a delegate. For more information, see https://support.microsoft.com/en-US/help/4023846.
  - The user cannot view the calendar of a hidden mailbox in Exchange Online. For more information, see https://support.microsoft.com/en-US/help/4034273.
Send on Behalf of
- "Send on Behalf of" permissions enable mail to be sent on behalf of another email address.
- Permissions can be granted by users by using Outlook or by administrators by using the Exchange Admin Center or Remote PowerShell (Set-Mailbox cmdlet).
- Permissions must exist in the sending user's forest.
- By default, the PublicDelegates attribute (also known as the GrantSendOnBehalfTo attribute in Exchange on-premises) is synchronized to Exchange Online by Azure AD Connect.
- Additional configuration is required to synchronize the PublicDelegates attribute from Exchange Online back to on-premises AD DS. This configuration requires enabling Exchange hybrid deployment settings in Azure AD Connect. For more information, see Exchange hybrid writeback.
  If the Exchange hybrid deployment setting is not enabled, the "Send on Behalf of" permission has to be added manually by an administrator by using Remote PowerShell. To do this, refer to https://support.microsoft.com/en-US/help/4039613.
Delegates
- Delegates can be granted a combination of different rights in Outlook:
  - Folder rights
  - Sending on behalf of
  - Meeting request forwarding rules (hidden rules)
  - The ability to see private items (calendar)
- Some of these rights can be seen and managed by an administrator (such as Folder and "Send on Behalf of" rights). However, some are stored only in the Exchange mailbox (such as meeting-related messages, forwarding rules, and private item visibility).
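The Folder permissions, "Send on Behalf of" and Delegates sections above describe three administrator-visible pieces of a delegate relationship: calendar folder rights, the delegate flag that controls private-item visibility, and the GrantSendOnBehalfTo entry on the manager's mailbox. The following script is an added example, not Microsoft's code, that configures and then reads back all three from PowerShell. It assumes an Exchange Online session (the -SharingPermissionFlags parameter is an Exchange Online feature of Add-/Set-MailboxFolderPermission); the manager and delegate addresses are constructed.

```powershell
# Added example (not from the article). Assumes an Exchange Online PowerShell session.

function Set-CalendarDelegate {
    param(
        [Parameter(Mandatory)][string]$Manager,    # e.g. 'manager@contoso.com' (constructed)
        [Parameter(Mandatory)][string]$Delegate,   # e.g. 'assistant@contoso.com' (constructed)
        [switch]$CanViewPrivateItems
    )
    $folder = "${Manager}:\Calendar"
    $flags  = @('Delegate')
    if ($CanViewPrivateItems) { $flags += 'CanViewPrivateItems' }

    # Folder rights plus the Delegate flag. Plain Editor rights are not enough: private items are
    # visible only when the user is marked as a delegate, which is what the flag records.
    $existing = Get-MailboxFolderPermission -Identity $folder -User $Delegate -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $folder -User $Delegate `
            -AccessRights Editor -SharingPermissionFlags ($flags -join ',')
    } else {
        Add-MailboxFolderPermission -Identity $folder -User $Delegate `
            -AccessRights Editor -SharingPermissionFlags ($flags -join ',')
    }

    # Send on Behalf lives on the manager's mailbox (GrantSendOnBehalfTo / PublicDelegates).
    Set-Mailbox -Identity $Manager -GrantSendOnBehalfTo @{ Add = $Delegate }
}

# Read back what an administrator can see for the pair. Meeting-forwarding rules are not
# returned here: they live inside the mailbox and are not exposed by these cmdlets.
function Get-CalendarDelegateStatus {
    param(
        [Parameter(Mandatory)][string]$Manager,
        [Parameter(Mandatory)][string]$Delegate
    )
    $cal = Get-MailboxFolderPermission -Identity "${Manager}:\Calendar" -User $Delegate -ErrorAction SilentlyContinue
    $mbx = Get-Mailbox -Identity $Manager
    [pscustomobject]@{
        Manager        = $Manager
        Delegate       = $Delegate
        CalendarRights = if ($cal) { $cal.AccessRights } else { 'none' }
        SharingFlags   = if ($cal) { $cal.SharingPermissionFlags } else { 'none' }
        SendOnBehalfTo = $mbx.GrantSendOnBehalfTo
    }
}
```

Example call: `Set-CalendarDelegate -Manager 'manager@contoso.com' -Delegate 'assistant@contoso.com' -CanViewPrivateItems`, then `Get-CalendarDelegateStatus` with the same pair to confirm. When the manager is still on-premises, the Set-Mailbox step must run in the on-premises shell instead, since "Send on Behalf of" has to exist in the sending user's forest.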
- Basic functionality works cross-forest by using Outlook for Windows. The following conditions apply:
  - Users can access other user folders (Folder rights and Full Access).
  - Users can send on behalf of a user from another forest.
  - Rules to forward meeting invitations will be delivered successfully.
  - New delegates can be added if users exist in different forests.
- In the Scheduling Assistant, no details or only limited free/busy information is listed for mailboxes in another forest.
- Some functionality does not work in Outlook Web App (OWA). For more information, see the following articles:
  - Delegates cannot accept meeting invitations in OWA if the manager is in another forest during coexistence. For more information, see https://support.microsoft.com/en-us/help/4089867.
  - Delegates can see only free/busy information in OWA if the manager is in another forest during coexistence. For more information, see https://support.microsoft.com/en-us/help/4089865.
- Workflows between the manager and delegate users differ, and problems may be experienced.
- We recommend that you move your manager and delegate users together as much as possible. The following conditions apply:
  - When they're moved separately, delegates may not be able to see private calendar items. For more information, see https://support.microsoft.com/en-US/help/4023846.
  - Misconfigured delegates may result in a non-delivery report. For more information, see https://support.microsoft.com/en-us/help/4038474/.
- The LegacyExchangeDN attribute of Exchange Online and on-premises objects should be synchronized as X500 addresses between the forests to avoid name resolution issues. This requires enabling Exchange hybrid deployment settings in Azure AD Connect. For more information, see Exchange hybrid writeback.
- If the Exchange hybrid deployment setting is not enabled, delegates may see a non-delivery report when they update meetings. For more information, see https://support.microsoft.com/en-us/help/4039597.
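The last two points give a concrete check an administrator can run before users report non-delivery reports: every on-premises LegacyExchangeDN should be present as an X500 proxy address on the matching Exchange Online object. The following script is an added example, not Microsoft's code. The export runs in the on-premises Exchange Management Shell, the check in an Exchange Online session; the CSV path is constructed.

```powershell
# Added example (not from the article). Export runs on-premises, the test runs in Exchange Online.

# On-premises: capture each mailbox's LegacyExchangeDN. After a move, the cloud object must carry
# it as 'X500:<LegacyExchangeDN>' so that cached recipient entries and meeting updates still resolve.
function Export-OnPremLegacyDN {
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'C:\temp\legacydn.csv' (constructed)
    Get-Recipient -ResultSize Unlimited `
        -RecipientTypeDetails UserMailbox, SharedMailbox, RoomMailbox, EquipmentMailbox |
        Select-Object @{ n = 'Smtp'; e = { $_.PrimarySmtpAddress.ToString() } }, LegacyExchangeDN |
        Export-Csv -Path $Path -NoTypeInformation
}

# Exchange Online: report every recipient that is missing the expected X500 address (or is missing
# entirely). An empty result means the LegacyExchangeDN values are synchronized as described above.
function Test-CloudX500 {
    param([Parameter(Mandatory)][string]$Path)
    Import-Csv -Path $Path | ForEach-Object {
        $expected = 'X500:' + $_.LegacyExchangeDN
        $cloud    = Get-Recipient -Identity $_.Smtp -ErrorAction SilentlyContinue
        $hasX500  = $false
        if ($cloud) {
            $addresses = $cloud.EmailAddresses | ForEach-Object { $_.ToString() }
            $hasX500   = $addresses -contains $expected
        }
        [pscustomobject]@{
            Smtp     = $_.Smtp
            Found    = [bool]$cloud
            HasX500  = $hasX500
            Expected = $expected
        }
    } | Where-Object { -not $_.HasX500 }
}
```

The same check in the other direction (cloud LegacyExchangeDN present as X500 on the on-premises remote mailbox) is what the Exchange hybrid writeback feature of Azure AD Connect maintains; if `Test-CloudX500` returns rows, confirm that the hybrid deployment setting is enabled and that the affected objects are in the synchronization scope before adding X500 addresses by hand.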