Adding or removing mailbox permission in EAC doesn't address the msExchDelegateListLink attribute in Exchange Server 2019 and 2016

Applies to: Exchange Server 2019Exchange Server 2016 Enterprise EditionExchange Server 2016 Standard Edition

Symptoms


Different administrators or designated help groups may use the Exchange Management Shell to grant or remove Full Access permissions, and other administrators may use the Exchange Admin Center (EAC) to remove or add these permissions. In this scenario (and vice versa), the AD information isn't correctly removed which will result in the clients still being auto mapped a shared mailbox that they don’t have access to. In addition, if the clients previously checked “Download Shared Folders” in Outlook, even without permission, the users would still all previously sync mail items for the shared mailbox while they had permission. However, they are now no longer able to do anything out of this shared mailbox. This issue results in confusion for administrators and users.

Cause


This issue is specific to resource forest scenario. While adding or removing mailbox permission from command line interface, the msExchDelegateListLink attribute isn’t populated or removed if an account forest user is provided to the add or remove permission. When the EAC is used with linked objects, the source AD object is referenced instead of the linked AD object. It causes the add-mailboxpermission cmdlet not to complete its internal process of modifying appropriate linked object AD attributes.

Resolution


To fix this issue, install one of the following updates:
For Exchange Server 2019, install the Cumulative Update 3 for Exchange Server 2019 or a later cumulative update for Exchange Server 2019.
For Exchange Server 2016, install the Cumulative Update 14 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.

References


Learn about the terminology that Microsoft uses to describe software updates.