Users cannot access their mailboxes after the migration because of missing permissions

After a user's mailbox is migrated to a dedicated Microsoft Office 365 environment, the user cannot access the mailbox by using Microsoft Office Outlook or Microsoft Outlook Web App (OWA). 

Additionally, the user receives one of the following error messages:
  • In Outlook
    Cannot open your default email folders. You do not have permission to log on.
  • In OWA
    You don’t have permission to open this mailbox.
This problem may occur for one of the following reasons:
  • The NT AUTHORITY\SELF account does not have the Full Access permission and the Read permission to the mailbox.
  • The managed MailUser object did not have the msExchMasterAccountSID attribute present before the migration, and the discretionary access control list (DACL) of the mailbox was not updated correctly during the migration.
Note: Because the following resolution involves granting a user access to his or her own mailbox, these procedures are exempt from the Authorized Requestor (AR) process.

To resolve this problem, use one or more of the following methods, as appropriate for your situation.

Method 1

Manually add the permissions for NT AUTHORITY\SELF. To do this, use a cmdlet that resembles the following:
Add-MailboxPermission SMTPAddress@<the name of the domain>.com -User "NT AUTHORITY\SELF" -AccessRights FullAccess,ReadPermission
For example, use this cmdlet:
Add-MailboxPermission jsmith@contoso.com -User "NT AUTHORITY\SELF" -AccessRights FullAccess,ReadPermission

Method 2

If Method 1 does not resolve the problem, or if the permissions for NT AUTHORITY\SELF are already present, grant the user’s linked master account Full Access and External Account permissions.

To do this, use a cmdlet that resembles the following:
Add-MailboxPermission SMTPAddress@<the name of the domain>.com -User <the name of the domain>\Alias -AccessRights FullAccess,ExternalAccount
For example, use this cmdlet:
Add-MailboxPermission jsmith@contoso.com -User contoso\jsmith -AccessRights FullAccess,ExternalAccount
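
The following is an added example, not part of the original article or Microsoft's own code. It reads the mailbox permissions first and grants only the rights from Method 1 or Method 2 that are actually missing, so no access is added blindly. The function name Repair-SelfMailboxAccess, its parameters, and the sample identities are hypothetical; it assumes an Exchange Management Shell session in which Get-MailboxPermission and Add-MailboxPermission are available.

```powershell
# Added example (hypothetical helper). Run with -WhatIf first to preview changes.
function Repair-SelfMailboxAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,   # e.g. jsmith@contoso.com
        [string]$MasterAccount                             # e.g. contoso\jsmith (Method 2)
    )

    # Returns the rights in $Wanted that $User does not hold through an allow entry.
    function Get-MissingRight([string]$User, [string[]]$Wanted) {
        $held = @(Get-MailboxPermission -Identity $Mailbox -User $User |
            Where-Object { -not $_.Deny } |
            ForEach-Object { $_.AccessRights } |
            ForEach-Object { $_.ToString() -split ',\s*' })
        $Wanted | Where-Object { $held -notcontains $_ }
    }

    # Method 1: NT AUTHORITY\SELF needs FullAccess and ReadPermission.
    $self = 'NT AUTHORITY\SELF'
    $missing = @(Get-MissingRight $self 'FullAccess', 'ReadPermission')
    if ($missing.Count -gt 0) {
        if ($PSCmdlet.ShouldProcess($Mailbox, "Grant $self : $($missing -join ',')")) {
            Add-MailboxPermission -Identity $Mailbox -User $self -AccessRights $missing
        }
        return
    }
    Write-Verbose "$self already has FullAccess and ReadPermission on $Mailbox."

    # Method 2: SELF is already correct, so check the linked master account.
    if (-not $MasterAccount) {
        Write-Warning 'SELF permissions are present. Supply -MasterAccount to apply Method 2.'
        return
    }
    $missing = @(Get-MissingRight $MasterAccount 'FullAccess', 'ExternalAccount')
    if ($missing.Count -eq 0) {
        Write-Verbose "$MasterAccount already has FullAccess and ExternalAccount."
        return
    }
    if ($PSCmdlet.ShouldProcess($Mailbox, "Grant $MasterAccount : $($missing -join ',')")) {
        Add-MailboxPermission -Identity $Mailbox -User $MasterAccount -AccessRights $missing
    }
}

# Constructed sample call: preview only, nothing is changed.
Repair-SelfMailboxAccess -Mailbox 'jsmith@contoso.com' -MasterAccount 'contoso\jsmith' -WhatIf -Verbose
```

Deny entries are deliberately not counted as held rights, so a mailbox whose access is blocked by an explicit deny still needs separate review.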

Article ID: 2652193 - Last Review: 04/16/2015 12:47:00 - Revision: 4.0

  • Microsoft Business Productivity Online Dedicated
  • Microsoft Business Productivity Online Suite Federal