Can’t grant "full access" or "send as" permissions to an object by using Remote PowerShell in Office 365 dedicated/ITAR

Symptoms
When you try to grant "full access" or "send as" permissions to an object by using Remote PowerShell in Office 365 dedicated/ITAR, the operation is unsuccessful. The "full access" and "send as" permissions do not list the correct mailbox permissions.
Cause
The Office 365 dedicated/ITAR Exchange environment is a dedicated Microsoft Exchange environment (also known as a resource forest). In this configuration, the enabled user from the customer source forest is associated with a mailbox that's attached to a disabled user in the managed forest. If the security object from the customer source forest is not granted permissions explicitly, the permissions do not work as expected.
Resolution
When you grant permissions by using Remote PowerShell in the Office 365 dedicated/ITAR managed environment, you should use the Domain\SamAccountName format to specify the enabled user to be granted the permissions. For example:

Add-MailboxPermission kirk -AccessRights fullaccess -User DomainName\UserName
This command will grant the enabled user from the customer source forest the appropriate permissions.

If the user exists in a managed environment, you can typically identify his or her Domain\SamAccountName information by looking at the LinkedMasterAccount field that's displayed when you run the Get-Mailbox cmdlet. For example:

Get-Mailbox UserName| ft LinkedMasterAccountLinkedMasterAccount : DomainName\UserName

Note Tools such as Customer Management Portal (CMP) and Exchange Admin Center (EAC) automatically grant permissions for an enabled user object that's linked to a managed object.
More information
Properties

Article ID: 2958853 - Last Review: 03/10/2016 09:16:00 - Revision: 3.0

Microsoft Business Productivity Online Dedicated, Microsoft Business Productivity Online Suite Federal

  • vkbportal226 KB2958853
Feedback