Administrators can’t use Exchange Admin Center (EAC) to manage permissions for security groups in Office 365 dedicated/ITAR

Symptoms
In Microsoft Office 365 dedicated/ITAR, when an administrator uses Exchange Admin Center (EAC) to add Full Access or Send As permissions for a security group to a Microsoft Exchange Server 2013 mailbox, group members don’t receive the correct access. Administrators will see the managed group object listed as having permissions. However, members can’t access the mailbox or send as the mailbox.

Note Full Access and Send As permissions for user objects that were added by using EAC will work as expected.

Workaround
To work around this issue, administrators who are members of the SSA-Mail Recipients (MR) role group should grant permissions to groups by using Remote PowerShell.  

If Remote PowerShell can’t be used to complete the task, you may submit a support incident online to Microsoft Online Services Support. Or, you can contact Microsoft Online Services Support by telephone. Approval from an MOSSUP-recognized authorized requestor will be required.

Note When you use Remote PowerShell, always specify the source user or group object in the User parameter in the format Domain\samAccountName. Don’t specify the SMTP address or alias, because this will add the managed object to the permission list.

Full Access permissions

You can add Full Access permissions by using the Add-MailboxPermission cmdlet. For example:

Add-MailboxPermission -Identity "Mailbox" -User "Domain\samAccountName" -AccessRight FullAccess

You can remove Full Access permissions by using the Remove-MailboxPermission cmdlet. For example:

Remove-MailboxPermission -Identity "Mailbox" -User "Domain\samAccountName" -AccessRight FullAccess

Send As permissions

You can add Send As permissions by using the Add-ADPermission cmdlet. For example:

Get-Mailbox "Mailbox" | Add-ADPermission -User "Domain\samAccountName" -AccessRights Extendedright -ExtendedRights "Send As"

Note The Add-ADPermission cmdlet requires the mailbox object to be piped in to the cmdlet by using the Get-Mailbox cmdlet. You can’t specify the mailbox by using the Identity parameter.

You can remove Send As permissions by using the Remove-ADPermission cmdlet. For example:

Get-Mailbox "Mailbox" | Remove-ADPermission -User "Domain\samAccountName" -AccessRights Extendedright -ExtendedRights "Send As"
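
One way to enforce the Domain\samAccountName rule before granting Full Access or Send As, and then read back the entries that were written. This is an added example, not part of the original article or Microsoft's code. The function names are hypothetical, and it assumes the Get-MailboxPermission and Get-ADPermission cmdlets are available in the same Remote PowerShell session.

```powershell
# Added example. Function names are hypothetical; run inside an established
# Remote PowerShell session where the Exchange cmdlets are already imported.
function Test-DomainSamFormat {
    param([Parameter(Mandatory = $true)][string]$User)
    # Exactly one backslash, no '@' (SMTP address), and not a bare alias.
    return $User -match '^[^\\@\s]+\\[^\\@]+$'
}

function Grant-GroupMailboxAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string]$User,
        [switch]$FullAccess,
        [switch]$SendAs
    )
    if (-not (Test-DomainSamFormat -User $User)) {
        throw "'$User' is not in Domain\samAccountName format; nothing was changed."
    }
    # Fail early if the mailbox does not resolve.
    $mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

    if ($FullAccess -and $PSCmdlet.ShouldProcess($Mailbox, "Grant FullAccess to $User")) {
        Add-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess | Out-Null
    }
    if ($SendAs -and $PSCmdlet.ShouldProcess($Mailbox, "Grant Send As to $User")) {
        # Add-ADPermission takes the mailbox object from the pipeline.
        $mbx | Add-ADPermission -User $User -AccessRights ExtendedRight -ExtendedRights "Send As" | Out-Null
    }

    # Read back the explicit entries so the trustee that was written can be reviewed.
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and ($_.AccessRights -like '*FullAccess*') } |
        Select-Object @{ n = 'Right'; e = { 'FullAccess' } }, User, Deny
    $mbx | Get-ADPermission |
        Where-Object { -not $_.IsInherited -and ($_.ExtendedRights -like '*Send-As*') } |
        Select-Object @{ n = 'Right'; e = { 'Send As' } }, User, Deny
}

# Constructed sample values; -WhatIf previews the grants without applying them.
# Grant-GroupMailboxAccess -Mailbox "Mailbox" -User "Domain\samAccountName" -FullAccess -SendAs -WhatIf
```

The read-back lists every explicit trustee on the mailbox, so an entry left behind by an earlier EAC grant shows up next to the new one and can be reviewed for removal.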

Status
This issue is under investigation by Microsoft.

Properties

Article ID: 3130084 - Last Review: 08/11/2016 12:49:00 - Revision: 3.0

Microsoft Business Productivity Online Dedicated, Microsoft Business Productivity Online Suite Federal
