Administrators can’t use Exchange Admin Center (EAC) to manage permissions for security groups in Office 365 dedicated/ITAR


In Microsoft Office 365 dedicated/ITAR, Full Access and Send As permissions that an administrator adds for security groups to Microsoft Exchange Server 2013 mailboxes by using Exchange Admin Center (EAC) don't give group members the correct access. Administrators will see that the managed group object is listed as having permissions. However, members can’t access the mailbox or send as the mailbox.

Note Full Access and Send As permissions for user objects that were added by using EAC will work as expected.


To work around this issue, administrators who are members of the SSA-Mail Recipients (MR) role group should grant permissions to groups by using Remote PowerShell.  

If Remote PowerShell can’t be used to complete the task, you may submit a support incident online to Microsoft Online Services Support. Or, you can contact Microsoft Online Services Support by telephone. Approval from an MOSSUP-recognized authorized requestor will be required.

Note When you use Remote PowerShell, you should always specify the source user or group object in the User parameter in the format Domain\samAccountName. You shouldn’t specify the SMTP address or alias, because this will add the managed object to the permission list.

Full Access permissions

You can add Full Access permissions by using the Add-MailboxPermission cmdlet. For example:

Add-MailboxPermission -Identity "Mailbox" -User "Domain\samAccountName" -AccessRights FullAccess

You can remove Full Access permissions by using the Remove-MailboxPermission cmdlet. For example:

Remove-MailboxPermission -Identity "Mailbox" -User "Domain\samAccountName" -AccessRights FullAccess

Send As permissions

You can add Send As permissions by using the Add-ADPermission cmdlet. For example:

Get-Mailbox "Mailbox" | Add-ADPermission -User "Domain\samAccountName" -AccessRights ExtendedRight -ExtendedRights "Send As"

Note The Add-ADPermission cmdlet requires the mailbox object to be piped in to the cmdlet by using the Get-Mailbox cmdlet. You can’t specify the mailbox by using the Identity parameter.

You can remove Send As permissions by using the Remove-ADPermission cmdlet. For example:

Get-Mailbox "Mailbox" | Remove-ADPermission -User "Domain\samAccountName" -AccessRights ExtendedRight -ExtendedRights "Send As"
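
One way to script the workaround above so that the Domain\samAccountName rule is enforced before any permission is written. This is an added example, not Microsoft's code: the function name Grant-GroupMailboxAccess and its parameters are hypothetical, and an open Remote PowerShell session to Exchange is assumed.

```powershell
# Added example. Grant-GroupMailboxAccess is a hypothetical helper, not a
# Microsoft cmdlet. Assumes an open Remote PowerShell session to Exchange.
function Grant-GroupMailboxAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string]$User,
        [switch]$FullAccess,
        [switch]$SendAs
    )

    # Accept only Domain\samAccountName. An SMTP address or alias would add
    # the managed object to the permission list, so reject it up front.
    if ($User -notmatch '^[^\\@\s]+\\[^\\@]+$') {
        throw "User '$User' must be in the format Domain\samAccountName."
    }
    if (-not ($FullAccess -or $SendAs)) {
        throw 'Specify -FullAccess, -SendAs, or both.'
    }

    # Fail before changing anything if the mailbox does not resolve.
    $null = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

    if ($FullAccess) {
        $null = Add-MailboxPermission -Identity $Mailbox -User $User `
            -AccessRights FullAccess -ErrorAction Stop
    }
    if ($SendAs) {
        # Add-ADPermission needs the mailbox piped in from Get-Mailbox.
        $null = Get-Mailbox -Identity $Mailbox |
            Add-ADPermission -User $User -AccessRights ExtendedRight `
                -ExtendedRights 'Send As' -ErrorAction Stop
    }

    # Read the entries back for the same Domain\samAccountName.
    $fa = Get-MailboxPermission -Identity $Mailbox -User $User |
        Where-Object { $_.AccessRights -like '*FullAccess*' }
    # The Send As right is shown as Send-As in Get-ADPermission output.
    $sa = Get-Mailbox -Identity $Mailbox | Get-ADPermission -User $User |
        Where-Object { $_.ExtendedRights -like '*Send-As*' }

    [pscustomobject]@{
        Mailbox          = $Mailbox
        User             = $User
        FullAccessListed = [bool]$fa
        SendAsListed     = [bool]$sa
    }
}

# Placeholder values, as in the article's own examples:
# Grant-GroupMailboxAccess -Mailbox 'Mailbox' -User 'Domain\samAccountName' -FullAccess -SendAs
```

FullAccessListed and SendAsListed only confirm that an entry exists under that account name. Have a member of the group open the mailbox and send as it to confirm that access works.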


This issue is under investigation by Microsoft.
Properties

Article ID: 3130084 - Last Review: 11-08-2016 - Revision: 1