Overview of delegation in an Office 365 hybrid environment

Symptoms

Microsoft Exchange Online customers have issues in the functionality of their Full Access, Send As, Send on Behalf of, and Folder permissions.

Cause

For Office 365 hybrid delegation to work as expected, multiple requirements must be met.

Resolution

Office 365 hybrid delegation requires a specific configuration in the cloud and in the on-premises Active Directory Domain Services (AD DS) environment. The following list discusses the different permissions and how they work in a hybrid deployment.

This article describes the necessary configuration, administration details, and known problems that are associated with different kinds of permissions. If you need help from Microsoft to investigate a specific issue, collect the following diagnostic data from a user who can reproduce the behavior:

  • Detailed description of the issue, including the users who are affected and the error message that they receive
  • Relevant screenshots or Problem Steps Recorder output
  • A configuration report from Microsoft SaRa Support and Recovery Tool
  • Outlook troubleshooting logs

Full Access

  • Full Access permissions provide access to all mailbox contents.

  • Full Access permissions are granted by administrators only by using Exchange Admin Center or Remote PowerShell (Add-MailboxPermission).

  • Full Access permissions will work cross forest together with the Outlook client for Windows.

  • Autodiscover is used to find the mailbox even when it's in another forest (by using the target address redirect).

  • The following differences apply, depending on how a user tries to access an additional mailbox:

    • Adding as an additional mailbox requires a mailbox in another forest to be ACLable in the user's forest. For more information, see Configure Exchange to support delegated mailbox permissions in a hybrid deployment.
    • Auto-mapping will not work until all related mailboxes are moved to Exchange Online. Any mailboxes that receive permissions from another mailbox need to be moved at the same time as the granting mailbox. If a mailbox receives permissions from multiple mailboxes, that mailbox, and all of the mailboxes granting permissions to it, need to be moved at the same time. For more information, see Auto-mapping doesn't work as expected in an Office 365 hybrid environment and Permissions in Exchange hybrid deployments.
    • In some scenarios, a user will see only free/busy information for a calendar to which they have additional permissions. For more information, see Can't view cross-forest calendar data in Office 365 hybrid environment.
    • The user cannot send on behalf of another user after they add a mailbox as an additional account. For more information, see Can't send an email message when Full Access permission is granted to a shared mailbox in Exchange Server.
  • Resource mailboxes have special capabilities and work differently in some scenarios if they're in another forest, as follows:

    • Resource mailboxes cannot be added as additional mailboxes. For more information, see Can't add a Room or Resource mailbox in an Office 365 hybrid environment.
    • Customers cannot grant permissions to a resource mailbox. For more information, see Can't add permissions to a room mailbox in another forest in an Office 365 hybrid environment.
  • Newly provisioned cloud mailboxes cannot access on-premises mailboxes. For more information, see Can't add an on-premises mailbox as an additional mailbox in Exchange Online.

  • A new remote mailbox that's created directly in Exchange Online is not ACLable in on-premises Active Directory. For more information, see A remote mailbox created in on-premises AD DS is not ACLable in Exchange Online.

  • Customers cannot access a hidden mailbox in Exchange Online. For more information, see Can't access a hidden mailbox in Outlook after a migration to Office 365 hybrid environment.

Send As

  • Send As works in many scenarios, but is not fully supported by Microsoft as outlined in Permissions in Exchange hybrid deployments.
  • Send As permissions enable mail to be sent from another mailbox or mail-enabled user object's primary email address.
  • Permissions are granted by administrators by using the Exchange Admin Center or Remote PowerShell (Add-ADPermission in on-premises Active Directory and Add-RecipientPermission in Exchange Online).
  • Permissions must exist in the sending user's forest. For example, if a user's mailbox is moved to Exchange Online, the Send As permissions must be listed on the mail user object that represents the on-premises mailbox.
  • Permissions are not synchronized by Azure AD Connect.
  • Permissions set in on-premises AD DS must be manually added in Exchange Online for full functionality. For more information, see Exchange hybrid deployment considerations.
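
Because Send As entries are not synchronized, the two sides drift unless someone reconciles them. The following is an added example, not part of the original article: it exports explicit on-premises Send As grants and then reports which ones are missing in Exchange Online before adding them. The CSV file name is hypothetical, and it assumes each trustee is an on-premises mailbox user; trustees that are groups or already-migrated users are skipped and need manual handling.

```powershell
# --- Part 1: on-premises Exchange Management Shell ---
# Collect explicit, allow-type Send As entries for every on-premises mailbox.
$export = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Finish the Get-ADPermission pipeline before calling other cmdlets.
    $aces = Get-ADPermission -Identity $mbx.DistinguishedName | Where-Object {
        $_.ExtendedRights -like '*Send-As*' -and
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\*'
    }
    foreach ($ace in $aces) {
        # Assumption: the trustee is a mailbox user, so DOMAIN\user resolves
        # to an SMTP address that also identifies the object in the cloud.
        $trustee = Get-Mailbox -Identity $ace.User.ToString() -ErrorAction SilentlyContinue
        if ($trustee) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress.ToString()
                Trustee = $trustee.PrimarySmtpAddress.ToString()
            }
        }
    }
}
$export | Export-Csv -Path .\OnPremSendAs.csv -NoTypeInformation  # hypothetical file name

# --- Part 2: Exchange Online PowerShell session (after Connect-ExchangeOnline) ---
# List on-premises Send As grants that have no matching grant in Exchange Online.
$missing = foreach ($row in Import-Csv -Path .\OnPremSendAs.csv) {
    $found = Get-RecipientPermission -Identity $row.Mailbox -Trustee $row.Trustee `
        -AccessRights SendAs -ErrorAction SilentlyContinue
    if (-not $found) { $row }
}
$missing | Format-Table Mailbox, Trustee

# Review the list first. -WhatIf only previews; remove it to apply the grants.
foreach ($row in $missing) {
    Add-RecipientPermission -Identity $row.Mailbox -Trustee $row.Trustee `
        -AccessRights SendAs -Confirm:$false -WhatIf
}
```

Reviewing `$missing` before applying is also a chance to drop Send As grants that are no longer needed rather than carrying them into the cloud.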

Folder access

  • Folders can be accessed cross forest in many scenarios, but they are not fully supported by Microsoft as outlined in Permissions in Exchange hybrid deployments.

  • Autodiscover is used to find the mailbox even if it's in another forest (by using the target address redirect).

  • Folder access can be granted by users by using Outlook or by administrators by using the Remote PowerShell cmdlet Add-MailboxFolderPermission. The following conditions apply:

    • The Calendar folder works differently in Outlook than other folders do. For more information, see Can't view cross-forest calendar data in Office 365 hybrid environment.
    • Private items are viewable only if the user is configured correctly as a delegate. For more information, see Delegates are not listed correctly in Outlook after a migration to Office 365 hybrid environment.
    • The user cannot view the calendar of a hidden mailbox in Exchange Online. For more information, see Can't access a hidden mailbox in Outlook after a migration to Office 365 hybrid environment.

Send on Behalf of

  • Send on Behalf of permissions enable mail to be sent on behalf of another email address.

  • Permissions can be granted by users by using Outlook or by administrators by using Exchange Admin Center or Remote PowerShell (Set-Mailbox cmdlet).

  • Permissions must be in the sending user's forest.

  • By default, the PublicDelegates attribute (also known as the GrantSendOnBehalfTo attribute in Exchange on-premises) is synchronized to Exchange Online by Azure AD Connect.

  • Additional configuration is required to synchronize the PublicDelegates attribute with on-premises AD DS. This configuration requires enabling Exchange hybrid deployment settings in Azure AD Connect. For more information, see Exchange hybrid writeback.

    Screenshot of the optional features in Azure AD Connect dialog box.

  • If Exchange hybrid deployment setting is not enabled, the Send on Behalf of permission has to be added manually by an administrator by using Remote PowerShell. To do this, refer to Delegate can't send on behalf of after migration to Microsoft 365 hybrid environment.

Delegates

  • Delegates can be granted a combination of different rights in Outlook:

    • Folder rights
    • Sending on behalf of
    • Meeting request forwarding rules (hidden rules)
    • The ability to see private items (calendar)

    Screenshot of the Delegates window.

  • Some of these rights can be seen and managed by an administrator (such as Folder and Send on Behalf of rights). However, some are stored only in the Exchange mailbox (such as meeting-related messages, forwarding rules, and private item visibility).

  • Basic functionality works cross-forest by using Outlook for Windows. The following conditions apply:

    • Users can access other user folders (Folder rights and Full Access).
    • Users can send on behalf of a user from another forest.
    • Rules to forward meeting invitations will be delivered successfully.
    • New delegates can be added if users exist in different forests.
  • In the Scheduling Assistant, no details or limited free/busy information is listed for mailboxes in another forest. The following conditions apply:

    • Users can't see free/busy information after a mailbox is moved to Office 365
    • Users can see only basic free/busy mailbox information in a remote forest in Office 365
  • Some functionality does not work in Outlook Web App (OWA). For more information, see the following articles:

    • Delegates cannot accept meeting invitations in OWA if the manager is in another forest during coexistence. For more information, see Delegate can't accept meeting request in OWA when manager is in another forest during coexistence.
    • Delegates can see free/busy information in OWA only if the manager is in another forest during coexistence. For more information, see Delegate can only see free/busy data in OWA when manager is in another forest during coexistence.
  • Workflows between the manager and delegate users differ, and problems may be experienced.

  • We recommend that you move your manager and delegate users together as much as possible. The following conditions apply:

    • When they're moved separately, delegates may not be able to see private calendar items. For more information, see Delegates are not listed correctly in Outlook after a migration to Office 365 hybrid environment.

    • Misconfigured delegates may result in a non-delivery report. For more information, see Users receive NDR 5.2.0 when they send meeting invites in Office 365 hybrid environment.

    • The LegacyExchangeDN attribute of objects from Exchange Online and on-premises should be synchronized as x500 addresses between forests to avoid resolution problems. This requires enabling Exchange hybrid deployment settings in AD Connect. For more information, see Exchange hybrid writeback.

      Screenshot of the optional features in Azure AD Connect dialog box.

    • If the Exchange hybrid deployment setting is not enabled, delegates may see a non-delivery report when they update meetings. For more information, see "550 5.1.11 RESOLVER.ADR.ExRecipNotFound" when delegate sends update to meeting after manager moved to Office 365 hybrid environment.