Exchange Hybrid Cross-Premises Mailbox Permissions Demystified (Part 1)

If you would like to read the other parts in this article series please go to:

One of the most confusing or show stopping topics discussed with customers that are planning to establish an Exchange hybrid deployment or already have one established and got surprised by limitations they were not made aware of during the assessment and remediation phases of the respective project, is without question what is possible permission-wise between mailboxes located in Exchange Online and in the Exchange on-premises organization.

I have even had conversations with customers that were misinformed about the expected behavior. Also, we should not forget that both Exchange Online and the Outlook clients are improved in this area now and then. On top of this, we should factor in that a support statement from Microsoft does not necessarily match the behavior you see in your environment. In some situations (like this one), this includes supported scenarios that just have not been documented.

When it comes to cross-premises mailbox permissions in an Exchange hybrid deployment, there are several different statements and details to be found on both official Microsoft sites and non-official blogs and the like.

As mentioned, the confusion on this topic has a direct impact on some of the Exchange Online migration planning engagements with customers as the consultant or internal Exchange administrator usually trust any given information as long as it comes from an official Microsoft source, a popular and/or well-respected non-official blog, or other kind of source (meetings, conversations and email threads).

In this article, we will first take a look at what the official Microsoft sources state, and then we will go through this in my lab environment to see if the statements match the reality.

Okay so the first source we will look at is this Microsoft KB article that was published last year around the same time that Exchange 2013 CU10 was released. This KB article quickly circulated around the Internet as it talked about a new exciting “ACLableSyncedObjectEnabled” parameter that can be set to true on the organizational level (Set-OrganizationConfig). The KB article talks about fixing “Full Access”, “Send As” and “Delegates” permission issues cross Exchange online and Exchange on-premises. For standard multi-tenant customers, this sounds too good to be true though and it is. Said in another way, this new parameter only applies to Exchange Online vNext (formerly known as Dedicated) customers not MT customers. So unless you are a vNext customer, just forget about the existence of this specific KB article for now.

Then we have a piece of information in this article on the Office 365 Support site. Under the “If I Migrate mailboxes from Exchange to Exchange Online, will mailbox permissions be migrated over?”. As is mentioned, in a cut-over or staged Exchange migration scenario, folder permissions and delegate permissions of the on-premises mailbox are migrated to the mailbox that gets provisioned in Exchange Online. However, “Send As” or “full mailbox access” permissions will not be migrated. In addition, in an Exchange hybrid deployment, on-premises mailbox permissions such as “Send As”, “Receive As” and “Full Access” that are explicitly applied on the mailbox are migrated to Exchange Online. However, the migrated permissions only work if the target and delegate mailboxes are both in the cloud, because Outlook Web App (OWA) and Microsoft Outlook can’t access folders in cross-premises mailboxes.

While this is technically correct for MT customers, it misses some important details which brings us to the next official Microsoft source which is this TechNet site that states that on-premises mailbox permissions such as “Send As”, “Receive As”, and “Full Access” that are explicitly applied on the mailbox are migrated to Exchange Online. This matches the article on the Office 365 Support site, but it provides an additional very important detail which is that inherited (non-explicit) mailbox permissions and any permissions on non-mailbox objects like distribution lists or a mail-enabled user will not migrated. So if this matches your permission scenario, you have to plan for configuring these permissions in Exchange Online.

Okay are you following along so far? Good, then let’s go through the next statements on the TechNet site, which are about permissions between Exchange Online and Exchange on-premises.

When it comes to cross-premises mailbox permissions in an Exchange hybrid deployment model, the use of the “Full Access” mailbox permission between mailboxes located in an on-premises Exchange organization and mailboxes located in Exchange Online is supported. A mailbox on an on-premises Exchange server can be granted “Full Access” permissions to an Exchange Online mailbox, and vice versa. For example, an Exchange Online mailbox can be granted the “Full Access” permission to an on-premises shared mailbox.

Yes you heard that right. Depending on the client version and the specific Exchange hybrid deployment scenario, the end users can expect to receive an additional credential prompt first time,he accesses the mailbox object in the other Exchange organization when using the Outlook desktop client.

Still following along? Excellent. We only have one more statement to look at. Also located on the TechNet site. Although it’s supported to assign “Full Access” cross the organizations, use of “Send-As”, “Receive-As”, or “Send on behalf” of mailbox permissions in hybrid deployments between on-premises Exchange and Exchange Online organizations.

As mentioned earlier, these permissions are only available when both the mailbox granting the permissions, and the mailbox receiving the permissions, are in the same organization. Any mailboxes that receive these permissions from another mailbox need to be moved at the same time as that mailbox. If a mailbox receives permissions from multiple mailboxes, that mailbox, and all of the mailboxes granting permissions to it, need to be moved at the same time. In addition to these permissions, the Auto Mapping feature is also unsupported when used between mailboxes in the on-premises Exchange and Exchange Online.

Although it has been possible to access a mailbox cross-premises for quite a while, a lot of folks thought this was not possible since the TechNet article was updated with this information just recently. Most were of the impression that only free/busy and the calendar could be accessed.

I totally understand the confusion and misinterpretations that have circulated around the Internet, on mail threads and meetings (even between Microsoft folks), but hopefully this article will help clear things up.

This concludes part 1 of this article series. It’s one thing talking about what is supported and the expected behavior, another thing is seeing this work in a lab environment. So my plan with part 2 of this article series is to take you through setting and seeing these permissions in an on-premises environment and then move mailboxes back and forth between Exchange on-premises and Exchange Online to see how this affects the set permissions.

If you would like to read the other parts in this article series please go to:

About The Author

1 thought on “Exchange Hybrid Cross-Premises Mailbox Permissions Demystified (Part 1)”

  1. Thanks for this article. There seems to be a contradiction in the article that I cannot understand, which is causing further confusion as to whether permissions can be applied, and access to shared items is possible between 365 and On-Premise or not. This article attempts to clear it up but due to a contradiction further confuses the issue.

    This statement and paragraph “Any mailboxes that receive these permissions from another mailbox need to be moved at the same time as that mailbox”

    Contradict this one:

    “…it has been possible to access a mailbox cross-premises for quite a while…”

    Can you simply spell out in blatant english whether a user on-premise can open outlook and access shared folders of a user who is in Office 365 and vice-versa? Also use a use case example like Bob in Office 365 needs to share his calendar with Shelly who still has her mailbox on-premise, here is how that would or wouldn’t work…

    Thanks!

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top