Configure Exchange Hybrid mailbox permissions during migration to Exchange Online


This is a simplified guide covering everything you need to do to get hybrid mailbox permissions working when migrating to Exchange Online.

In order to configure your Exchange organisation to support these permissions, you need to follow the steps which are outlined here: https://docs.microsoft.com/en-us/exchange/hybrid-deployment/set-up-delegated-mailbox-permissions. The first thing you need to do is update to the latest CU, whichever version of Exchange on-premises you are running.

Preparation

The remaining steps required can then be summarised as follows:

Exchange version | Preparation                                           | Mailbox configuration
2013/2016        | Install the latest CU; set ACLableSyncedObjectEnabled | Set msExchRecipientDisplayType for any mailboxes migrated before ACLableSyncedObjectEnabled was set.
2010             | Install the latest CU                                 | Set msExchRecipientDisplayType for every mailbox, before and after migration.

1. Update your on-premises Exchange servers to the latest CU (2010/2013/2016).

This is a requirement for Exchange hybrid anyway, and will make the next steps easier.

2. Enable object synchronization at organization level (Exchange 2013/2016 only)

Unless you are on Exchange 2010, run the following using Exchange PowerShell on-premises:

get-OrganizationConfig | Select-Object ACLableSyncedObjectEnabled

If this is not set to true, enable it:

Set-OrganizationConfig -ACLableSyncedObjectEnabled $True

3. Enable ACLs on remote mailboxes.

Make sure you have enabled ACLable object synchronization at the organization level as above.

Enabling ACLs will depend on which version of Exchange you are running. If you are running the latest CU of 2013 or 2016, you just need to do this once for any mailboxes moved before you enabled ACLableSyncedObjectEnabled in your Organization.

If you are running Exchange 2010, you will need to do this every time you migrate a mailbox to Exchange Online, so incorporate this into your migration scripts.

So, run this once to stamp every remote mailbox that has already been moved (Get-RemoteMailbox returns only 1000 objects by default, hence -ResultSize Unlimited):

Get-RemoteMailbox -ResultSize Unlimited | ForEach {Get-AdUser -Identity $_.Guid | Set-ADObject -Replace @{msExchRecipientDisplayType=-1073741818}}

Or for individual mailboxes as they move (make sure they have been migrated):

Get-AdUser <Identity> | Set-AdObject -Replace @{msExchRecipientDisplayType=-1073741818}

Note: There are 2 possible values listed to make a mailbox ACLable:
ACLableSyncedMailboxUser: -1073741818
ACLableSyncedRemoteMailUser: -1073740282

I suspect that -1073740282 will also work but have not tested this. -1073741818 is the value that is set automatically once you have enabled ACLableSyncedObjectEnabled for the organization, therefore this is the one you should use.

Note that you can check the setting for all migrated mailboxes like this:

$arrUser = @()
$arrUser += Get-RemoteMailbox -ResultSize Unlimited | ForEach { Get-AdUser -Identity $_.Guid -Properties msExchRecipientDisplayType }
$arrUser | Format-Table -AutoSize Name,msExchRecipientDisplayType #All users
$arrUser | Where-Object {$_.msExchRecipientDisplayType -ne -1073741818} | Format-Table -AutoSize Name,msExchRecipientDisplayType #Just the users with the wrong value
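The three steps above, pulled together into one reusable function you can call once after enabling the organisation setting (2013/2016) or after every move (2010). This is an added example and not code from the original post: it assumes an on-premises Exchange Management Shell with the ActiveDirectory module available, and the function name is hypothetical. It only touches objects whose RemoteRecipientType carries the Migrated flag (set when a move request completes), skips objects that already hold the right value, and supports -WhatIf so the AD write can be rehearsed first.

```powershell
# Added example, not from the original post. Assumes an on-premises Exchange
# Management Shell with the ActiveDirectory module, and that
# ACLableSyncedObjectEnabled has already been enabled (2013/2016) as in step 2.
# The function name is hypothetical.
Import-Module ActiveDirectory

# Value Exchange itself writes once ACLableSyncedObjectEnabled is on
# (ACLableSyncedMailboxUser). The other documented value, -1073740282
# (ACLableSyncedRemoteMailUser), is deliberately not used here.
$script:AclableSyncedMailboxUser = -1073741818

function Set-AclableRemoteMailbox {
    <#
    Stamps msExchRecipientDisplayType on remote mailbox objects so that
    permissions granted to or from them keep working after the move.
    - -Identity: a single migrated user (Exchange 2010: call after every move).
    - -All: every remote mailbox, to fix objects moved before the org setting.
    Objects not yet marked Migrated are skipped, as are objects that already
    carry the right value. Supports -WhatIf and -Verbose.
    #>
    [CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = 'Single')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Single', ValueFromPipeline)]
        [string] $Identity,
        [Parameter(Mandatory, ParameterSetName = 'All')]
        [switch] $All
    )

    process {
        $remote = if ($All) { Get-RemoteMailbox -ResultSize Unlimited }
                  else      { Get-RemoteMailbox -Identity $Identity }

        foreach ($rm in $remote) {
            # RemoteRecipientType gains the Migrated flag when a move request
            # completes. A remote mailbox provisioned directly in the cloud
            # (ProvisionMailbox only) was never a mailbox on-premises, so leave it.
            if ($rm.RemoteRecipientType -notmatch 'Migrated') {
                Write-Verbose "$($rm.Name): not migrated ($($rm.RemoteRecipientType)), skipping"
                continue
            }

            # Guid on the recipient object is the AD objectGUID.
            $ad = Get-ADUser -Identity $rm.Guid.ToString() -Properties msExchRecipientDisplayType
            if ($ad.msExchRecipientDisplayType -eq $script:AclableSyncedMailboxUser) {
                Write-Verbose "$($rm.Name): already ACLable"
                continue
            }

            if ($PSCmdlet.ShouldProcess($rm.Name, "set msExchRecipientDisplayType=$script:AclableSyncedMailboxUser")) {
                Set-ADObject -Identity $ad.DistinguishedName -Replace @{ msExchRecipientDisplayType = $script:AclableSyncedMailboxUser }
                [pscustomobject]@{
                    Name     = $rm.Name
                    Previous = $ad.msExchRecipientDisplayType
                    Current  = $script:AclableSyncedMailboxUser
                }
            }
        }
    }
}

# Usage (identities are hypothetical):
#   Set-AclableRemoteMailbox -All -WhatIf          # dry run over every migrated mailbox
#   Set-AclableRemoteMailbox -All -Verbose         # one-off fix after enabling the org setting (2013/2016)
#   Set-AclableRemoteMailbox -Identity 'user-23'   # per mailbox, after each move (2010)
```

Run it with -WhatIf first: Set-ADObject is a direct write to AD with whatever rights your shell holds, so the dry run is the check that the filter is selecting only the objects you expect.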

Free/Busy

This should work between migrated and non-migrated users, as long as the autodiscover record points to the on-premises hybrid URL. It is configured during hybrid setup.

Configure permissions

Permissions can be configured for all scenarios, and will work in both directions.

There are however some limitations:

  • Full Access: A mailbox on an on-premises Exchange server can be granted the Full Access permission to an Office 365 mailbox, and vice versa. Automapping is not supported across premises.
  • Send on Behalf of: A mailbox on an on-premises Exchange server can be granted the Send on Behalf of permission to an Office 365 mailbox, and vice versa (note from Exchange Online to on-premises requires Exchange attributes written back).
  • Send-As: Not supported, but if you add the send-as permission manually in both environments, Send-As will work in most of the scenarios.
  • Individual folder permissions are not supported.

For migration purposes, the only permission that is not carried through migration is Send-As held by a migrated user on an on-premises mailbox. Because Send-As is an AD permission on-premises, it can be granted before either mailbox is migrated. See line four in the spreadsheet: on the Exchange Online side it is granted with e.g. Add-RecipientPermission -Identity "O365 Onprem-23" -Trustee cloud-23 -AccessRights SendAs.

All other permissions e.g. Delegate, Full Access, Send On Behalf of, will work without any further configuration.
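The rules above (mailbox-level rights are set wherever the mailbox lives; Send-As has to be granted in both environments) as one function, plus a check that the double Send-As grant is actually in place. This is an added example, not the post's or Microsoft's code. It assumes an on-premises Exchange Management Shell (unprefixed cmdlets) and an Exchange Online session opened in the same window with Connect-ExchangeOnline -Prefix Cloud, so the cloud cmdlets appear as Add-CloudMailboxPermission and so on; the function names and the mailbox/trustee identities are hypothetical.

```powershell
# Added example, not from the original post. Assumes:
#  - an on-premises Exchange Management Shell (unprefixed cmdlets), and
#  - an Exchange Online session opened with  Connect-ExchangeOnline -Prefix Cloud
#    so the cloud cmdlets are Add-CloudMailboxPermission, Add-CloudRecipientPermission, etc.
# Function names and the identities in the usage lines are hypothetical.

function Grant-HybridPermission {
    <#
    Grants FullAccess, SendOnBehalf or SendAs from $Trustee to $Mailbox in a
    hybrid organisation. Mailbox-level rights are set in the environment that
    hosts the mailbox; Send-As is granted on both sides (the workaround above).
    Supports -WhatIf.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $Trustee,
        [Parameter(Mandatory)] [ValidateSet('FullAccess', 'SendOnBehalf', 'SendAs')]
        [string] $Permission
    )

    # The on-premises GAL holds every recipient, so it tells us where the mailbox
    # lives: RemoteUserMailbox / RemoteSharedMailbox etc. means it is in Exchange Online.
    $recipient = Get-Recipient -Identity $Mailbox -ErrorAction Stop
    $inCloud = $recipient.RecipientTypeDetails -like 'Remote*'
    $where = if ($inCloud) { 'Exchange Online' } else { 'on-premises' }

    switch ($Permission) {
        'FullAccess' {
            # Mailbox ACL: set where the mailbox is. Automapping is turned off
            # because it is not supported across premises.
            if ($PSCmdlet.ShouldProcess("$Mailbox ($where)", "FullAccess for $Trustee")) {
                if ($inCloud) {
                    Add-CloudMailboxPermission -Identity $Mailbox -User $Trustee -AccessRights FullAccess -AutoMapping $false | Out-Null
                } else {
                    Add-MailboxPermission -Identity $Mailbox -User $Trustee -AccessRights FullAccess -AutoMapping $false | Out-Null
                }
            }
        }
        'SendOnBehalf' {
            # Stored on the mailbox object (publicDelegates): set where the mailbox is.
            # One direction depends on hybrid writeback of that attribute (see the note above).
            if ($PSCmdlet.ShouldProcess("$Mailbox ($where)", "SendOnBehalf for $Trustee")) {
                if ($inCloud) { Set-CloudMailbox -Identity $Mailbox -GrantSendOnBehalfTo @{ Add = $Trustee } }
                else          { Set-Mailbox      -Identity $Mailbox -GrantSendOnBehalfTo @{ Add = $Trustee } }
            }
        }
        'SendAs' {
            # Send-As is an AD extended right on-premises and a recipient permission
            # in Exchange Online; neither is synchronised to the other side, so grant
            # both so the right holds wherever either mailbox ends up.
            if ($PSCmdlet.ShouldProcess("$Mailbox (both environments)", "SendAs for $Trustee")) {
                Add-ADPermission -Identity $recipient.DistinguishedName -User $Trustee -ExtendedRights 'Send-As' | Out-Null
                Add-CloudRecipientPermission -Identity $Mailbox -Trustee $Trustee -AccessRights SendAs -Confirm:$false | Out-Null
            }
        }
    }
}

function Test-HybridSendAs {
    # Reports whether Send-As for $Trustee is present on each side of the hybrid.
    param([Parameter(Mandatory)] [string] $Mailbox, [Parameter(Mandatory)] [string] $Trustee)

    $dn = (Get-Recipient -Identity $Mailbox -ErrorAction Stop).DistinguishedName
    $onPrem = Get-ADPermission -Identity $dn -User $Trustee |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Send-As*') }
    $cloud = Get-CloudRecipientPermission -Identity $Mailbox -Trustee $Trustee -AccessRights SendAs

    [pscustomobject]@{
        Mailbox        = $Mailbox
        Trustee        = $Trustee
        OnPremises     = [bool]$onPrem
        ExchangeOnline = [bool]$cloud
    }
}

# Usage (identities are hypothetical):
#   Grant-HybridPermission -Mailbox 'onprem-23' -Trustee 'cloud-23' -Permission SendAs -WhatIf
#   Grant-HybridPermission -Mailbox 'onprem-23' -Trustee 'cloud-23' -Permission SendAs
#   Test-HybridSendAs      -Mailbox 'onprem-23' -Trustee 'cloud-23'
```

Test-HybridSendAs is the check worth keeping in your migration scripts: a Send-As that shows as present on one side only is exactly the case the post says does not survive the move.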

The Exchange Online Hybrid permissions cheatsheet

The following spreadsheet shows how to set permissions if required. Almost all permissions are carried across during migration, so these steps are mostly only needed when new permissions have to be granted while the migration is in progress.

I recommend performing these tests yourself using completely separate accounts for each test, in order to avoid confusion over which permissions are required. Use the following spreadsheet as a guide. There is a hybrid sheet, as well as an online one for when all users are online.

Exchange Hybrid Permissions Cheatsheet

Posted in Exchange Online, Office 365


10 Comments

  1. Bruno Martins

    This is definitely the best blog post on this matter. I am just writing to note that, in my case, auto-mapping is working just fine.

    Thanks!
