
Testing cross site permissions in Exchange Hybrid based environment | Part 2#5

As mentioned in the previous article, Exchange permission relationships in an Exchange Hybrid environment come up in two major scenarios:

  • Scenario 1 – Cross site permission
    • The Exchange permissions that an Exchange on-Premises mailbox can have on a cloud mailbox, and vice versa.
  • Scenario 2 – Mailbox migration
    • A scenario in which we migrate an Exchange on-Premises mailbox to the cloud, and vice versa.

The current article is dedicated to scenario 1: we will review and verify the specific Exchange permissions that are considered “cross site permissions.”

The formal information about “cross site permissions” in the Exchange Hybrid environment

In the following quotation, we can see the information about the “cross site permissions” in Exchange Hybrid that is published by Microsoft:

Support for cross-premises mailbox permissions
Exchange hybrid deployments support the use of the Full Access mailbox permission between mailboxes located in an on-premises Exchange organization and mailboxes located in Office 365.
A mailbox on an on-premises Exchange server can be granted the Full Access permission to an Office 365 mailbox, and vice versa.
For example, an Office 365 mailbox can be given the Full Access permission to an on-premises shared mailbox.
We don’t, however, support the use of the Send-As, Receive-As, or Send on behalf of mailbox permissions in hybrid deployments between on-premises Exchange and Office 365 organizations.

[Source of information – Exchange Server Hybrid Deployments]

The information in the article tells us that:

1. We can define the Full Access permission between mailboxes that are located in the Exchange on-Premises environment and mailboxes in the Exchange Online environment.

2. Cross site permissions in an Exchange Hybrid environment don’t support the Send As and Send on behalf Exchange permissions.

The information in the article doesn’t relate to the following scenarios:

1. Cross site permissions and calendar sharing

There is no clear statement about “cross site permissions” and calendar sharing (calendar sharing is implemented by using Exchange Folder permission).

2. Assigning permissions to a security group

There is no clear statement about the ability to assign a permission such as Full Access to a security group.

3. Delegated permissions

Delegated permissions can be considered as a combination of Folder permission and Send on behalf permission. The article says that Send on behalf permission is not supported, but it is not clear if there is an option to use delegation between Exchange on-Premises mailbox and cloud mailbox (and vice versa).

The available permissions in Exchange Hybrid based environment -01

Our scenario description

To get clearer answers for the “missing parts” of information regarding the supported cross site permissions, we will use the following scenario:

  • An organization named o365info.com that uses an Exchange Hybrid based environment.
  • Alice is the personal assistant of Bob.
  • Bob’s mailbox is located in the cloud (Exchange Online) and Alice’s mailbox is hosted by the Exchange on-Premises server.

The relationship between Exchange on-Premises recipient and cloud recipient

We would like to assign Alice various types of Exchange permissions, so she will be able to access Bob’s mailbox.

In the following section, we will test different types of possible Exchange permissions in which Bob will “allow” Alice to have specific permission to his mailbox.

Testing the available cross site permission in Exchange Hybrid environment

Trying to assign delegation permissions in Exchange Hybrid environment

In the next section, we will try to check if the cross site permissions in Exchange Hybrid environment support Delegation permissions.

Bob tries to define Alice as his delegate.

The delegation is implemented by using the File menu ==> Account Settings… ==> Delegate Access ==> Add…

Exchange Hybrid Cross site permissions – delegate permissions -01

In the following screenshot, we can see the list of the Exchange recipients.

Technically speaking, when we use the GAL (recipient list) to address new mail, the recipient list doesn’t enable us to differentiate between Exchange on-Premises recipients and “cloud recipients.” In other words, Bob doesn’t know whether Alice’s mailbox is located on the Exchange on-Premises server or in Exchange Online.

In the current scenario, Bob uses the recipient list for finding and selecting Alice’s name.

Notice an interesting thing: when we look over the recipient list, we can see that on the left side of some of the recipients’ names there is a red circle icon.

The meaning of this icon is that we cannot assign the required permissions to a recipient who has this red circle icon.

Exchange Hybrid Cross site permissions – delegate permissions -02

If Bob tries to add Alice’s name as a delegate, the following error appears:

The user Alice Caamano cannot be added. Non-local users cannot be given rights on this server

Exchange Hybrid Cross site permissions – delegate permissions -03

The conclusion

A cloud recipient cannot define an Exchange on-Premises recipient as his delegate.

Trying to share calendar (Folder permissions) in the Exchange Hybrid environment

In the following section, we will try to check if we can assign Folder permission in Exchange Hybrid environment.

In our scenario, Bob tries to share his calendar (Folder permission) with Alice.

To share the calendar, we will choose the calendar permissions icon and click on the Add button.

Exchange Hybrid Cross site permissions – calendar sharing folder permissions -01

Very similar to the previous scenario, we can see that on the left side of some of the recipients’ names there is a red circle icon.

Exchange Hybrid Cross site permissions – calendar sharing folder permissions -02

If Bob tries to add Alice’s name as a delegate, the following error appears:

“The user Alice Caamano cannot be added. Non-local users cannot be given rights on this server”

Exchange Hybrid Cross site permissions – calendar sharing folder permissions -03

The conclusion

A cloud recipient cannot share his calendar with an Exchange on-Premises recipient.

Trying to assign Send As permissions in Exchange Hybrid environment

In the following section, we will try to check if we can assign Send As permission in Exchange Hybrid environment.

In our scenario, we will assign to Alice (Exchange on-Premises recipient) the Send As permission on Bob’s mailbox that is hosted at Exchange Online.

In an Exchange environment, the recipient cannot assign the Send As permission by himself. The Send As permission can be assigned by an Exchange administrator.
We will log into the Exchange Online management and assign the Send As permission.

In the following screenshot, we can see that we assign the Send As permission to Alice on Bob’s mailbox.

Exchange Hybrid Cross site permissions – Send As permissions -01

In the next phase, Alice will try to send an E-mail using Bob’s E-mail address. We can see that Alice has added the “From” option to the E-mail, and she uses Bob’s E-mail address.

Exchange Hybrid Cross site permissions – Send As permissions -02

When Alice tries to send the E-mail message, the following error message appears: “You do not have the permissions to send the message on behalf of the specific user”

Exchange Hybrid Cross site permissions – Send As permissions -03

The conclusion

An Exchange on-Premises recipient cannot have Send As permission on a cloud mailbox.

Trying to assign Full access permissions in Exchange Hybrid environment

In the following section, we will try to check if we can assign Full Access permission in Exchange Hybrid environment.

In our scenario, we will assign to Alice (Exchange on-Premises recipient) the Full Access permission on Bob’s mailbox that is hosted at Exchange Online.

In the following screenshot, we can see that we assign the Full Access permission to Alice on Bob’s mailbox.

Exchange Hybrid Cross site permissions – Full Access permissions -01

By default, when we assign Full Access permission, the option of Auto Mapping is activated automatically.

The purpose of the Auto Mapping feature is to automatically add the mailbox on which the recipient has Full Access permission to his Outlook mail profile.

When using the Full Access permission in a cross site permissions scenario, the Auto Mapping option is not available.

In other words, the user will need to manually add the mailbox on which he has Full Access permission to his Outlook mail profile.

In the following screenshot, we can see that Alice will need to add Bob’s mailbox manually to her Outlook mail profile.

Exchange Hybrid Cross site permissions – Full Access permissions -02

A credentials window appears; Alice will need to provide her credentials.

In our particular scenario, Alice provides her On-Premise Active Directory credentials.

Note – in a “standard Full Access permission scenario” the recipient who has the Full Access permission doesn’t have to provide his credentials. The need to provide credentials arises only in a cross site permissions scenario.

Exchange Hybrid Cross site permissions – Full Access permissions -03

In the following screenshot, we can see that Bob’s mailbox appears in Alice’s Outlook profile.

Exchange Hybrid Cross site permissions – Full Access permissions -04

The conclusion

An Exchange on-Premises recipient can have Full Access permission on a cloud mailbox.

Trying to assign Full access permissions to a security group in an Exchange Hybrid environment

In the following section, we will try to check if we can assign Full Access permission in Exchange Hybrid environment to a security group or, to be more accurate, to a mail-enabled security group.

The security group will include Exchange on-Premises recipients.

The purpose is to verify whether we can use inherited (non-explicit) mailbox permissions. That is, we assign permissions to a group instead of to a particular recipient, and verify whether the Exchange on-Premises recipients that are members of this group can use the permissions that they “inherit” from the security group.

To be able to check this scenario, we will make the following preparations:

  • We will create an On-Premise Active Directory mail-enabled security group named On-Prem security.
  • We will add an Exchange on-Premises recipient (Alice) as a member of this group.
  • We will assign the On-Prem security group Full Access permission to an Exchange Online mailbox (Anthony).
  • We will check if the Exchange on-Premises recipient (Alice) can add the Exchange Online mailbox to her Outlook mail profile.

Step 1 – we use Exchange on-Premises management for creating a mail-enabled security group

Exchange Hybrid Cross site permissions – Full Access permissions – security group -01

Step 2 – we add Alice (Exchange on-Premises recipient) to the mail-enabled security group as a member.

Exchange Hybrid Cross site permissions – Full Access permissions – security group -02

Step 3 – we use the Exchange Online management interface for assigning the mail-enabled security group (On-Prem security) Full Access permission to Anthony’s mailbox.

Exchange Hybrid Cross site permissions – Full Access permissions – security group -03

Step 4 – we manually try to add “Anthony mailbox” to Alice’s Outlook mail profile. As mentioned, in an Exchange Hybrid environment the Exchange feature AutoMap is not supported, and for this reason we will need to add the mailbox manually.

Exchange Hybrid Cross site permissions – Full Access permissions – security group -04

In the following screenshot, we can see that the mailbox was successfully added to Alice’s Outlook mail profile.

Exchange Hybrid Cross site permissions – Full Access permissions – security group -05

The conclusion

We can assign Full Access permission on a cloud mailbox to a mail-enabled security group that includes an Exchange on-Premises recipient.
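
Because Full Access works across sites both for a single recipient and through a mail-enabled security group, it is worth being able to list who effectively holds it on a cloud mailbox. The following is an added example, not part of the original article: it assumes an Exchange Online PowerShell session is already connected, and the function name and mailbox address are placeholders.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# Get-CrossPremisesFullAccess is a hypothetical helper name, not a built-in cmdlet.
function Get-CrossPremisesFullAccess {
    param(
        [Parameter(Mandatory)] [string] $Mailbox   # cloud mailbox to audit
    )

    # Explicit Full Access entries only: skip inherited and deny entries
    # and the built-in NT AUTHORITY\SELF entry of the mailbox owner.
    $entries = Get-MailboxPermission -Identity $Mailbox |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\*'
        }

    foreach ($entry in $entries) {
        $trustee = Get-Recipient -Identity $entry.User -ErrorAction SilentlyContinue
        if (-not $trustee) { continue }   # trustee is not a mail recipient

        if ($trustee.RecipientTypeDetails -like '*Group*') {
            # Group grant: every member receives the access through the group
            $members = Get-DistributionGroupMember -Identity $trustee.PrimarySmtpAddress -ResultSize Unlimited
        } else {
            $members = @($trustee)
        }

        foreach ($m in $members) {
            [pscustomobject]@{
                Mailbox       = $Mailbox
                GrantedTo     = $trustee.DisplayName
                EffectiveUser = $m.DisplayName
                # An on-premises mailbox typically appears in Exchange Online as a MailUser
                OnPremises    = ($m.RecipientTypeDetails -eq 'MailUser')
            }
        }
    }
}

# Placeholder address for the cloud mailbox used in the scenario
Get-CrossPremisesFullAccess -Mailbox 'anthony@o365info.com' | Format-Table -AutoSize
```

Rows where GrantedTo differs from EffectiveUser are grants that reach a user through group membership, so changes to that group's membership change who can open the mailbox.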

Recap and conclusion

In the following table, we can see the summary of the results of the tests that were performed.

  • We can see that Full Access permission is supported and operates properly when we assign the permission to a specific recipient or to a mail-enabled security group.
  • As written in the article, Send As permission and Send on behalf permission are not supported as part of the cross site permissions.

The additional parts that were not mentioned in the formal Microsoft articles are:

  • Delegated permission – this type of permission is not supported as part of the cross site permissions.
  • Folder permission (calendar sharing) – this permission is not supported as part of the cross site permissions.

The available permissions in Exchange Hybrid based environment -02

The next article in the current series

Migrated permissions of migrated mailboxes in Exchange Hybrid based environment – Introduction | Part 3#5

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
