Mailbox Permissions Syntax

  • Question

  • Hi experts, I am using an Exchange hybrid environment.

    I want to give a cloud user full access to an Exchange on-prem mailbox. Which of the below two syntaxes should I use?

    Add-MailboxPermission -Identity "onpremuser@mydomain.com" -User "clouduser@mydomain.com" -AccessRights FullAccess -AutoMapping:$false
     or
    Add-MailboxPermission -Identity "onpremuser@mydomain.com" -User "clouduser@mydomain.com" -AccessRights FullAccess -InheritanceType All 

    Remove access
    Remove-MailboxPermission -Identity "onpremuser@mydomain.com" -User "clouduser@mydomain.com" -AccessRights FullAccess
    ==========================================================
    Please correct me 

    Full Access
    Add-MailboxPermission -Identity "onpremuser1@mydomain.com" -User "onpremuser2@mydomain.com" -AccessRights FullAccess -InheritanceType All 
    Add-MailboxPermission -Identity "clouduser1@mydomain.com" -User  "clouduser2@mydomain.com" -AccessRights FullAccess -InheritanceType All 

    Remove access
    Remove-MailboxPermission -Identity "onpremuser1@mydomain.com" -User "onpremuser2@mydomain.com" -AccessRights FullAccess
    Remove-MailboxPermission -Identity "clouduser1@mydomain.com" -User "clouduser2@mydomain.com" -AccessRights FullAccess
    ========================================================
    Help me with the below syntaxes
    Send As, Send On Behalf
    I want to give Send As and Send On Behalf permission to onpremuser2@mydomain.com on onpremuser1@mydomain.com
    Remove Send As and Send On Behalf syntax

      
    • Edited by Risingflight Saturday, December 29, 2018 2:00 PM g
    Saturday, December 29, 2018 1:58 PM

All replies

  • Hi,

    first off, you should NEVER grant SendAs and SendOnBehalf to the same user at the same time.

    Second, in Exchange we have AD permissions and Exchange permissions. Full Access and Send As are AD permissions so you grant them using

    Add-ADPermission -Identity "On-Prem User" -User "Cloud User" -AccessRights GenericAll
    Add-ADPermission -Identity "On-Prem User" -User "Cloud User" -AccessRights ExtendedRight -ExtendedRights "Send As"

    Send on Behalf is an Exchange permission which you grant by

    Set-Mailbox -Identity "On-Prem User" -GrantSendOnBehalfTo "Cloud User"

    To remove Send on Behalf for one user from a Mailbox where Send on Behalf has been granted to multiple users, use

    Set-Mailbox -Identity "On-Prem User" -GrantSendOnBehalfTo @{remove="Cloud User 1"}

    EDIT: And if any of the objects involved are true Cloud users (i.e. have not been synchronised to or from your on-prem AD) you'll have to use Add-RecipientPermission and Remove-RecipientPermission


    Evgenij Smirnov

    I work @ msg services ag, Berlin -> http://www.msg-services.de
    I blog (in German) @ http://it-pro-berlin.de
    my stuff in PSGallery --> https://www.powershellgallery.com/profiles/it-pro-berlin.de/
    Exchange User Group, Berlin -> https://exusg.de
    Windows Server User Group, Berlin -> http://www.winsvr-berlin.de
    Mark Minasi Technical Forum, reloaded -> http://newforum.minasi.com


    In theory, there is no difference between theory and practice. In practice, there is.


    Sunday, December 30, 2018 1:50 PM
  • Hi,

    The commands used for full access permission you provided in the first post are all correct. The InheritanceType parameter specifies how permissions are inherited by folders in the mailbox. The AutoMapping parameter specifies whether to enable or disable the auto-mapping feature in Microsoft Outlook. You can use the two parameters depending on your situation.

    As for adding SendAs and SendOnBehalf permission, you can use the commands Evgenij Smirnov proposed above. To remove SendAs and SendOnBehalf permission, you can use the following commands.

    Remove-ADPermission -Identity onpremuser1@mydomain.com -User onpremuser2@mydomain.com -ExtendedRights "Send As"
    Set-Mailbox onpremuser1@mydomain.com -GrantSendOnBehalfTo @{remove="onpremuser2@mydomain.com"}

    Hope this helps.

    Regards,

    Dawn Zhou


    • Proposed as answer by Dawn Zhou Wednesday, January 2, 2019 6:51 AM
    • Marked as answer by Risingflight Thursday, January 17, 2019 5:43 PM
    Monday, December 31, 2018 7:54 AM
  • The syntaxes below should work for Exchange on-prem and online; please correct me if I am wrong.

    Add-MailboxPermission -Identity "onpremuser@mydomain.com" -User "clouduser@mydomain.com" -AccessRights FullAccess -InheritanceType All 
    Add-MailboxPermission -Identity "clouduser@mydomain.com" -User "onpremuser@mydomain.com" -AccessRights FullAccess -InheritanceType All 

    Remove-MailboxPermission -Identity "onpremuser@mydomain.com" -User "clouduser@mydomain.com" -AccessRights FullAccess
    Remove-MailboxPermission -Identity "clouduser@mydomain.com" -User "onpremuser@mydomain.com" -AccessRights FullAccess
    =========================================================
    Add-ADPermission -Identity "onpremuser@mydomain.com" -User "clouduser@mydomain.com" -AccessRights ExtendedRight -ExtendedRights "Send As"
    Add-ADPermission -Identity "clouduser@mydomain.com" -User "onpremuser@mydomain.com" -AccessRights ExtendedRight -ExtendedRights "Send As"

    Remove-ADPermission -Identity "onpremuser@mydomain.com" -User "clouduser@mydomain.com" -ExtendedRights "Send As"
    Remove-ADPermission -Identity "clouduser@mydomain.com" -User "onpremuser@mydomain.com" -ExtendedRights "Send As"
    ====================================================
    Set-Mailbox -Identity "onpremuser@mydomain.com" -GrantSendOnBehalfTo "clouduser@mydomain.com"
    Set-Mailbox -Identity "clouduser@mydomain.com" -GrantSendOnBehalfTo "onpremuser@mydomain.com"

    Set-Mailbox -Identity "onpremuser@mydomain.com" -GrantSendOnBehalfTo @{remove="clouduser@mydomain.com"}
    Set-Mailbox -Identity "clouduser@mydomain.com" -GrantSendOnBehalfTo @{remove="onpremuser@mydomain.com"}



    • Edited by Risingflight Wednesday, January 2, 2019 5:27 AM f
    Tuesday, January 1, 2019 4:08 AM
  • Hi,

    If you want to grant SendAs permission for cloud users, you should use the Add-RecipientPermission and Remove-RecipientPermission cmdlets.

    Add-RecipientPermission "<mailbox address>" -AccessRights SendAs -Trustee "<username>"
    Remove-RecipientPermission "<mailbox address>" -AccessRights SendAs -Trustee "<username>"

    The rest of the commands are correct.

    Regards,

    Dawn Zhou


    • Marked as answer by Risingflight Thursday, January 17, 2019 5:43 PM
    Wednesday, January 2, 2019 6:51 AM
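
Added example, not part of the thread or of any poster's reply: a read-only report for checking the result of the grants and removals discussed above, which also lists any delegate that holds both Send As and Send on Behalf on the same mailbox. It assumes the on-premises Exchange Management Shell and a single AD domain; `Get-MailboxDelegationReport` is a hypothetical helper name.

```powershell
# Added example; assumes the on-premises Exchange Management Shell and a single AD domain.
function Get-MailboxDelegationReport {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx  = Get-Mailbox -Identity $Identity
    $self = 'NT AUTHORITY\SELF'   # the owner's own entry, not a delegation

    # FullAccess: explicit allow entries on the mailbox.
    $fullAccess = @(Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       "$($_.User)" -ne $self -and
                       ($_.AccessRights -like '*FullAccess*') } |
        ForEach-Object { "$($_.User)" })

    # Send As: explicit allow entries for the Send-As extended right on the AD object.
    $sendAs = @(Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       "$($_.User)" -ne $self -and
                       ($_.ExtendedRights -like '*Send-As*') } |
        ForEach-Object { "$($_.User)" })

    # Send on Behalf: stored on the mailbox; resolve each entry to a SamAccountName.
    $onBehalf = @(foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        $user = Get-User -Identity "$delegate" -ErrorAction SilentlyContinue
        if ($user) { $user.SamAccountName } else { "$delegate" }   # groups stay as-is
    })

    # Delegates holding both rights, compared on the account name after DOMAIN\.
    $sendAsNames = @($sendAs | ForEach-Object { ($_ -split '\\')[-1] })
    $both = @($onBehalf | Where-Object { $sendAsNames -contains $_ })

    [pscustomobject]@{
        Mailbox           = $mbx.PrimarySmtpAddress
        FullAccess        = $fullAccess
        SendAs            = $sendAs
        SendOnBehalf      = $onBehalf
        SendAsAndOnBehalf = $both
    }
}

# Example call, using the mailbox name from the question:
# Get-MailboxDelegationReport -Identity 'onpremuser1@mydomain.com' | Format-List
```

For cloud-only objects, which the thread handles with Add-RecipientPermission and Remove-RecipientPermission, Get-RecipientPermission is the matching read-only cmdlet for Send As.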