Hybrid: Cross-Premises Delegation

Big News!

Microsoft is updating Azure Active Directory Connect (AAD Connect) to support cross-premises mailbox delegation.

What does this mean?

Typically, IT administrators have had to batch their users together based on their delegate permissions. For example, an executive assistant who requires “Send on Behalf” permissions for their director had to be migrated at the same time as the director.

Organisations can now migrate a mailbox to Office 365 without the worry of batching them together and breaking delegate permissions such as Full Access, Send on Behalf and folder rights.

The required Exchange versions are listed below, along with whether additional configuration is required.

  • Exchange 2016: Enabled by default, no additional configuration required
  • Exchange 2013 CU10 or later: Not enabled by default, additional configuration required
  • Exchange 2010 Service Pack 3 RU: Manual configuration required



First, you will need to enable ACLable object synchronisation at the organization level. To do so:

  1. Have Active Directory Connect (AAD Connect) version 1.1.553.0 or later. You can download the latest version from here.
  2. Run the following command.

Set-OrganizationConfig -ACLableSyncedObjectEnabled $True

Once this has been completed, any mailbox moved to Office 365 will retain its support for delegate permissions.

If you’ve already moved mailboxes to Office 365 before making this change, you’ll need to manually enable ACLs on those mailboxes using the steps in the Exchange 2010 section.


You will need to follow the steps below on any mailbox that you’ve previously moved to Office 365, and any mailbox being moved from Exchange 2010.

To enable ACLs on a single mailbox, run the following command.

Get-AdUser <Identity> | Set-AdObject -Replace @{msExchRecipientDisplayType=-1073741818}

To enable ACLs on all mailboxes moved to Office 365, run the following command.


Get-RemoteMailbox | ForEach {Get-AdUser -Identity $_.Guid | Set-ADObject -Replace @{msExchRecipientDisplayType=-1073741818}}

To verify that the mailboxes have been successfully updated, run the following command.

Get-RemoteMailbox | ForEach { Get-AdUser -Identity $_.Guid -Properties msExchRecipientDisplayType | Format-Table -AutoSize DistinguishedName, msExchRecipientDisplayType}
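The bulk update and verification above write to every remote mailbox's AD object, so it helps to snapshot the current values first and change only the objects that differ. The following is an added example, not part of the original post; the CSV path and variable names are assumptions, and it assumes a session with both the Exchange Management Shell and the ActiveDirectory module loaded.

```powershell
# Added example: snapshot, then update only mailboxes that still need the change.
# Assumes Get-RemoteMailbox (Exchange Management Shell) and the
# ActiveDirectory module (Get-ADUser, Set-ADObject) are both available.
Import-Module ActiveDirectory

$AclableValue = -1073741818                          # value used in the commands above
$SnapshotPath = '.\RecipientDisplayType-before.csv'  # hypothetical path

# 1. Record the current value for every remote mailbox (rollback reference).
$current = Get-RemoteMailbox -ResultSize Unlimited | ForEach-Object {
    Get-ADUser -Identity $_.Guid -Properties msExchRecipientDisplayType |
        Select-Object DistinguishedName, ObjectGUID, msExchRecipientDisplayType
}
$current | Export-Csv -Path $SnapshotPath -NoTypeInformation

# 2. Work out which objects actually differ from the target value.
#    Objects with no value set are included, since $null -ne the target.
$pending = @($current | Where-Object { $_.msExchRecipientDisplayType -ne $AclableValue })
Write-Host ("{0} of {1} remote mailboxes need updating" -f $pending.Count, @($current).Count)

# 3. Preview the writes. Remove -WhatIf once the pending list has been reviewed.
foreach ($user in $pending) {
    Set-ADObject -Identity $user.ObjectGUID `
        -Replace @{ msExchRecipientDisplayType = $AclableValue } -WhatIf
}

# 4. Re-read the changed objects and list any that still do not match.
#    While -WhatIf is in place, this lists every pending object.
$pending | ForEach-Object {
    Get-ADUser -Identity $_.ObjectGUID -Properties msExchRecipientDisplayType
} | Where-Object { $_.msExchRecipientDisplayType -ne $AclableValue } |
    Format-Table -AutoSize DistinguishedName, msExchRecipientDisplayType
```

Keep the CSV with the change record: it is the only copy of the previous attribute values if the update has to be reverted.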

For more information on delegate permissions in a hybrid environment, please read “Overview of delegation in an Office 365 hybrid environment”.
