Big News!
Microsoft is updating Azure Active Directory Connect (AAD Connect) to support cross-premises mailbox delegation.
What does this mean?
Typically, IT Administrators would have to batch their users together based on their delegate permissions. For example, an executive assistant who requires “Send on Behalf” permissions of their director will need to be migrated at the same time.
Organisations can now migrate a mailbox to Office 365 without the worry of batching them together and breaking delegate permissions such as Full Access, Send on Behalf and folder rights.
The required Exchange versions are listed below and whether you are required to make additional configurations.
- Exchange 2016: Enabled by default, no additional configuration required
- Exchange 2013 CU10 or later: Not enabled by default, additional configuration required
- Exchange 2010 Service Pack 3 RU: Manual configuration required
Configuration
EXCHANGE 2013:
First you will need to enable ACLable object synchronisation at the organisation level, to do so:
- Have Active Directory Connect (AAD Connect) version 1.1.553.0 or later. You can download the latest version from here.
- Run the following command.
Set-OrganizationConfig -ACLableSyncedObjectEnabled $True
Once this has been completed any mailboxes moved to Office 365 will retain its support for delegate permissions.
If you’ve already moved mailboxes to Office 365 before making this change, you’ll need to manually enable ACLs on those mailboxes using the steps in the Exchange 2010 section.
EXCHANGE 2010:
You will need to follow the steps below on any mailbox that you’ve previously moved to Office 365, and any mailbox being moved from Exchange 2010.
To enable ACLs on a single mailbox, run the following command.
Get-AdUser <Identity> | Set-AdObject -Replace @{msExchRecipientDisplayType=-1073741818}
To enable ACLs on all mailboxes moved to Office 365, run the following command.
Get-RemoteMailbox | ForEach {Get-AdUser -Identity $_.Guid | Set-ADObject -Replace @{msExchRecipientDisplayType=-1073741818}}
To verify that the mailboxes have been successfully update, run the following command.
Get-RemoteMailbox | ForEach { Get-AdUser -Identity $_.Guid -Properties msExchRecipientDisplayType | Format-Table -AutoSize DistinguishedName, msExchRecipientDisplayType}
For more information around delegate permissions in a hybrid environment, please read the “Overview of delegation in an Office 365 hybrid environment”
