Demystifying Exchange Hybrid Mailbox Delegate Permissions

Office Apps
3 min read · Jun 24, 2021


Mailbox Delegate Permission Overview

In Microsoft Exchange, mailbox delegate permissions refer to any set of permissions that allow a user access to another mailbox. The delegate is granted access to the target mailbox, which can be either a “user” or a “resource” type mailbox (Ex. Shared mailbox or Room). The challenge with the mailbox delegate permission model is that the default behavior changes when an organization is in Exchange Hybrid mode and the source and target mailboxes are hosted cross platform (one mailbox on Exchange on-premises and one mailbox hosted in Exchange Online). This knowledge brief summarizes the available mailbox permissions and the limitations of these permissions when in Exchange Hybrid mode.

Mailbox Permissions

There are three mailbox permissions that could be applied to delegates:

· Full Access — Grants delegate full access to the target mailbox

· Send on Behalf — Allows delegate to Send on Behalf of the target mailbox where the email message header will show the delegate name

· Send As — Allows delegate to Send As the target mailbox and the email message looks like it was sent as the target mailbox

Note: These permissions are applied at the mailbox level and typically done by an administrator

Mailbox Folder Permissions

Mailbox users also have the ability to share certain source folders with delegates (Ex. Inbox or Calendar). This allows for more granular access to a mailbox (Ex. A user could grant a delegate “Editor” rights to the Calendar only).

Note: Folder permissions are typically granted by a user leveraging the Outlook client

Outlook Delegate Access

The Microsoft Outlook client has the capability of granting “Delegate Access”, which is effectively a superset of the permissions described above. Outlook delegate access refers to granting a delegate these permissions:

- Send on Behalf permissions

- Mailbox Folder permissions

- Meeting invite requests are sent to the delegate, who can respond on the mailbox owner's behalf

- Viewing Private Items — Allows a delegate to view Calendar items marked as Private

Outlook Automapping feature

Automapping is a feature of the Microsoft Outlook client where it can detect if a user has Full Access to a target mailbox and automatically add it to the existing Outlook profile without user intervention.

Mailbox Delegate Permission Limitations

While many of the mailbox permissions are documented by Microsoft as functioning in Exchange Hybrid mode, there are a number of technical caveats to be aware of.

The table below summarizes the limitations when an organization is in Exchange Hybrid mode, i.e. when a source and target delegated mailbox are hosted cross platform (one mailbox on Exchange on-premises and one mailbox hosted in Exchange Online).

Note: All of these limitations are removed as soon as the delegate mailboxes are hosted on the same platform.

Exchange Online Migration strategies

To help mitigate these Mailbox Delegate Permissions limitations during Exchange Online phased migrations, organizations should look to identify and migrate delegates together. The most common delegate pairings are:

- Executive / Administrative Assistants

- Shared Mailboxes / Shared Mailbox delegates

The process of identifying Exchange delegates and pairing them together is an arduous task. There are publicly available Exchange scripts that could list out delegates of mailboxes but that is only a starting point. The challenge is analyzing the relationship between delegates and drafting a migration plan around it. In larger organizations, the delegate permissions mapping becomes a large mesh where there is no clear beginning and/or end. (Ex. UserA has access to UserB mailbox / UserB has access to UserC / UserC has access to UserA). It becomes a delegate permissions loop.
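The script below is an added example, not code from the original article or from any published Microsoft script. It does two things the text describes: it collects the three mailbox-level permission types (Full Access, Send As, Send on Behalf) with the real Exchange Management Shell / Exchange Online PowerShell cmdlets, and it groups mailboxes into migration batches by treating delegate relationships as an undirected graph, so that a delegate loop (UserA → UserB → UserC → UserA) or an executive/assistant pair always lands in the same wave. Any pair that is already split across platforms is reported with the permission type involved. The `$SampleRecords` and `$SampleLocation` data are constructed so the analysis runs offline without an Exchange session; `Get-DelegateRecords` requires a connected session and is only shown as the source of such records.

```powershell
# Added example (not from the original article). Cmdlet names are real Exchange
# cmdlets; the sample data at the bottom is constructed for an offline run.

# Collect the three mailbox-level delegate permission types for a list of mailboxes.
# Requires a connected Exchange session; not called by the offline demo below.
function Get-DelegateRecords {
    param([string[]]$Mailboxes)
    foreach ($mbx in $Mailboxes) {
        # Full Access. This is the permission Outlook automapping keys off;
        # it is granted with Add-MailboxPermission (optionally -AutoMapping $false).
        Get-MailboxPermission -Identity $mbx |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $mbx; Delegate = "$($_.User)"; Permission = 'FullAccess' } }
        # Send As: Get-RecipientPermission in Exchange Online. On-premises Exchange
        # exposes it through Get-ADPermission with the Send-As extended right instead.
        Get-RecipientPermission -Identity $mbx |
            Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $mbx; Delegate = "$($_.Trustee)"; Permission = 'SendAs' } }
        # Send on Behalf is stored on the target mailbox object itself.
        foreach ($d in (Get-Mailbox -Identity $mbx).GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox = $mbx; Delegate = "$($d.Name)"; Permission = 'SendOnBehalf' }
        }
    }
}

# Group mailboxes into migration batches. Every connected component of the
# delegate graph must migrate in one wave, otherwise a cross-premise pair is created.
function Get-MigrationBatches {
    param(
        [object[]]$Records,     # objects with Mailbox, Delegate, Permission
        [hashtable]$Location    # name -> 'OnPrem' or 'EXO' (current hosting platform)
    )
    # Union-find over the undirected graph. A permissions loop (A -> B -> C -> A)
    # simply collapses into a single component.
    $parent = @{}
    foreach ($r in $Records) {
        foreach ($n in @($r.Mailbox, $r.Delegate)) {
            if (-not $parent.ContainsKey($n)) { $parent[$n] = $n }
        }
    }
    $find = {
        param($x)
        while ($parent[$x] -ne $x) { $x = $parent[$x] }
        $x
    }
    foreach ($r in $Records) {
        $a = & $find $r.Mailbox
        $b = & $find $r.Delegate
        if ($a -ne $b) { $parent[$a] = $b }
    }
    $batches = @{}
    foreach ($n in @($parent.Keys)) {
        $root = & $find $n
        if (-not $batches.ContainsKey($root)) { $batches[$root] = [System.Collections.Generic.List[string]]::new() }
        $batches[$root].Add($n)
    }
    foreach ($root in $batches.Keys) {
        $members = $batches[$root] | Sort-Object
        $edges   = $Records | Where-Object { $members -contains $_.Mailbox }
        # Pairs already hosted on different platforms: these are the ones hit by
        # the hybrid limitations today (notably Send As, per the article).
        $split   = $edges | Where-Object { $Location[$_.Mailbox] -ne $Location[$_.Delegate] }
        [pscustomobject]@{
            Members             = ($members -join ', ')
            Permissions         = (($edges.Permission | Sort-Object -Unique) -join ', ')
            AlreadyCrossPremise = (($split | ForEach-Object { "$($_.Delegate) -> $($_.Mailbox) [$($_.Permission)]" }) -join '; ')
        }
    }
}

# Constructed sample data (hypothetical mailbox names, not from any real tenant).
$SampleLocation = @{
    UserA = 'OnPrem'; UserB = 'OnPrem'; UserC = 'OnPrem'
    Exec1 = 'OnPrem'; Assistant1 = 'EXO'            # assistant migrated ahead of the exec
    SalesShared = 'OnPrem'; Sales1 = 'OnPrem'; Sales2 = 'OnPrem'
    Solo1 = 'OnPrem'; Solo2 = 'OnPrem'
}
$SampleRecords = @(
    [pscustomobject]@{ Mailbox = 'UserB'; Delegate = 'UserA'; Permission = 'FullAccess' }   # the article's loop
    [pscustomobject]@{ Mailbox = 'UserC'; Delegate = 'UserB'; Permission = 'FullAccess' }
    [pscustomobject]@{ Mailbox = 'UserA'; Delegate = 'UserC'; Permission = 'FullAccess' }
    [pscustomobject]@{ Mailbox = 'Exec1'; Delegate = 'Assistant1'; Permission = 'SendOnBehalf' }
    [pscustomobject]@{ Mailbox = 'Exec1'; Delegate = 'Assistant1'; Permission = 'SendAs' }
    [pscustomobject]@{ Mailbox = 'SalesShared'; Delegate = 'Sales1'; Permission = 'FullAccess' }
    [pscustomobject]@{ Mailbox = 'SalesShared'; Delegate = 'Sales2'; Permission = 'SendAs' }
    [pscustomobject]@{ Mailbox = 'Solo2'; Delegate = 'Solo1'; Permission = 'FullAccess' }
)

Get-MigrationBatches -Records $SampleRecords -Location $SampleLocation | Format-Table -AutoSize
```

On the sample data this yields four batches: the UserA/UserB/UserC loop, the Exec1/Assistant1 pair (flagged as already cross-premise for both Send As and Send on Behalf because the assistant was moved first), the SalesShared mailbox with its two delegates, and the Solo1/Solo2 pair. Replacing the sample with the output of `Get-DelegateRecords` and a location map built from `Get-Mailbox` / `Get-RemoteMailbox` gives the same batching over real data; in a large tenant, filter the records by business unit or group first, as the Recommendations section suggests, to keep the components to a manageable size.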

Recommendations

The approach that we use to migrate organizations with complex delegate mapping is to analyze delegate permissions by business unit and/or group. That way only one or two levels of permissions are included in scope and the remainder can be excluded, reducing the complexity.

At the time of this writing, Microsoft has not published a timeline for enabling “Send As” functionality cross premise. Once that is actually implemented, the majority of the migration planning headaches will be lifted, making migration to Exchange Online less of a planning burden.


Written by Office Apps

I write about Office apps. Mostly on Microsoft Exchange, Microsoft Teams, Exchange On premise to O365 Migrations.
