Cross-premises permissions Exchange Online Hybrid

As per Hybrid Deployment Considerations (detailed here:

You should consider the following before implementing an Exchange hybrid deployment:

· Delegation coexistence. Delegate permissions (such as Delegate Access, folder permissions, and “Send on behalf of”) are migrated to Exchange Online but are not available after a mailbox move unless all parties are migrated at the same time. For example, if an executive in your organization is migrated to Exchange Online then his or her administrative assistant must be migrated at the same time in order to maintain delegate access.
· Mailbox permissions. On-premises mailbox permissions such as Send As, Receive As and Full Access that are explicitly applied on the mailbox are migrated to Exchange Online. However, inherited (non-explicit) mailbox permissions and any permissions on non-mailbox objects—such as distribution lists or a mail-enabled user—are not migrated. Therefore, you will need to plan for configuring these permissions in Exchange Online if applicable for your organization. For example, you can use the Add-RecipientPermission and Add-MailboxPermission Windows PowerShell cmdlets to set the permissions in Office 365.
· Cross-premises permissions. It is important to note that we do not support cross-premises permission scenarios. Permissions are only migrated and functional when implementing an Exchange hybrid deployment if there are corresponding directory objects in Exchange Online. Additionally, all objects with special permissions such as Send As, Receive As and Full Access must be migrated at the same time. This also means that to migrate these permissions you must ensure directory synchronization has completed before you start moving mailboxes.
· Offboarding. As part of ongoing recipient management, you may have a need to move Exchange Online mailboxes back to your on-premises environment. For more information, see the Community Help topic Exchange Hybrid Deployment – Moving Cloud-Based Mailboxes to the On-Premises Organization.
· Decommissioning on-premises Exchange. Some organizations may wish to completely remove their on-premises Exchange environment after all mailboxes are migrated. The steps to decommission on-premises Exchange should be planned carefully with the help of an Office 365 deployment specialist. Contact the Office 365 support team for more information.
· Multi-forest Active Directory environments. If your organization implements multiple forests for logon or resource segmentation, Exchange hybrid deployment is not supported.

However, after internal testing, the results are shown below:

Migrate Mailbox to O365 – with permissions defined before moving (user to user), the following behaviour is seen:

O365 – On-Prem:
* Open Mailboxes – WORKED
* Send As or Behalf – FAILED

On-Prem – O365:
* Open Mailboxes – WORKED
* Send As or Behalf – WORKED

Adding permissions after mailbox has been moved

O365 – On-Prem:
* Not Possible to add permissions

On-Prem – O365:
* Not Possible to add permissions

O365 – O365:

So it would appear that if the permissions are set beforehand on the user's mailbox, most of the permission features work (as noted above), but once migrated these can't be altered until the On-Prem mailboxes have been moved.
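
Since permissions have to be in place before the move, a pre-move audit helps. The script below is an added example, not from the original post or from Microsoft's documentation: it lists Full Access, Send As and Send on Behalf grants that involve a planned batch, and flags inherited entries and delegate pairs the batch would split. The batch file name and the report columns are assumptions.

```powershell
# Added example; run in the on-premises Exchange Management Shell before the move.
# Assumption: .\batch1.txt is a hypothetical file with one mailbox alias per line.
$batch = @(Get-Content .\batch1.txt | ForEach-Object { (Get-Mailbox $_).Guid })

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Full Access entries from the mailbox ACL (skip built-in accounts and denies).
    $grants = @(Get-MailboxPermission $mbx.Identity |
        Where-Object { $_.AccessRights -like '*FullAccess*' -and -not $_.Deny -and
                       $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object User, IsInherited, @{n='Right';e={'FullAccess'}})
    # Send As is stored as an extended right on the AD object.
    $grants += @(Get-ADPermission $mbx.DistinguishedName |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.Deny -and
                       $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object User, IsInherited, @{n='Right';e={'SendAs'}})
    # Send on behalf of is a mailbox property and is always explicit.
    $grants += @($mbx.GrantSendOnBehalfTo | Where-Object { $_ } |
        Select-Object @{n='User';e={$_}}, @{n='IsInherited';e={$false}},
                      @{n='Right';e={'SendOnBehalf'}})

    foreach ($g in $grants) {
        # Trustees that are not mailboxes (groups, mail users) resolve to $null.
        $delegate   = Get-Mailbox -Identity "$($g.User)" -ErrorAction SilentlyContinue
        $ownerIn    = $batch -contains $mbx.Guid
        $delegateIn = [bool]$delegate -and ($batch -contains $delegate.Guid)
        # Only grants that touch the planned batch are of interest.
        if (-not ($ownerIn -or $delegateIn)) { continue }

        $finding = if ($g.IsInherited) { 'Inherited: not migrated, re-apply in Exchange Online' }
            elseif (-not $delegate) { 'Trustee is not a mailbox: review manually' }
            elseif ($ownerIn -ne $delegateIn) { 'Split by this batch: move both together' }
            else { $null }

        if ($finding) {
            New-Object PSObject -Property @{
                Mailbox = $mbx.PrimarySmtpAddress
                Trustee = "$($g.User)"
                Right   = $g.Right
                Finding = $finding
            }
        }
    }
}

$report | Sort-Object Finding, Mailbox | Format-Table Mailbox, Trustee, Right, Finding -AutoSize
```

An empty report means no grant involving the batch is inherited, held by a non-mailbox trustee, or split between the batch and the mailboxes staying on-premises.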
