Adding Send-As / Delegated Permissions to Office 365 mailboxes

Question

From my understanding I need to use a script to add send as and delegated mailbox permissions for 365 mailboxes.

Does anyone have a sample script I could use for reference?

Please and thank you!

Comments

Hello John,

From my understanding I need to use a script to add send as and delegated mailbox permissions for 365 mailboxes.

This can be done using the Modify Exchange properties action. For details, have a look at Example 10 of the following tutorial: https://www.adaxes.com/tutorials_Automa ... collapse12.

Does anyone have a sample script I could use for reference?

If using the Modify Exchange properties action does not meet your needs, have a look at the following script from our repository: https://www.adaxes.com/script-repositor ... r-s502.htm. Should you have issues modifying the script, provide us with all the possible details and we will help you.

---

I can't use the modify exchange properties section becasue I do not have an on-prem exchange server. When I try to assign the permissions for Send AS it doesnt show the mailboxes in 365 just local AD objects.

I will take a look at the script. Thank you.

---

The script you mentioned appears to be for an on-premise exchange server.

Do you have something like that for Office 365 / Exchange online?

---

Hello John,

Do you need to always grant both Send As and Full Access permissions or you need to grant them separately?

---

I DON'T have an on premise Exchange server either, but use the Exchange Properties tab within Adaxes without an issue.

We have an On Prem A.D. that we sync to O365, and have extended A.D. schema with Exchange attributes.

---

I dont think you understand my situation. We have some mailboxes that are NOT connected/synced from our local AD to 365/Exchange Online. Some users still need delegate and send as permissions to those mailboxes.

If I edit exchange properties it doesnt give me the option to modify "in cloud" only mailboxes in 365/exchange online...

---

Oh, okay, got it, I did miss that.

---

There are times I need to do both but often I just need to do one or the other.

Answer 1

Hello John,

Thank you for clarifying. Use the below scripts to grant the permissions. In the scripts, the $mailboxIdentity specifies the name of the mailbox for which a user will be granted the permissions. To run the scripts you need to create Custom Commands configured for User object type. To grant a user the required permissions you will need to execute the corresponding command for them. To have a possibility to grant both permissions at the same time, you can create another Custom Command that will execute both commands for a user.

Script granting Send As permissions

$mailboxIdentity = "OnlineMailbox" # TODO: modify me

try
{
    # Get the object ID in Office 365
    $objectId = ([Guid]$Context.TargetObject.Get("adm-O365ObjectId")).ToString()
}
catch
{
    return # The user doesn't have an Office 365 account
}

try
{
    # Connect to Exchange Online
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Authentication Basic -AllowRedirection -Credential $Context.GetOffice365Credential()
    Import-PSSession $session -CommandName "Get-Mailbox", "Add-RecipientPermission"

    # Grant permissions
    try
    {
        Add-RecipientPermission -Trustee $objectId -AccessRight "SendAs" -Confirm:$False -ErrorAction Stop -Identity $mailboxIdentity
    }
    catch
    {
        $Context.LogMessage("An error occurred when adding permissions to mailbox $mailboxIdentity. Error: " + $_.Exception.Message, "Warning")
        return
    }
}
finally
{
    # Close the remote session and release resources
    if ($session) { Remove-PSSession $session }
}

Script granting Full Access permissions

$mailboxIdentity = "OnlineMailbox" # TODO: modify me

try
{
    # Get the object ID in Office 365
    $objectId = ([Guid]$Context.TargetObject.Get("adm-O365ObjectId")).ToString()
}
catch
{
    return # The user doesn't have an Office 365 account
}

try
{
    # Connect to Exchange Online
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Authentication Basic -AllowRedirection -Credential $Context.GetOffice365Credential()
    Import-PSSession $session -CommandName "Get-Mailbox", "Add-MailboxPermission"

    # Grant permissions
    try
    {
        Add-MailboxPermission -Deny:$False -User $objectId -AccessRights "FullAccess" -ErrorAction Stop -Identity $mailboxIdentity
    }
    catch
    {
        $Context.LogMessage("An error occurred when adding permissions to mailbox $mailboxIdentity. Error: " + $_.Exception.Message, "Warning")
        return
    }
}
finally
{
    # Close the remote session and release resources
    if ($session) { Remove-PSSession $session }
}

Comments

can I also use these scripts to grand send-as permissions for a distribution group?

---

Hello John,

To grant Send As permissions to a group, use the below script in a Custom Command configured for Group Object type.

$mailboxIdentity = "OnlineMailbox" # TODO: modify me

try
{
    # Connect to Exchange Online
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Authentication Basic -AllowRedirection -Credential $Context.GetOffice365Credential()
    Import-PSSession $session -CommandName "Get-Mailbox", "Add-RecipientPermission"

    # Grant permissions
    try
    {
        Add-RecipientPermission -Trustee "%name%" -AccessRight "SendAs" -Confirm:$False -ErrorAction Stop -Identity $mailboxIdentity
    }
    catch
    {
        $Context.LogMessage("An error occurred when adding permissions to mailbox $mailboxIdentity. Error: " + $_.Exception.Message, "Warning")
        return
    }
}
finally
{
    # Close the remote session and release resources
    if ($session) { Remove-PSSession $session }
}

---

I added the script as a custom command to my business rule but it didnt apply the send as permissions because the newly created user wasnt detected in office 365 yet....

I think its because the 365 mailbox isnt 100% created yet that quickly... is there a way to delay the send as permissions script to wait like 10 minutes until the mailbox is completely set up?

---

Hello John,

There is no such possibility as long as it can take up to several hours to create a mailbox. To work around the issue, you need to use the Custom Command in a Scheduled Task. The task will execute the command only if the user has a mailbox. To make sure that the task is executed for new users only once, you can use an Adaxes custom Boolean (e.g. CustomAttributeBoolean1) attribute to mark the accounts. In your Business Rule triggering After Creating a User, the attribute will be set to True and in the Scheduled Task it will be cleared.

i. Updating the Business Rule

1. Launch Adaxes Administration Console.

2. In the Console Tree, expand your service node.

3. Navigate to Configuration\Business Rules and select the rule you need.

4. Double-click the Run PowerShell script action.

5. Select Update the User and click Add.

6. In the Property to modify drop-down, select CustomAttributeBoolean1.

7. In the New value field, select True.

8. Click OK twice and save the changes.

ii. Creating the Scheduled Task

1. Launch Adaxes Administration Console.

2. In the Console Tree, right-click your service.

3. In the context menu, navigate to New and click Scheduled Task.

4. On step 3 of the Create Scheduled Task wizard, select User Object type and click Next.

5. Click Add an action.

6. Select Run a program or PowerShell script.

7. Paste the script into the Script field.

8. Enter a short description and click OK.

9. Right-click the action you created and click Add New Action in the context menu.

10. Select Update the User and click Add.

11. In the Property to modify drop-down, select CustomAttributeBoolean1.

12. Select Remove property and click OK twice.

13. Double-click Always.

14. Select If <property><relation><value>.

15. Select If CustomAttributeBoolean1equals True and click OK.

16. Right-click the condition you created and click Add New Condition in the context menu.

17. Select If has an Exchange mailbox and click OK.

18. Click Next and finish creating the Scheduled Task.