
Script repository

Synchronize Send As permissions from Exchange on-premises to Exchange Online for distribution list

May 08, 2023 Views: 1793

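When you move a mailbox to Exchange Online, the mailbox user's permissions on distribution lists are not copied. This script replaces the Send As permissions of a distribution list in Exchange Online with the Send As permissions set on the same list on-premises. The existing Send As entries on the list in Exchange Online are removed first, so permissions granted only in Exchange Online do not survive a run. If the on-premises list has no Send As permissions at all, the script exits without changing anything in Exchange Online. To run the script, create a custom command or scheduled task configured for the Group object type.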

Note: Only permissions of users who already have a Microsoft 365 (Office 365) account will be processed.
PowerShell
# Resolve the group's object ID in Exchange Online. Any failure to read or convert
# the property is reported as "not mail-enabled in Microsoft 365" and ends the script.
try
{
    $rawExchangeId = $Context.TargetObject.Get("adm-O365ExchangeObjectId")
    $groupExchangeId = [Guid]$rawExchangeId
}
catch
{
    $Context.LogMessage("The group is not mail-enabled in Microsoft 365", "Warning")
    return
}

# Read the Send As trustees configured for the group in Exchange on-premises
$groupParams = $Context.TargetObject.GetMailParameters()
$sendAs = $groupParams.SendAs

# NOTE(review): stopping here leaves any Send As entries that exist on the group in
# Exchange Online untouched, so removing the last on-premises trustee is not carried
# over by this script - confirm that this is intended.
if (0 -eq $sendAs.Count)
{
    return
}

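# Build the list of Microsoft 365 object IDs of the on-premises Send As trustees.
# Only trustees that resolve to a user whose mailbox is located in Microsoft 365 are kept.
$sendAsTrustees = @()
for ($i = 0; $i -lt $sendAs.Count; $i++)
{
    $trustee = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    $sid = $trustee.ObjectSid
    if ([System.String]::IsNullOrEmpty($sid))
    {
        continue # Entry carries no SID, nothing to resolve
    }

    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sid))
    {
        continue # Well-known security principals are not synchronized
    }

    try
    {
        $user = $Context.BindToObject("Adaxes://<SID=$sid>")
    }
    catch
    {
        continue # The SID cannot be bound to a directory object
    }

    if ($user.Class -ne "user")
    {
        continue # Only user trustees are synchronized
    }

    $isCloudMailbox = ($user.RecipientType -eq "ADM_EXCHANGERECIPIENTTYPE_MAILBOXENABLED") -and
        ($user.RecipientLocation -eq "ADM_EXCHANGERECIPIENTLOCATION_OFFICE365")
    if (-not $isCloudMailbox)
    {
        continue # No mailbox in Microsoft 365 to grant the permission to
    }

    # Get object ID in Microsoft 365. The read is guarded the same way as the group's
    # own ID: without the guard a failed read would leave $objectId holding the value
    # from the previous iteration, and that stale ID would be appended again.
    try
    {
        $objectId = [Guid]$user.Get("adm-O365ObjectId")
    }
    catch
    {
        $Context.LogMessage("Cannot get the Microsoft 365 object ID of the Send As trustee with SID $sid. The trustee will be skipped.", "Warning")
        continue
    }

    $sendAsTrustees += $objectId.ToString()
}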

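# Connect to Exchange Online
$Context.CloudServices.ConnectExchangeOnline()

$groupIdentity = $groupExchangeId.ToString()

# Read the Send As entries currently set on the group in Exchange Online
$groupPermissions = Get-RecipientPermission -Identity $groupIdentity -AccessRights SendAs

# Revoke the existing entries.
# NOTE(review): every run revokes all entries and grants them again, so there is a short
# window without Send As and the Exchange Online audit trail shows a revoke/grant pair per
# trustee. Changing only the difference would avoid that, but it requires matching the
# Trustee values returned here to the object IDs collected earlier, which this script does not do.
foreach ($permission in $groupPermissions)
{
    if ($permission.IsInherited)
    {
        continue # Inherited entries are not set on the group itself - presumably not removable here
    }

    try
    {
        Remove-RecipientPermission -Identity $groupIdentity -AccessRights SendAs -Trustee $permission.Trustee -Confirm:$False -ErrorAction Stop
    }
    catch
    {
        # Report which entry stayed in place instead of leaving the failure implicit
        $Context.LogMessage("Cannot remove the Send As permission of '$($permission.Trustee)' in Exchange Online. " + $_.Exception.Message, "Warning")
    }
}

# Grant Send As permissions for all users who have accounts in Microsoft 365
foreach ($id in $sendAsTrustees)
{
    try
    {
        Add-RecipientPermission -Identity $groupIdentity -Trustee $id -AccessRights SendAs -Confirm:$False -ErrorAction Stop
    }
    catch
    {
        # One failed grant must not hide which trustee is now missing the permission
        $Context.LogMessage("Cannot grant the Send As permission to trustee $id in Exchange Online. " + $_.Exception.Message, "Warning")
    }
}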