When you move a mailbox to Exchange Online, the Send As permissions that its user holds on distribution lists are not copied. This script copies the Send As permissions of an on-premises distribution list to the same list in Exchange Online, replacing the Send As permissions currently assigned to the list there. To run the script, create a custom command or scheduled task configured for the Group object type.
Note: Only permissions of users who already have a Microsoft 365 (Office 365) account will be processed.
PowerShell
# Copies the Send As trustees of an on-premises distribution list to the same
# list in Exchange Online. The group being processed is supplied by the host
# as $Context.TargetObject.

# Resolve the group's Exchange Online object ID. Any failure in the lookup or
# in the GUID cast is reported as "not mail-enabled" and ends the run before
# anything is changed.
try {
    $groupExchangeId = [Guid]$Context.TargetObject.Get("adm-O365ExchangeObjectId")
}
catch {
    $Context.LogMessage("The group is not mail-enabled in Microsoft 365", "Warning")
    return
}

# Read the Send As list from the group's on-premises mail parameters.
$sendAs = $Context.TargetObject.GetMailParameters().SendAs
if ($sendAs.Count -eq 0) {
    # NOTE(review): returning here leaves any Send As entries the group already
    # has in Exchange Online untouched, while a non-empty list whose trustees
    # are all filtered out below still reaches the removal loop and clears
    # them. Confirm which outcome is intended once on-premises access has been
    # revoked.
    return # No Send As permissions for the group
}

# Build the list of Microsoft 365 object IDs that should hold Send As.
$sendAsTrustees = @()
for ($index = 0; $index -lt $sendAs.Count; $index++) {
    $entry = $sendAs.GetItem($index, [ref]"ADS_PROPERTY_NONE")
    $sid = $entry.ObjectSid

    # Entries without a SID and well-known security principals are skipped.
    if (([System.String]::IsNullOrEmpty($sid)) -or
        ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sid))) {
        continue
    }

    # A SID that cannot be bound to a directory object is skipped without a
    # log entry.
    try {
        $trustee = $Context.BindToObject("Adaxes://<SID=$sid>")
    }
    catch {
        continue
    }

    # Only user objects are considered.
    if ($trustee.Class -ne "user") {
        continue
    }

    # The user must be mailbox-enabled with the mailbox located in Office 365.
    $isCloudMailbox = ($trustee.RecipientType -eq "ADM_EXCHANGERECIPIENTTYPE_MAILBOXENABLED") -and
        ($trustee.RecipientLocation -eq "ADM_EXCHANGERECIPIENTLOCATION_OFFICE365")
    if (-not $isCloudMailbox) {
        continue
    }

    # Record the user's Microsoft 365 object ID as a string.
    # NOTE(review): this lookup is not wrapped in try/catch, so a failure here
    # would not be skipped like the cases above - confirm that is acceptable.
    $sendAsTrustees += ([Guid]$trustee.Get("adm-O365ObjectId")).ToString()
}

# Connect to Exchange Online
$Context.CloudServices.ConnectExchangeOnline()

# Current recipient permissions of the group in Exchange Online.
$groupIdentity = $groupExchangeId.ToString()
$groupPermissions = Get-RecipientPermission -Identity $groupIdentity

# Revoke Send As from every trustee returned above.
# NOTE(review): each returned entry is removed without inspecting its fields,
# including entries for trustees that are re-granted in the next loop and
# entries that were created directly in Exchange Online. If the run stops
# between the two loops, the group is left without the trustees collected
# above; review the execution log after each run.
foreach ($permission in $groupPermissions) {
    Remove-RecipientPermission -Identity $groupIdentity -AccessRights SendAs -Trustee $permission.Trustee -Confirm:$False
}

# Grant Send As to each collected Microsoft 365 user. -Confirm:$False
# suppresses the interactive confirmation prompt.
foreach ($id in $sendAsTrustees) {
    Add-RecipientPermission -Identity $groupIdentity -Trustee $id -AccessRights SendAs -Confirm:$False
}