Alex Heyne also has Full Access and Send As permissions to the on-premises Finance shared mailbox:
Note: observe the use of the CAS array, the protocol (RPC/TCP), and the RPCPort.
Now we will migrate Alex Heyne's mailbox to O365. I will leave his Outlook client open so I can see the effects of a live migration on the end user experience.
Exchange 2010 / Online - mailbox migration steps
And now, let's return to Alex Heyne's Outlook client...
Note: observe the state of the connection ("Send/Receive error" and "Disconnected").
Now we will observe if the mailbox permissions configured for our various mailboxes still function as desired (I will only provide screenshots if the operation fails).
Note: they were all verified as functional when all the "actors" were still on-premises.
- Can Alan Reid access the mailbox of Alex Heyne? - Yes
(But if originally auto-mapped it must be re-added manually)
- Can Alan Reid send as Alex Heyne? - Yes (message received by Alannah Shaw)
- Can Alex Heyne access the mailbox of Alannah Shaw? - Yes (but after an initial failure)
After a second try, it succeeds (note the message Alan Reid sent as Alex Heyne):
- Can Alex Heyne send as Alannah Shaw? - Yes
- Can Alex Heyne access the Finance shared mailbox? - Yes (but after an initial failure - see example of Alannah Shaw above)
- Can Alex Heyne send as the Finance shared mailbox? - No (this fails consistently)
I'll attempt some troubleshooting in just a moment but I'll answer one more question first:
- Can Alex Heyne access and edit the FinCal shared calendar? - Yes (no problems here)
It seems that we can "send as" another user if we are granted Send As rights directly to their mailbox but not necessarily if these rights are granted via group membership. Let's attempt some troubleshooting...
Is the group granting permissions (GMPER_Finance) synced to O365?
No (because of filtering by OU)
What if I sync it?
No change (Alex still cannot "send as" Finance)
What about Aisha Bhari who is also member of the GMPER_Finance security group?
She cannot send as the Finance shared mailbox either.
What if we mail-enable the GMPER_Finance security group?
I make the change and to ensure it takes effect immediately (on the server running Azure AD Connect)...
Start-ADSyncSyncCycle -PolicyType Initial
No change (even after successful sync).
Exchange Hybrid Cross-Premises Mailbox Permissions Demystified (Part 4)