Error viewing Delegation of Exchange Online accounts

Question

Hello,

After migrating users from Exchange 2007 On premise to Exchange Online, we experience a problem viewing/managing full Access permissions for some of the mailboxes.

We get the error: Failed to get mailbox rights. Some or all identity references could not be translated.

Using the Exchange Online admin tools, we can see everything just fine. Using PowerShell in a remote session, we see something similar to:

PS Z:\> get-mailbox teuser |Get-MailboxPermission |ft -AutoSize -Wrap

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
User, Test NT AUTHORITY\SELF {FullAccess, SendAs, ReadPermission} False False
User, Test NAMPRD08\Administrator {FullAccess} True True
User, Test NAMPRD08\Domain Admins {FullAccess} True True
User, Test NAMPRD08\Enterprise Admins {FullAccess} True True
User, Test NAMPRD08\Organization Management {FullAccess} True True
User, Test NT AUTHORITY\SYSTEM {FullAccess} True False
User, Test NT AUTHORITY\NETWORK SERVICE {ReadPermission} True False
User, Test NAMPRD08\Administrator {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} True False
User, Test NAMPRD08\Domain Admins {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} True False
User, Test NAMPRD08\Enterprise Admins {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} True False
User, Test NAMPRD08\Organization Management {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} True False
User, Test NAMPRD08\Public Folder Management {ReadPermission} True False
User, Test NAMPRD08\Exchange Servers {FullAccess, ReadPermission} True False
User, Test NAMPRD08\Exchange Trusted Subsystem {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} True False
User, Test NAMPRD08\Managed Availability Servers {ReadPermission} True False
User, Test PRDMGT01\View-Only Organization Management {ReadPermission} True False

These appear to be the same set of permissions found on users that we can successfully manage through Adaxes.

Any ideas?

Answer 1

I had the exact same problem a while back, but that was caused by a corrupt owner on a few mailboxes.
However you can test the same solution on a mailbox and see if you have the same error. I believe our issue also occured after a migration.

Try running the following powershell command towards one of the mailboxes that has the problem:

Add-mailboxpermission "Name of the mailbox" -Owner "nt authority\self"

Comments

Hello,

As odsven already managed, the issue can be caused by corrupt owners of the failing mailboxes. Most typically, this occurs with migrated mailboxes. To check this, you can try running the following command in the Exchange Management Shell:

Get-MailboxPermission -Identity "CN=John Doe,OU=New York Office,DC=example,DC=com" -Owner:$True

where CN=John Doe,OU=New York Office,DC=example,DC=com is the Distinguished Name (DN) of a user that you are having issues with.

If you are getting the same error as with Adaxes, try running the same command but without the -Owner:$True part. If, on this run, you don't receive the error, then you are having an issue with corrupted mailbox owners. You'll need to repair the mailboxes that give such an error.