We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script repository

Copy Send As permissions from Exchange on-premises to Exchange Online distribution list

May 08, 2023 Views: 6392

When you move a user mailbox to Exchange Online, their permissions to access distribution lists are not copied. This script copies Send As permissions from an on-premises distribution list to its counterpart in Exchange Online. To run the script, create a Custom Command or Scheduled Task configured for the Group object type.

Note: Only permissions of users who already have a Microsoft 365 (Office 365) account will be copied.
Edit Remove
PowerShell
# Get the object ID in Exchange Online
try
{
    $groupExchangeId = [Guid]$Context.TargetObject.Get("adm-O365ExchangeObjectId")
}
catch
{
    $Context.LogMessage("The group is not mail-enabled in Microsoft 365", "Warning")
    return
}

# Get users who have Send As permissions in Exchange on-premises
$groupParams = $Context.TargetObject.GetMailParameters()
$sendAs = $groupParams.SendAs
if ($sendAs.Count -eq 0)
{
    return # No Send As permissions for the group
}

$sendAsTrustees = @()
for ($i = 0; $i -lt $sendAs.Count; $i++)
{
    $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    $sid = $object.ObjectSid
    if ([System.String]::IsNullOrEmpty($sid))
    {
        continue
    }
    
    if (([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sid)))
    {
        continue
    }
    
    try
    {
        $object = $Context.BindToObject("Adaxes://<SID=$sid>")
    }
    catch
    {
        continue
    }
    
    if ($object.Class -ne "user")
    {
        continue
    }
    
    if (!(($object.RecipientType -eq "ADM_EXCHANGERECIPIENTTYPE_MAILBOXENABLED") -and 
        ($object.RecipientLocation -eq "ADM_EXCHANGERECIPIENTLOCATION_OFFICE365")))
    {
        continue
    }
    
    # Get object ID in Microsoft 365
    $objectId = [Guid]$object.Get("adm-O365ObjectId")
    $sendAsTrustees += $objectId.ToString()
}

# Connect to Exchange Online
$Context.CloudServices.ConnectExchangeOnline()
    
foreach ($id in $sendAsTrustees)
{
    # Grant Send As permissions for all users who have accounts in Microsoft 365
    Add-RecipientPermission $groupExchangeId.ToString() -Trustee $id -AccessRights SendAs -Confirm:$False
}
Comments 10
avatar
Remco Jun 24, 2020
Hello,

Is this also possible for send on behalf permissions?

Remco
avatar
Support Aug 25, 2020

Hello Remco,

How exactly do you want to use the script in terms of Send on Behalf permissions? The thing is that unlike Send As, the Send on Behalf permissions are copied to Exchange Online by means of AAD Connect or DireSync and there is no need to use scripts for this purpose. Any additional details regarding the desired workflow would be very helpful.

avatar
Craig Aug 21, 2020
Works for adding permissions but it does not duplicate them. We need to also have it remove people who have been removed from being able to SendAs a group.
avatar
Support Aug 25, 2020
avatar
Andrew Baker May 02, 2023
Is this also for Shared Mailbox as we found that when running it will remove all the users from the sendas list on exchange online and then not add them back even though they have the send-as right
avatar
Support May 02, 2023
Hello Andrew,

The script should work fine for all Exchange recipients including shared mailboxes. Also, there is no possibility for the script to remove any delegate. All it does is adding Send As delegates in Exchange Online. If you face delegates being removed, make sure there is nothing else executed except for the script.
avatar
Oguz Jul 04, 2023
I don't have an on-prem exchange. I just have on-prem AD, Does it still work?
avatar
Support Jul 04, 2023
Hello Oguz,

No, the script will not work in this case as there is nothing to copy.
avatar
Oguz Jul 04, 2023
Actually, ı have a distribution group on On-Prem AD and I can see it in the Office365 Admin Center as a Distribution Group. I included a user to the security tab as Send As=Allow on the AD.
After that, I run Dirsync and it is a success but I can not send an email. What should I do?
avatar
Support Jul 04, 2023
Hello Oguz,

This script is dedicated to copying permissions. That is not something you need. Also, it looks like you are not using Adaxes. You just need to properly configure the mailbox permissions. If you have issues doing that, we recommend you to contact your admins or Microsoft support.
Leave a comment
Loading...

Got questions?

Support Questions & Answers