Script Repository

Copy Send As permissions from Exchange on-premises to Exchange Online distribution list

February 16, 2021 Views: 4450
Exchange Microsoft 365 (Office 365) Security

When you move a user mailbox to Exchange Online, their permissions to access distribution lists are not copied. This script copies Send As permissions from an on-premises distribution list to its counterpart in Exchange Online. To run the script, create a Custom Command or Scheduled Task configured for the Group object type.

Note: Only permissions of users who already have a Microsoft 365 (Office 365) account will be copied.
Edit Remove
PowerShell
# Get the object ID in Exchange Online
try
{
    $groupExchangeId = [Guid]$Context.TargetObject.Get("adm-O365ExchangeObjectId")
}
catch
{
    $Context.LogMessage("The group is not mail-enabled in Microsoft 365", "Warning")
    return
}

# Get users who have Send As permissions in Exchange on-premises
$groupParams = $Context.TargetObject.GetMailParameters()
$sendAs = $groupParams.SendAs
if ($sendAs.Count -eq 0)
{
    return # No Send As permissions for the group
}

$sendAsTrustees = @()
for ($i = 0; $i -lt $sendAs.Count; $i++)
{
    $object = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    $sid = $object.ObjectSid
    if ([System.String]::IsNullOrEmpty($sid))
    {
        continue
    }
    
    if (([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sid)))
    {
        continue
    }
    
    try
    {
        $object = $Context.BindToObject("Adaxes://<SID=$sid>")
    }
    catch
    {
        continue
    }
    
    if ($object.Class -ne "user")
    {
        continue
    }
    
    if (!(($object.RecipientType -eq "ADM_EXCHANGERECIPIENTTYPE_MAILBOXENABLED") -and 
        ($object.RecipientLocation -eq "ADM_EXCHANGERECIPIENTLOCATION_OFFICE365")))
    {
        continue
    }
    
    # Get object ID in Microsoft 365
    $objectId = [Guid]$object.Get("adm-O365ObjectId")
    $sendAsTrustees += $objectId.ToString()
}

try
{
    # Connect to Exchange Online
	$session = $Context.CloudServices.CreateExchangeOnlinePSSession()
    Import-PSSession $session -AllowClobber -DisableNameChecking
    
    foreach ($id in $sendAsTrustees)
    {
        # Grant Send As permissions for all users who have accounts in Microsoft 365
        Add-RecipientPermission $groupExchangeId.ToString() -Trustee $id -AccessRights SendAs -Confirm:$False
    }
}
finally
{
    # Close the remote session and release resources
    if ($session) { Remove-PSSession $session }
}
Comments 4
avatar
Remco Jun 24, 2020
Hello,

Is this also possible for send on behalf permissions?

Remco
Reply
avatar
Support Aug 25, 2020

Hello Remco,

How exactly do you want to use the script in terms of Send on Behalf permissions? The thing is that unlike Send As, the Send on Behalf permissions are copied to Exchange Online by means of AAD Connect or DireSync and there is no need to use scripts for this purpose. Any additional details regarding the desired workflow would be very helpful.

Reply
avatar
Craig Aug 21, 2020
Works for adding permissions but it does not duplicate them. We need to also have it remove people who have been removed from being able to SendAs a group.
Reply
avatar
Support Aug 25, 2020

Hello Craig,

Please, take a look at the following script from our repository: https://www.adaxes.com/script-repository/synchronize-send-as-permissions-from-exchange-on-premises-to-exchange-online-for-distribution-list-s580.htm.

Reply
Leave a comment
Related Scripts

Got questions?

Support Questions & Answers