Configure Exchange to support delegated mailbox permissions in a hybrid deployment

Delegated mailbox permissions enable someone to manage some part of another user's mailbox. A common example of this scenario is an administrative assistant who needs to manage an executive's mailbox and calendar. Hybrid deployments between an on-premises Exchange organization and Microsoft 365 or Office 365 support the Full Access and Send on Behalf delegated mailbox permissions. However, depending on the version of Exchange in your on-premises organization, you might need extra configuration to use delegated mailbox permissions in a hybrid deployment. For example:

  • Exchange 2016: Extra configuration is required.
  • Exchange 2013: A supported Exchange 2013 Cumulative Update (CU) and extra configuration is required.
  • Exchange 2010: No longer supported.

For more information about the specific requirements to support delegated mailbox permissions in a hybrid deployment, take a look at Permissions in Exchange hybrid deployments.

The following sections step you through the configuration of Exchange 2013 and Exchange 2016 on-premises deployments to enable support for delegated mailbox permissions. Before you follow these steps, you need to make sure you're on the latest Exchange 2013/2016 CU. For more information, see Hybrid deployment prerequisites.

Exchange 2013 and Exchange 2016

The following list describes what you need to do, based on your Exchange Server version and on whether ACLable object synchronization was enabled at the organization level at the time you moved mailboxes to the cloud:

  • Exchange 2013 CU9 or earlier (ACLable object synchronization not available): Manually configure each mailbox to support Access Control Lists (ACLs).
  • Exchange 2013 CU10 or later, or Exchange 2016, with ACLable object synchronization disabled: Enable ACLable object synchronization at the organization level. Then manually enable ACLs on each mailbox that was moved to the cloud before you enabled it at the organization level. Mailboxes moved to the cloud after you enable it at the organization level need no extra configuration.
  • Exchange 2013 CU10 or later, or Exchange 2016, with ACLable object synchronization enabled: No extra configuration is needed.

Enable ACLable object synchronization

To enable ACLable object synchronization at the organization level, do the following.

  1. Install the latest version of Microsoft Entra Connect (formerly Azure AD Connect) on all of your Microsoft Entra Connect servers. A current version is needed so that Microsoft Entra Connect synchronizes the attributes that support hybrid permissions. You can download it from the Microsoft Entra Connect download page.

  2. Open the Exchange Management Shell on an Exchange 2013 or Exchange 2016 server running the latest available CU, or the immediately previous CU.

  3. Run the following command.

    Set-OrganizationConfig -ACLableSyncedObjectEnabled $True
    

After you complete these steps, any mailbox you move to the cloud from then on is configured to support delegated mailbox permissions. Mailboxes that were moved to the cloud before you completed these steps must have ACLs enabled manually, using the steps in Enable ACLs on remote mailboxes.

Important

ACLs aren't enabled on remote mailboxes created in the cloud. If you create a remote mailbox in the cloud via on-premises Exchange, you need to use the ACLableSyncedObjectEnabled parameter when running New-RemoteMailbox or Enable-RemoteMailbox.
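As an added example (not code from the original article), here are the two creation paths the note refers to, each run with the switch in place, followed by a check of the Active Directory attribute that the switch changes. The names, UPNs, OU and hybrid routing domain are placeholders; the script assumes the Exchange Management Shell with the ActiveDirectory module available on the same server:

```powershell
# Added example, not from the original article. Placeholders: contoso.com,
# the OU, the user names and the hybrid routing domain.
Import-Module ActiveDirectory

$routingDomain   = 'contoso.mail.onmicrosoft.com'   # assumption: your tenant's hybrid routing domain
$initialPassword = Read-Host -Prompt 'Initial password for the new user' -AsSecureString

# Path 1: create the on-premises AD user and its cloud mailbox in one step.
# Without -ACLableSyncedObjectEnabled the object syncs as a non-ACLable
# remote mailbox even when the organization-level setting is already on.
New-RemoteMailbox -Name 'Alex Wilber' -FirstName 'Alex' -LastName 'Wilber' `
    -SamAccountName 'alex.wilber' -UserPrincipalName 'alex.wilber@contoso.com' `
    -OnPremisesOrganizationalUnit 'OU=Users,DC=contoso,DC=com' `
    -RemoteRoutingAddress "alex.wilber@$routingDomain" `
    -Password $initialPassword -ACLableSyncedObjectEnabled

# Path 2: an AD account that already exists but has no mailbox yet.
Enable-RemoteMailbox -Identity 'megan.bowen@contoso.com' `
    -RemoteRoutingAddress "megan.bowen@$routingDomain" -ACLableSyncedObjectEnabled

# Check the attribute that ACLableSyncedObjectEnabled changes on the AD object.
# Remote user mailbox values: -2147483642 (0x80000006) without ACL support,
# -1073741818 (0xC0000006) with it.
foreach ($sam in 'alex.wilber', 'megan.bowen') {
    $u = Get-ADUser -Identity $sam -Properties msExchRecipientDisplayType
    [pscustomobject]@{
        User        = $u.SamAccountName
        DisplayType = $u.msExchRecipientDisplayType
        AclEnabled  = ($u.msExchRecipientDisplayType -eq -1073741818)
    }
}
```

The attribute is set on premises immediately; the cloud side only sees it after the next Microsoft Entra Connect synchronization cycle, so a delegate added in Microsoft 365 right after creation may still fail until that cycle has run.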

Enable ACLs on remote mailboxes

To enable ACLs on mailboxes moved to the cloud before ACLable object synchronization was enabled at the organization level, do the following.

  1. Open the Exchange Management Shell on an Exchange 2013 or Exchange 2016 server running the latest available CU, or the immediately previous CU.

  2. To enable ACLs on a single mailbox, run the following command:

    Set-RemoteMailbox <UserMailbox's Identity> -ACLableSyncedObjectEnabled
    
  3. To enable ACLs on all mailboxes moved to the cloud, run the following command:

    Get-RemoteMailbox -ResultSize unlimited | Set-RemoteMailbox -ACLableSyncedObjectEnabled
    
  4. To verify that the mailboxes have been updated, run the following command. msExchRecipientDisplayType is the Active Directory attribute that the switch changes: an ACL-enabled remote user mailbox shows -1073741818 (0xC0000006), while one that still lacks ACL support shows -2147483642 (0x80000006). If the column comes back empty in your shell, read the attribute directly from the user object in Active Directory instead (the ActiveDirectory module's Get-ADUser cmdlet can return it).

    Get-RemoteMailbox -ResultSize unlimited | Format-Table DistinguishedName,msExchRecipientDisplayType -AutoSize
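The procedure above, and the organization-level check it depends on, as one added script (not code from the original article). It audits every remote mailbox by reading the Active Directory attribute, enables ACL support only on the ones that still lack it, and verifies the result. It assumes the Exchange Management Shell on Exchange 2013 or 2016 with the ActiveDirectory module available; the bit test on msExchRecipientDisplayType is an assumption generalized from the two remote user mailbox values given above:

```powershell
# Added example, not from the original article. Audits every remote mailbox,
# enables ACL support on the ones that still lack it, and verifies the result.
# Assumes the Exchange Management Shell on Exchange 2013/2016 with the
# ActiveDirectory module available. Run with -WhatIf first to preview changes.
[CmdletBinding(SupportsShouldProcess)]
param()

Import-Module ActiveDirectory

# 0x40000000 in msExchRecipientDisplayType marks an ACL-enabled object; for a
# remote user mailbox the value goes from -2147483642 (0x80000006) to
# -1073741818 (0xC0000006). Assumption: the same bit applies to remote room,
# equipment and shared mailboxes, so the audit tests the bit, not the full value.
$AclableFlag = 0x40000000

function Get-RemoteMailboxAclState {
    Get-RemoteMailbox -ResultSize Unlimited | ForEach-Object {
        $ad = Get-ADUser -Identity $_.DistinguishedName -Properties msExchRecipientDisplayType
        [pscustomobject]@{
            DistinguishedName    = $_.DistinguishedName
            PrimarySmtpAddress   = $_.PrimarySmtpAddress
            RecipientTypeDetails = $_.RecipientTypeDetails
            DisplayType          = $ad.msExchRecipientDisplayType
            AclEnabled           = (($ad.msExchRecipientDisplayType -band $AclableFlag) -ne 0)
        }
    }
}

# 1. Organization-level setting. If it is off, mailboxes moved later are still
#    synced without ACL support, so per-mailbox fixes would not be the end of it.
if (-not (Get-OrganizationConfig).ACLableSyncedObjectEnabled) {
    Write-Warning 'ACLableSyncedObjectEnabled is off at the organization level; run Set-OrganizationConfig -ACLableSyncedObjectEnabled $True first.'
}

# 2. Audit: which remote mailboxes were synced without ACL support?
$pending = @(Get-RemoteMailboxAclState | Where-Object { -not $_.AclEnabled })
if ($pending.Count -eq 0) {
    Write-Output 'All remote mailboxes are already ACL-enabled.'
    return
}
$pending | Format-Table PrimarySmtpAddress, RecipientTypeDetails, DisplayType -AutoSize

# 3. Remediate. -WhatIf/-Confirm on the script flow through to Set-RemoteMailbox.
foreach ($mbx in $pending) {
    if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, 'Enable ACLable synced object')) {
        Set-RemoteMailbox -Identity $mbx.DistinguishedName -ACLableSyncedObjectEnabled
    }
}

# 4. Verify on premises. The change reaches Microsoft 365 only after the next
#    Microsoft Entra Connect synchronization cycle.
$still = @(Get-RemoteMailboxAclState | Where-Object { -not $_.AclEnabled })
Write-Output ("Remote mailboxes still without ACL support: {0}" -f $still.Count)
```

Testing the flag bit rather than the exact value keeps remote room, equipment and shared mailboxes in scope of the audit; if you would rather limit the run to user mailboxes, add a Where-Object on RecipientTypeDetails before the remediation loop.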