How to Assign SendAs to AzureAD-synced User on an AzureAD-synced Mail-enabled Security Group

Dieter Tontsch (GMail) 937 Reputation points
2022-09-17T15:20:00.197+00:00

I wonder what's the correct procedure in order to assign SendAs (eventually also SendOnBehalf) permissions to a Distribution List in EXO which is synced from on-premises. I need to assign this permission to users (with EXO mailbox) which are also synced via AzureADConnect from on-prem to Azure/EXO.

EXO tells me "You can only manage this group in your on-premises environment. Use 'Active directory users & groups' or 'Exchange Admin Center' tools to edit or delete this group.". If I try to do so from on-prem ECP (we still have one Exchange 2016 on-prem in our Hybrid Environment for such management purposes), I see that I can only modify SendOnBehalf, but also I can grant it to the few mailboxes which are still on-prem. My O365 mailbox users do not show up, and SendAs is the same: I can only select from on-prem mailboxes. But even then, for SendAs, I cannot assign at least these users; I do get
"Active Directory operation failed on dc-hostname. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03152E13, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"

All we managed to achieve was assigning SendOnBehalf through Exchange PowerShell on-prem, which at least synchronizes to AzureAD and finally works for SendOnBehalf at least.

Set-DistributionGroup xx@company.com -GrantSendOnBehalfTo user1, user2, user3  

But trying to assign SendAs via "Add-ADPermission -Identity "mobileX IT" -User user1 -AccessRights ExtendedRight -ExtendedRights "Send As"" through Exchange PowerShell also returns this Access Denied error, like via ECP GUI.

So, what's the correct procedure in order to assign, preferably SendAs, but at least SendOnBehalf, to Azure-synced users for an Azure-synced group? In this case the group is a mail-enabled security group on-prem and became a mail-enabled security group synced from on-premises in EXO.

thanks
Dieter


Accepted answer
  1. Andy David - MVP 147.6K Reputation points MVP
    2022-09-17T15:42:39.79+00:00

    You assign send as in the location where the mailbox of the sender is.
    For a group synced to ExO, the send as is applied in ExO for a mailbox that is in ExO.

    https://learn.microsoft.com/en-us/powershell/module/exchange/add-recipientpermission?view=exchange-ps
    Using ExO PowerShell:

    Add-RecipientPermission <group> -AccessRights SendAs -Trustee <User>  
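
The accepted answer's approach applied to several trustees with a verification step, as an added example that is not part of the original answer. The group and user addresses are constructed placeholders, and the check that each trustee is a regular Exchange Online user mailbox is an assumption based on the question.

```powershell
# Added example: addresses below are constructed placeholders, not values from the thread.
$GroupAddress = 'group@contoso.example'     # synced mail-enabled security group
$Trustees     = 'user1@contoso.example', 'user2@contoso.example'

# Requires the ExchangeOnlineManagement module and an Exchange Online admin role.
Connect-ExchangeOnline -ShowBanner:$false

# Confirm the synced group exists as a recipient in Exchange Online; stop otherwise.
$null = Get-DistributionGroup -Identity $GroupAddress -ErrorAction Stop

foreach ($t in $Trustees) {
    # Assumption: trustees are regular user mailboxes hosted in Exchange Online.
    # Users whose mailbox is still on-prem appear in EXO as MailUser and are skipped.
    $rcpt = Get-Recipient -Identity $t -ErrorAction SilentlyContinue
    if (-not $rcpt -or $rcpt.RecipientTypeDetails -ne 'UserMailbox') {
        Write-Warning "$t is not an Exchange Online user mailbox; skipped."
        continue
    }

    # Skip trustees that already hold SendAs so the script can be re-run safely.
    $existing = Get-RecipientPermission -Identity $GroupAddress -Trustee $t -AccessRights SendAs
    if ($existing) {
        Write-Host "$t already has SendAs on $GroupAddress"
        continue
    }

    Add-RecipientPermission -Identity $GroupAddress -Trustee $t -AccessRights SendAs -Confirm:$false
}

# Review who can now send as the group; unexpected trustees here are worth investigating.
Get-RecipientPermission -Identity $GroupAddress -AccessRights SendAs |
    Select-Object Identity, Trustee, AccessRights, IsInherited |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

An entry that should not be there can be revoked with Remove-RecipientPermission using the same -Identity, -Trustee and -AccessRights parameters.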
    
