Send As Permission Not Staying Applied - Exchange 2016

MTMP 1 Reputation point
2022-02-08T15:55:20.41+00:00

For a particular user/mailbox an account can be added to the Send As Permission however that account periodically disappears from the field and the Send As permission contains no entries.

This permission has been added several times through the Exchange 2016 - Exchange Admin Center (EAC). This permission will stick for what seems randomly minutes, hours and even weeks more recently. However it seems to remove itself periodically. It has stayed applied across server reboots and updates. But periodically the permission is no longer applied. An attempt to add via Exchange Management Shell using the Get-Mailbox "userMailbox" | Add-ADPermission -User "mailboxWithAccess" -ExtendedRights "Send As" has not stayed applied.

The permission is not being applied through a group but by directly adding a user. The user being added to the Send As permission has a different email domain but both are part of the same Active Directory Domain. There have been Send As permissions applied the same way through EAC to different mailboxes and so far none of those mailboxes have had the Send As Permission disappear.

The affected user will receive a message in Outlook when sending on behalf "This message could not be sent. You do not have the permission to send the message on behalf of the specified user." and then it is noted the permission is once again missing.

Thank you for your assistance.


2 answers

  1. Andy David - MVP 143.6K Reputation points MVP
    2022-02-08T17:11:59.183+00:00

    Is the account associated with this mailbox in an elevated group or was at one time?
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory

    If so that is expected:

    https://www.reddit.com/r/exchangeserver/comments/7golo5/send_as_permission_adminsdholder_protected_groups/

    If so, remove that account from all elevated domain groups and clear the admin count:

    Set-AdUser -Identity <user> -Clear adminCount  
    

  2. Aaron Xue-MSFT 2,586 Reputation points Microsoft Vendor
    2022-02-09T05:31:52.507+00:00

    Hi @MTMP ,

    If the account is in a protected group, it’s normal behavior.

    "AdminSDHolder" checks for changes every hour on protected users and groups.

    You could get more details about AdminSDHolder from this document.

    You need to remove the user from the administrator group.

    Here’s also a similar case for your reference.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
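
A read-only check for the condition both answers describe, added here as an example and not part of the original thread. It assumes the ActiveDirectory (RSAT) PowerShell module; the function name `Get-SendAsResetRisk` is hypothetical and `userMailbox` is the placeholder identity from the question.

```powershell
# Added example (not from the thread): reports whether the AD account behind a
# mailbox is subject to AdminSDHolder ACL resets, and who currently holds Send As.
Import-Module ActiveDirectory

function Get-SendAsResetRisk {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor

    # Escape LDAP filter metacharacters in the DN (backslash first).
    $dn = $user.DistinguishedName -replace '\\','\5c' -replace '\*','\2a' `
                                  -replace '\(','\28' -replace '\)','\29'

    # Protected groups (adminCount=1) the user belongs to, directly or through
    # nesting (LDAP_MATCHING_RULE_IN_CHAIN). Primary group is not covered here.
    $protected = @(Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))")

    # Allow ACEs on the user object that grant the Send-As extended right.
    $sendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
    $extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl        = $user.nTSecurityDescriptor
    $rules      = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $sendAs     = @($rules | Where-Object {
        (($_.ActiveDirectoryRights -band $extended) -eq $extended) -and
        ($_.ObjectType -eq $sendAsGuid) -and
        ($_.AccessControlType -eq 'Allow')
    })

    [pscustomobject]@{
        User                = $user.SamAccountName
        AdminCount          = $user.adminCount
        ProtectedGroups     = $protected.Name -join '; '
        # True when the ACL no longer inherits from the parent container.
        InheritanceDisabled = $acl.AreAccessRulesProtected
        SendAsTrustees      = ($sendAs | ForEach-Object { $_.IdentityReference.Value }) -join '; '
        # Still in a protected group: the ACL will be overwritten again.
        ActiveProtection    = ($protected.Count -gt 0)
        # adminCount=1 with no protected membership: leftover from past membership.
        StaleAdminCount     = ($user.adminCount -eq 1 -and $protected.Count -eq 0)
    }
}

Get-SendAsResetRisk -Identity 'userMailbox' | Format-List
```

If `ActiveProtection` is true, the Send As entry will keep disappearing until the group membership is removed. If only `StaleAdminCount` and `InheritanceDisabled` are true, clearing `adminCount` as shown in the first answer does not by itself re-enable inheritance on the object.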