Understanding Hybrid Deployment Permissions with Exchange 2010 SP3
Applies to: Exchange Server 2010 SP3
The Exchange Online in Microsoft Office 365 organization is based on Exchange 2010 and, like on-premises organizations, uses Role Based Access Control (RBAC) to control permissions. Administrators are granted permissions using management role groups, and end users are granted permissions using management role assignment policies. Additionally, you need to carefully plan migration of mailboxes that have been configured in a delegate/delegator relationship.
Learn more about RBAC at: Understanding Permissions
Cross-premises mailbox permissions
If you allow users to access other users' mailboxes (for example, an administrative assistant accessing an executive's calendar), you need to carefully consider the following prior to moving either mailbox to Office 365.
Mailbox permissions migration
On-premises mailbox permissions such as Send As, Receive As, and Full Access that are explicitly applied on the mailbox are migrated to Exchange Online. Inherited (non-explicit) mailbox permissions and any permissions on non-mailbox objects, such as distribution lists or mail-enabled users, are not migrated. Therefore, you have to plan for configuring these permissions in Office 365 if applicable for your organization. For example, you can use the Add-RecipientPermission and Add-MailboxPermission Windows PowerShell cmdlets to set the permissions in Office 365.
Support for cross-premises mailbox permissions
Exchange hybrid deployments support the use of the Full Access mailbox permission between mailboxes located in an on-premises Exchange organization and mailboxes located in Office 365. A mailbox on an on-premises Exchange server can be granted the Full Access permission to an Office 365 mailbox, and vice versa. For example, an Office 365 mailbox can be granted the Full Access permission to an on-premises shared mailbox.
Note
Users might receive additional credential prompts when they first access a mailbox that’s in the other organization and add it to their Outlook profile.
We don’t, however, support the use of the Send-As, Receive-As, or Send on behalf of mailbox permissions in hybrid deployments between on-premises Exchange and Office 365 organizations. These permissions are only available when both the mailbox granting the permissions, and the mailbox receiving the permissions, are in the same organization. Any mailboxes that receive these permissions from another mailbox need to be moved at the same time as that mailbox. If a mailbox receives permissions from multiple mailboxes, that mailbox, and all of the mailboxes granting permissions to it, need to be moved at the same time. In addition to these permissions, the Auto Mapping feature is also unsupported when used between mailboxes in the on-premises Exchange and Office 365 organizations.
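The inventory step the two sections above call for, as an added example that is not part of the original article: it lists the explicit (non-inherited) Full Access grants that will migrate with a mailbox, and the Send-As, Receive-As and Send on behalf trustees that must move in the same batch. It assumes an on-premises Exchange 2010 SP3 Management Shell; the mailbox addresses are placeholders.

```powershell
# Added example, not from the original article. Run in the on-premises
# Exchange 2010 SP3 Management Shell. "executive@contoso.com" and
# "assistant@contoso.com" are placeholder mailboxes.
param([string]$Mailbox = "executive@contoso.com")

$mbx = Get-Mailbox -Identity $Mailbox

# Filter out the built-in SELF / NT AUTHORITY entries so only real delegates remain.
$isDelegate = { $_.User -notlike "NT AUTHORITY\*" -and $_.User -notlike "S-1-5-*" }

# 1. Explicit Full Access: migrated with the mailbox and supported cross-premises.
#    Inherited grants are excluded because they are not migrated.
$fullAccess = Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   ($_.AccessRights -contains "FullAccess") } |
    Where-Object $isDelegate

# 2. Send-As / Receive-As are Active Directory extended rights. They are not
#    supported across premises, so each trustee must move in the same batch.
$sendReceiveAs = Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   ($_.ExtendedRights -like "Send-As" -or
                    $_.ExtendedRights -like "Receive-As") } |
    Where-Object $isDelegate

# 3. Send on behalf is stored on the mailbox itself; same move-together rule.
$sendOnBehalf = $mbx.GrantSendOnBehalfTo | ForEach-Object { $_.Name }

# Mailboxes that must be in the same move request as $Mailbox.
$moveTogether = @($sendReceiveAs | ForEach-Object { $_.User.ToString() }) +
                @($sendOnBehalf) | Sort-Object -Unique

"Full Access (migrates): " + (($fullAccess | ForEach-Object { $_.User }) -join ", ")
"Move together with $Mailbox : " + ($moveTogether -join ", ")

# After the whole batch is in Exchange Online, re-create Send-As from a remote
# PowerShell session. Explicit Full Access needs no action; a new cross-premises
# Full Access grant should disable Auto Mapping, which is unsupported between
# the two organizations, so the user adds the mailbox to Outlook manually.
#   Add-RecipientPermission -Identity $Mailbox -Trustee "assistant@contoso.com" -AccessRights SendAs
#   Add-MailboxPermission -Identity "sharedmbx@contoso.com" -User "assistant@contoso.com" `
#       -AccessRights FullAccess -AutoMapping:$false
```

The script only finds permissions granted on this mailbox; if the mailbox itself holds Send-As on other mailboxes, run it against those mailboxes too so the batch is complete in both directions.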
Administrator Permissions
By default, the user that was used to create the Office 365 service is made a member of the Organization Management role group in the Exchange Online organization. This user can manage the entire Office 365 organization, including configuration of organization-level settings and management of Exchange Online recipients.
You can add additional administrators in the Office 365 organization, depending on the management that needs to take place. You can add additional organization administrators and recipient administrators, enable specialist users to perform compliance tasks such as discovery, configure custom permissions, and more. All permissions management for Office 365 administrators must be performed in the Exchange Online organization using either the Exchange Control Panel (ECP) or remote PowerShell.
However, it's important to note that there is no transfer of permissions between the on-premises organization and the Office 365 organization. Any permissions that you've defined in the on-premises organization must be re-created in the Office 365 organization.
End User Permissions
As with administrator permissions, end users in Exchange Online can be granted permissions. By default, end users are granted permissions via the default role assignment policy. This policy is applied to every mailbox in the Exchange Online organization. If the permissions granted by default are sufficient, you don't need to change anything.
If you do want to customize end user permissions, you can either modify the existing default role assignment policy, or you can create new assignment policies. If you create multiple assignment policies, you can assign different policies to different groups of mailboxes, enabling you to control permissions granted to each group depending on their requirements. All permissions management for cloud-based end users must be performed in the Exchange Online organization using either the ECP or remote PowerShell.
Like administrator permissions, end user permissions aren't transferred between the on-premises organization and the Exchange Online organization. Any permissions that you've defined in the on-premises organization must be re-created in the Exchange Online organization.
The following table lists the permissions granted by the default role assignment policies in the Exchange Online organization.
Default role assignment policy permissions
Management role | Description |
---|---|
MyBaseOptions | The |
MyContactInformation | The |
MyDistributionGroupMembership | The |
MyDistributionGroups | The |
MyMailSubscription | The |
MyProfileInformation | The |
MyRetentionPolicies | The |
MyTextMessaging | The |
MyVoiceMail | The |
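Customizing end user permissions as described above, as an added example that is not part of the original article: it creates a narrower role assignment policy from a subset of the roles in the table and assigns it to one group of cloud mailboxes. It assumes a remote PowerShell session to Exchange Online; the policy name and the Department value are placeholders.

```powershell
# Added example, not from the original article. Run in a remote PowerShell
# session connected to Exchange Online. The policy name "Restricted Users"
# and the Department value "Contractors" are placeholders.

# Roles the default assignment policy currently grants, for comparison.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Select-Object Role, RoleAssigneeName

# A narrower policy: omits MyDistributionGroups (creating and owning groups),
# MyMailSubscription, MyTextMessaging and MyVoiceMail, keeping only the
# self-service basics.
$roles = @("MyBaseOptions", "MyContactInformation",
           "MyDistributionGroupMembership", "MyProfileInformation",
           "MyRetentionPolicies")
New-RoleAssignmentPolicy -Name "Restricted Users" -Roles $roles `
    -Description "Self-service basics only; no group ownership, SMS or voice mail"

# Apply it to one group of cloud mailboxes; everyone else keeps the default policy.
Get-Mailbox -ResultSize Unlimited -Filter { Department -eq "Contractors" } |
    Set-Mailbox -RoleAssignmentPolicy "Restricted Users"

# Verify which mailboxes now carry the new policy.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy.Name -eq "Restricted Users" } |
    Select-Object Name, RoleAssignmentPolicy
```

Because assignment policies are not transferred from on-premises, repeat this in Exchange Online for every custom policy you had defined on-premises rather than expecting the move to carry them over.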
© 2010 Microsoft Corporation. All rights reserved.