Permissions in Exchange hybrid deployments


Applies to: Exchange Server 2013, Exchange Server 2016

Topic Last Modified: 2016-01-28

The Exchange Online organization in Office 365 is based on Exchange Server and, like on-premises organizations, it uses Role Based Access Control (RBAC) to control permissions. Administrators are granted permissions using management role groups, and end users are granted permissions using management role assignment policies.

For more information about permissions in Exchange Online and on-premises Exchange, see Permissions.

By default, the user that was used to create the Office 365 tenant is made a member of the Organization Management role group in the Exchange Online organization. This user can manage the entire Exchange Online organization, including configuration of organization-level settings and management of Exchange Online recipients.

You can add additional administrators in the Exchange Online organization, depending on the management that needs to take place. For example, you can add additional organization administrators and recipient administrators, enable specialist users to perform compliance tasks such as discovery, configure custom permissions, and more. All Exchange Online permissions management for Office 365 administrators must be performed in the Exchange Online organization using either the Exchange Administration Center (EAC) or remote PowerShell.

Important:
There is no transfer of permissions between the on-premises organization and the Office 365 organization. Permissions that you've defined in the on-premises organization must be re-created in the Office 365 organization.

For more information, see Manage role groups and Manage role group members.

In on-premises Exchange deployments, users can be granted a variety of permissions to other users' mailboxes. This is called delegated mailbox permissions, and it's useful when an administrative assistant needs to manage some part of another user's mailbox; for example, managing an executive's calendar. Some of these permissions can be used in Exchange hybrid deployments.

Exchange hybrid deployments support the use of the Full Access mailbox permission between mailboxes located in an on-premises Exchange organization and mailboxes located in Office 365. A mailbox on an on-premises Exchange server can be granted the Full Access permission to an Office 365 mailbox, and vice versa. For example, an Office 365 mailbox can be granted the Full Access permission to an on-premises shared mailbox.

Note:
Users might receive additional credential prompts when they first access a mailbox that’s in the other organization and add it to their Outlook profile.

We don’t, however, support the use of the Send-As, Receive-As, or Send on behalf of mailbox permissions in hybrid deployments between on-premises Exchange and Office 365 organizations. These permissions are only available when both the mailbox granting the permissions, and the mailbox receiving the permissions, are in the same organization. Any mailboxes that receive these permissions from another mailbox need to be moved at the same time as that mailbox. If a mailbox receives permissions from multiple mailboxes, that mailbox, and all of the mailboxes granting permissions to it, need to be moved at the same time. In addition to these permissions, the Auto Mapping feature is also unsupported when used between mailboxes in the on-premises Exchange and Office 365 organizations.
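Because Send-As, Receive-As and Send on behalf stop working once the two mailboxes sit on different sides of the hybrid boundary, a move batch should be checked for grants that cross its edge before it is submitted. The following script is an added example, not code from the original article; it runs in the on-premises Exchange Management Shell, and the batch member addresses are constructed placeholders.

```powershell
# Added example (not from the original article). Run in the on-premises
# Exchange Management Shell before submitting a move batch. It reports every
# Send-As, Receive-As or Send on behalf grant where exactly one side of the
# grant is in the batch; those are the mailboxes that must move together.
# $BatchMembers is a constructed sample list; replace it with your own.
$BatchMembers = @("exec01@contoso.example", "assistant01@contoso.example")

$batch     = $BatchMembers | ForEach-Object { Get-Mailbox -Identity $_ }
$batchDns  = @($batch | ForEach-Object { $_.DistinguishedName })
$batchSams = @($batch | ForEach-Object { $_.SamAccountName })

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $mbxInBatch = $batchDns -contains $mbx.DistinguishedName

    # Send-As and Receive-As are AD extended rights on the user object,
    # so they are read with Get-ADPermission, not Get-MailboxPermission.
    $aces = Get-ADPermission -Identity $mbx.DistinguishedName | Where-Object {
        -not $_.IsInherited -and
        $_.User -notlike "NT AUTHORITY\SELF" -and
        $_.User -notlike "S-1-5-*" -and        # ignore orphaned SIDs
        ($_.ExtendedRights -like "*Send-As*" -or $_.ExtendedRights -like "*Receive-As*")
    }
    foreach ($ace in $aces) {
        $granteeSam     = ($ace.User -split "\\")[-1]   # "DOMAIN\sam" -> "sam"
        $granteeInBatch = $batchSams -contains $granteeSam
        if ($mbxInBatch -ne $granteeInBatch) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Grantee = $ace.User
                               Right = ($ace.ExtendedRights -join ",") }
        }
    }

    # Send on behalf is stored on the mailbox itself as a list of recipient DNs.
    foreach ($grantee in $mbx.GrantSendOnBehalfTo) {
        $granteeInBatch = $batchDns -contains $grantee.DistinguishedName
        if ($mbxInBatch -ne $granteeInBatch) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Grantee = $grantee.Name
                               Right = "SendOnBehalf" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No Send-As, Receive-As or Send on behalf grant crosses the batch boundary." }
```

A grantee that is a group is reported as well; expand the group and add or remove members from the batch as needed before moving.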

As with administrator permissions, end users in Exchange Online can be granted permissions. By default, end users are granted permissions via the default role assignment policy. This policy is applied to every mailbox in the Exchange Online organization. If the permissions granted by default are sufficient, you don't need to change anything.

If you do want to customize end user permissions, you can either modify the existing default role assignment policy, or you can create new assignment policies. If you create multiple assignment policies, you can assign different policies to different groups of mailboxes, enabling you to control permissions granted to each group depending on their requirements. All permissions management for Exchange Online end users must be performed in the Exchange Online organization using either the EAC or remote PowerShell.

Like administrator permissions, end user permissions aren't transferred between the on-premises organization and the Exchange Online organization. Any permissions that you've defined in the on-premises organization must be re-created in the Exchange Online organization.

For more information, see Manage role assignment policies and Change the assignment policy on a mailbox.
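The assignment-policy workflow described above, as an added example that is not part of the original article: it runs in a remote PowerShell session to Exchange Online, derives a reduced-privilege policy from the default one, and assigns it to a group of mailboxes. The policy name and the CustomAttribute1 tag used to select mailboxes are assumptions.

```powershell
# Added example (not from the original article). Run in a remote PowerShell
# session to Exchange Online. Creates a least-privilege assignment policy that
# withholds distribution group management and app installation, then assigns
# it to mailboxes tagged with a constructed CustomAttribute1 value.
$PolicyName = "Restricted Users"          # assumption
$Tag        = "RestrictedSelfService"     # assumption

# Start from the roles in the default policy and drop the ones being withheld.
$defaultPolicy = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
$withheld = @("MyDistributionGroups", "My Custom Apps", "My ReadWriteMailbox Apps")
$keepRoles = $defaultPolicy.AssignedRoles |
    Where-Object { $withheld -notcontains $_.Name } |
    ForEach-Object { $_.Name }

# Create the policy only if it does not already exist.
if (-not (Get-RoleAssignmentPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-RoleAssignmentPolicy -Name $PolicyName -Roles $keepRoles | Out-Null
}

# Assign the policy to every mailbox carrying the tag.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$Tag'" |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -RoleAssignmentPolicy $PolicyName }

# Verify: any tagged mailbox still on a different policy is listed here.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$Tag'" |
    Where-Object { $_.RoleAssignmentPolicy.Name -ne $PolicyName } |
    Select-Object PrimarySmtpAddress, RoleAssignmentPolicy
```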

The following table lists the permissions granted by the default role assignment policies in the Exchange Online organization.

Default role assignment policy permissions (management role, followed by its description):

MyTeamMailboxes: The MyTeamMailboxes management role enables individual users to create site mailboxes and connect them to Microsoft SharePoint sites.

My Marketplace Apps: The My Marketplace Apps management role enables individual users to view and modify their Microsoft Office marketplace apps.

MyBaseOptions: The MyBaseOptions management role enables individual users to view and modify the basic configuration of their own mailbox and associated settings.

MyContactInformation: The MyContactInformation management role enables individual users to modify their contact information, including address and phone numbers.

MyDistributionGroupMembership: The MyDistributionGroupMembership management role enables individual users to view and modify their membership in distribution groups in an organization, provided that those distribution groups allow manipulation of group membership.

MyDistributionGroups: The MyDistributionGroups management role enables individual users to create, modify, and view distribution groups, and to modify, view, remove, and add members to distribution groups they own.

MyMailSubscription: The MyMailSubscription role enables individual users to view and modify their e-mail subscription settings such as message format and protocol defaults.

MyProfileInformation: The MyProfileInformation management role enables individual users to modify their name.

MyRetentionPolicies: The MyRetentionPolicies management role enables individual users to view their retention tags, and to view and modify their retention tag settings and defaults.

MyTextMessaging: The MyTextMessaging management role enables individual users to create, view, and modify their text messaging settings.

MyVoiceMail: The MyVoiceMail management role enables individual users to view and modify their voice mail settings.

My ReadWriteMailbox Apps: The My ReadWriteMailbox Apps management role enables users to install apps with ReadWriteMailbox permissions.

My Custom Apps: The My Custom Apps management role enables users to view and modify their custom apps.
