Full Mailbox Access Rights + Send On Behalf = Send As ?

Update 21.08.2015: as of Exchange 2010 SP3 RU8, this is no longer valid.

More Info here: https://support.microsoft.com/en-us/kb/2987104

 

The following is valid for Exchange 2007 and Exchange 2010.

Consider the following Scenario:

We have two Users: User A (UserA@mp3.lol) and User B (UserB@mp3.lol).

You grant User B Full Access Permission for User A’s Mailbox:


 
 
Additionally, you also grant User B Send On Behalf rights for User A’s Mailbox:

Now User B should be able to Send On Behalf of User A, right?

Right! Or at least 50% right…

User B configures an Outlook Profile for User A, using his credentials.

Now User B tries to send an Email to User C for example. You would expect that User C receives an Email from “User B on behalf of User A”.

When you check the Inbox of User C, the Email appears to have come directly from User A. This means that User B actually Sent an Email As User A.

The same happens if User B logs into OWA, opens the Mailbox of User A and sends an Email to User C. Here, too, the Email comes from User A and not from User B on behalf of User A.

You scratch your head, check this behavior maybe once or twice and say: let me check the Send As Permissions for User A’s Mailbox… Surprise!

User B isn’t listed in the Send As Permissions of User A’s Mailbox:

So, how can User B Send As User A without Send As Permissions?

This has been the expected behavior since Exchange 2003 and is also present in Exchange 2007 and Exchange 2010.

There has been a change in Exchange 2003 to the Send As permission behavior.

https://support.microsoft.com/kb/895949 - “Send As” permission behavior change in Exchange 2003

The article states:

“Prior to this change, any user with the “Full Mailbox Access” permission for a mailbox also had the ability to “Send As” the mailbox owner.”

If you scroll down in this Article, you will find under the More Information section the following:

There are three exceptions to the new “Send As” behavior for:

  • A mailbox owner
  • The associated external account mailbox
  • A delegate of the mailbox owner

If any of these three accounts have “Full Mailbox Access” permission, they can send as the owner without explicit "Send As" permission. A mailbox owner and the associated external account both have “Full Mailbox Access” permission by default, while delegate accounts do not.

Back to our original scenario: we granted User B Full Mailbox Access and Send On Behalf permissions on User A’s Mailbox, which explains why User B can actually Send As User A. We run into the third exception here, because User B also became a delegate of User A (when we granted the Send On Behalf permission).
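To find mailboxes where this third exception applies, the following audit can be run in the Exchange Management Shell. It is an added example, not part of the original post or the Microsoft article; the helper `Resolve-UserDn` and the report columns are names introduced here, and it assumes PowerShell 2.0 and permissions granted directly to user accounts.

```powershell
# Added audit sketch for the Exchange Management Shell (PowerShell 2.0 assumed).
# Lists accounts that hold Full Access and Send On Behalf on a mailbox without
# an explicit Send-As right. Only directly granted user accounts are resolved;
# group-based grants are not expanded.

function Resolve-UserDn {
    param([string]$Identity)
    if (-not $Identity) { return }
    $user = Get-User -Identity $Identity -ErrorAction SilentlyContinue
    if ($user) { $user.DistinguishedName }
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Delegates: accounts listed in the mailbox's Send On Behalf setting.
    $delegateDns = @($mbx.GrantSendOnBehalfTo | ForEach-Object { Resolve-UserDn "$_" })
    if ($delegateDns.Count -eq 0) { continue }

    # Accounts with an explicit (allow) Send-As extended right.
    $sendAsDns = @(Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { ($_.ExtendedRights -like '*Send-As*') -and -not $_.Deny } |
        ForEach-Object { Resolve-UserDn "$($_.User)" })

    # Accounts with an allow Full Access entry, excluding the owner (SELF).
    $fullAccess = Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object { ($_.AccessRights -like '*FullAccess*') -and -not $_.Deny -and
                       ("$($_.User)" -ne 'NT AUTHORITY\SELF') }

    foreach ($perm in $fullAccess) {
        $dn = Resolve-UserDn "$($perm.User)"
        # Full Access + delegate, but no Send-As entry: the implicit Send As case.
        if ($dn -and ($delegateDns -contains $dn) -and ($sendAsDns -notcontains $dn)) {
            New-Object PSObject -Property @{
                Mailbox             = "$($mbx.PrimarySmtpAddress)"
                Delegate            = "$($perm.User)"
                FullAccessInherited = $perm.IsInherited
            }
        }
    }
}

$report | Format-Table Mailbox, Delegate, FullAccessInherited -AutoSize
```

Each row is an account that can send mail appearing to come directly from the mailbox owner even though it does not show up in the Send As permission list.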

 

Now, how do you actually Send On Behalf?

It’s simple: just instruct User B to do the following:

Outlook:

Compose a new Email, click the Options tab, and make the From field visible. Then go back to your Email and choose From: User A.

Now, when sending out the Email to User C, it will appear to be coming from User B on Behalf of User A.

OWA:

User B should not open User A’s Mailbox. Instead, he should go into Options, choose Show From, and then choose From: User A.

Now, when sending out the Email to User C, it will appear to be coming from User B on Behalf of User A.