Migration permissions problem statement


In Exchange, we can have 4 types of permissions:

  • AD Permissions (Typically Send-As and Receive-As)
  • Folder Permissions (aka client delegations, permissions that users can grant directly from the client, for example Calendar delegation)
  • Mailbox Permissions (Typically FullAccess and ReadPermissions)
  • Send on Behalf

Over the years, in different companies I found that statistically 35% of permissions are AD, 55% are MP, 10% FP.

Presently, Office 365 supports cross-premises permissions with Outlook ONLY if they are FullAccess permissions (users and clients MUST use a supported Office version, a supported UPN and meet all other Office 365 requirements). More details about cross-premises permissions are available at the following link.

In this scenario you can migrate WITHOUT ANY CONCERN (almost :)) only:

  • users that do not have any relationship with any other user/mailbox
  • users that only have FullAccess permission relationships with other users/mailboxes
  • groups of mailboxes whose permissions, of any kind, all stay inside the group (closed groups of permissions)

To calculate the groups of users that you can migrate without breaking any relationship, use the EMAT tool described here or download it from here.

If users and clients are fully “ready” to migrate to Office 365, you can remove the MP relationships from the calculation. This gives you more flexibility when creating the groups, producing more groups with fewer users.

If the customer does not meet the Office 365 requirements or uses SID History to provide permissions (for example because the customer comes from several migrations), you need to consider the MP relationships and you will need to re-apply the permissions (this feature will be available soon).
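The grouping described above amounts to finding connected components in a graph whose nodes are mailboxes and whose edges are permission relationships. The following PowerShell is an added example, not the EMAT tool or code from the original post; the function name `Get-MigrationGroup`, the row shape (Mailbox, Grantee, Type) and the sample data are assumptions constructed for illustration.

```powershell
# Constructed sample: Grantee holds a permission of Type on Mailbox.
# Types use the page's abbreviations: AD, MP (FullAccess), FP, SOB (Send on Behalf).
$permissions = @(
    [pscustomobject]@{ Mailbox = 'shared1'; Grantee = 'alice'; Type = 'MP' }
    [pscustomobject]@{ Mailbox = 'shared1'; Grantee = 'bob';   Type = 'AD' }
    [pscustomobject]@{ Mailbox = 'carol';   Grantee = 'dave';  Type = 'FP' }
    [pscustomobject]@{ Mailbox = 'erin';    Grantee = 'alice'; Type = 'MP' }
    [pscustomobject]@{ Mailbox = 'frank';   Grantee = 'carol'; Type = 'SOB' }
)
$allMailboxes = 'alice', 'bob', 'carol', 'dave', 'erin', 'frank', 'grace', 'shared1'

function Get-MigrationGroup {   # hypothetical helper, not an Exchange cmdlet
    param(
        [string[]]$Mailboxes,
        [object[]]$Permissions,
        [string[]]$IgnoreTypes = @()
    )
    # Union-find: every mailbox starts as the root of its own group.
    $parent = @{}
    foreach ($m in $Mailboxes) { $parent[$m] = $m }

    foreach ($p in $Permissions) {
        if ($IgnoreTypes -contains $p.Type) { continue }
        foreach ($n in $p.Mailbox, $p.Grantee) {
            if (-not $parent.ContainsKey($n)) { $parent[$n] = $n }
        }
        # Find both roots, then merge the two groups.
        $a = $p.Mailbox; while ($parent[$a] -ne $a) { $a = $parent[$a] }
        $b = $p.Grantee; while ($parent[$b] -ne $b) { $b = $parent[$b] }
        if ($a -ne $b) { $parent[$a] = $b }
    }

    # Collect the members of each closed group under its root.
    $groups = @{}
    foreach ($m in @($parent.Keys)) {
        $r = $m; while ($parent[$r] -ne $r) { $r = $parent[$r] }
        if (-not $groups.ContainsKey($r)) { $groups[$r] = @() }
        $groups[$r] += $m
    }
    foreach ($g in $groups.Values) {
        [pscustomobject]@{ Size = @($g).Count; Members = (@($g) | Sort-Object) -join ', ' }
    }
}

# Clients not ready: every relationship, FullAccess included, ties mailboxes together.
Get-MigrationGroup -Mailboxes $allMailboxes -Permissions $permissions | Sort-Object Members

# Clients ready: FullAccess (MP) works cross-premises, so those edges are dropped.
Get-MigrationGroup -Mailboxes $allMailboxes -Permissions $permissions -IgnoreTypes 'MP' |
    Sort-Object Members
```

With the constructed data, dropping the MP edges splits the large group around `shared1` into smaller ones, which is the extra batching flexibility the text describes.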

 

Any other permission type will work only if the source and the target of the permission are in the same Exchange organization (either both on premises or both migrated to Office 365).

 

Some remediations or workarounds are available if you need to migrate users that have permissions that do not work cross-premises:

  • Access the mailbox (for example a shared mailbox) using the OWA “trick” (https://mail.contoso.com/owa/sharedmailbox@contoso.com). AFAIK this “trick” no longer works in Exchange 2016 or in Exchange 2013 later than CU13. The “trick” is not supported and has some implications for user licensing. It could be used just for emergencies. This will not cover the Folder Permissions and the Send As.
  • Add another account under the principal mailbox's Outlook profile. From Outlook 2010 you can add another account coming from a different organization under the same Outlook profile. If the principal mailbox is migrated to Office 365 you can add, for example, the shared mailbox that is not migrated. Not all mailbox functionality, such as OOF, will work for the secondary mailbox. More tests are needed to confirm the scenarios that will work.

 

 
