Monday 28 November 2011

Use existing AD security groups to manage Office 365 mailbox permissions such as Full Access or SendAs

You have probably noticed that existing AD security groups do get synced to Office 365, but that you cannot select them in the Exchange Management Console (EMC) to manage mailbox permissions.
Also, existing user permissions on mailboxes are reset after the move.

We use many groups to manage mailbox permissions such as Full Access or SendAs, and we wanted to keep using those already-populated groups for managing permissions after the move.

Existing security groups are usually not mail-enabled and are probably set to global scope.
To set permissions in the Office 365 EMC, the group needs to be universal and mail-enabled.
To keep using the existing groups I changed the group type of those groups.
We had global security groups named GG_Mailbox_Mailboxname.
The groupType attribute was set to -2147483646 (visible in the attribute editor in Active Directory Users and Computers).
Notice that such a group does not show up in the "New Distribution Group" wizard when browsing for existing AD groups.

To use the group in the EMC I first changed groupType to -2147483640.
That is only a one-digit difference, because groupType is a bit field: 0x80000002 (-2147483646) is "security-enabled + global" and 0x80000008 (-2147483640) is "security-enabled + universal"; only the scope bit changes, the security-enabled bit stays set. One caveat: AD will refuse this change while the group is itself a member of another global group, since a global group cannot contain universal groups, so remove such nestings first.
Once changed, you will find the group in the "New Distribution Group" wizard when browsing for existing AD groups.

Double click the group to add it as an existing group and click next in the wizard.

Notice that the grouptype, name and pre-Windows 2000 name already get pre-populated.
The group type we already changed with the attribute editor in AD.
The only thing left to do is to set an Alias for the group, because the group needs to be mail-enabled.
Click next and New on the following screen.

Click finish to finish the wizard.
The changes do need to be synchronized to Office 365, so it is wise to force a DirSync synchronization; otherwise wait for the scheduled synchronization.
To force a DirSync synchronization, refer to the following article.
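The same group conversion and mail-enabling, done from PowerShell instead of the attribute editor and the wizard. This is an added example, not the code from the original post. It assumes the ActiveDirectory module (RSAT) and the on-premises Exchange 2010 Management Shell are loaded, the group name GG_Mailbox_Sales is a made-up example following the naming convention above, and Start-OnlineCoexistenceSync is the DirSync-era cmdlet (newer Azure AD Connect installs use Start-ADSyncSyncCycle instead).

```powershell
# Added example (not the original post's code). Converts an existing global security
# group to universal and mail-enables it so it can carry Office 365 mailbox permissions.
# Assumptions: ActiveDirectory module + on-prem Exchange 2010 Management Shell loaded;
# $groupName is a constructed example; Start-OnlineCoexistenceSync is the DirSync-era
# cmdlet (Azure AD Connect uses Start-ADSyncSyncCycle).
Import-Module ActiveDirectory

# groupType is a bit field: 0x2 = global, 0x4 = domain local, 0x8 = universal,
# 0x80000000 = security-enabled. -2147483646 = 0x80000002 (global, security) and
# -2147483640 = 0x80000008 (universal, security): the "one digit" is the scope bit.
function Get-GroupScopeFromType {
    param([Parameter(Mandatory = $true)][int]$GroupType)
    $isSecurity = ($GroupType -band 0x80000000) -ne 0
    $scope = switch ($GroupType -band 0xE) {
        2       { 'Global' }
        4       { 'DomainLocal' }
        8       { 'Universal' }
        default { 'Unknown' }
    }
    New-Object PSObject -Property @{ Scope = $scope; SecurityEnabled = $isSecurity }
}

$groupName = 'GG_Mailbox_Sales'   # constructed example, follows GG_Mailbox_<Mailboxname>
$group     = Get-ADGroup -Identity $groupName -Properties groupType, mail, memberOf
$before    = Get-GroupScopeFromType -GroupType $group.groupType
Write-Host ("{0}: groupType={1} scope={2} securityEnabled={3}" -f `
    $groupName, $group.groupType, $before.Scope, $before.SecurityEnabled)

if (-not $before.SecurityEnabled) {
    throw "$groupName is a distribution group, not a security group; it cannot hold permissions."
}

if ($before.Scope -eq 'Global') {
    # AD refuses global -> universal while the group is a member of another global group,
    # because a global group cannot contain universal groups. Check before converting.
    $globalParents = $group.memberOf |
        ForEach-Object { Get-ADGroup -Identity $_ } |
        Where-Object { $_.GroupScope -eq 'Global' }
    if ($globalParents) {
        $names = ($globalParents | ForEach-Object { $_.Name }) -join ', '
        throw "Cannot convert $groupName to universal: it is nested in global group(s) $names"
    }
    # Same effect as setting groupType to -2147483640 in the attribute editor
    Set-ADGroup -Identity $group -GroupScope Universal
}

# Mail-enable the now-universal group. This is what the "New Distribution Group ->
# Existing group" wizard does; the Alias is the value the wizard asks for.
if (-not $group.mail) {
    Enable-DistributionGroup -Identity $groupName -Alias $groupName
}

# Push the change to Office 365 now instead of waiting for the scheduled DirSync run
Add-PSSnapin Coexistence-Configuration -ErrorAction SilentlyContinue
Start-OnlineCoexistenceSync
```

The membership check before Set-ADGroup is the part the attribute editor does not do for you: editing groupType by hand on a nested global group simply fails with a constraint violation, and this makes the reason visible.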

Once the group is synced, notice that it is possible to choose the group when setting Full Access permissions on a mailbox. One more thing I noticed: once I had changed the group type and DirSync had replicated the changes, the existing permission groups became visible again in the Full Access details of the user. The groups I used in the on-premises situation had been migrated to Office 365 along with the mailbox.

The one thing you do need to reconfigure is SendAs permissions.
These permissions cannot be set in the EMC for Office 365, only with PowerShell.

Set up a remote PowerShell connection to Office 365.
To do this I refer to the following article.
Once connected to Exchange Online for Office 365, use the following cmdlet to add SendAs permissions for the just created / edited security group.

For easy copy-pasting:
Add-RecipientPermission <mailbox> -Trustee <trustee> -AccessRights SendAs

Where <mailbox> is the mailbox that you want to set the permissions on and <trustee> is the person or group you want to grant the permission to.
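The Exchange Online side in full, as an added example that is not part of the original post: connect, grant the synced group both Full Access and SendAs on a mailbox, and verify the result. It assumes the group from the steps above has already been synced, uses the 2011-era remote PowerShell endpoint (ps.outlook.com with Basic authentication) that the post refers to, and uses sales@contoso.com and GG_Mailbox_Sales as constructed names. Basic authentication is retired in today's tenants: replace the New-PSSession / Import-PSSession lines with Connect-ExchangeOnline from the ExchangeOnlineManagement module and the rest is unchanged.

```powershell
# Added example (not the original post's code). Grants a mail-enabled security group
# Full Access and Send As on an Exchange Online mailbox and verifies the result.
# Assumptions: the group is already synced; ps.outlook.com + Basic auth is the
# 2011-era endpoint (modern tenants: Connect-ExchangeOnline instead);
# $mailbox and $group are constructed example names.
$mailbox = 'sales@contoso.com'
$group   = 'GG_Mailbox_Sales'

$cred    = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
                         -ConnectionUri https://ps.outlook.com/powershell/ `
                         -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session | Out-Null

# Only a mail-enabled universal security group is a usable trustee; fail early if the
# sync produced something else (e.g. a plain distribution group or not synced yet).
$recipient = Get-Recipient -Identity $group -ErrorAction Stop
if ($recipient.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "$group synced as $($recipient.RecipientTypeDetails); expected MailUniversalSecurityGroup"
}

# Full Access: this one the EMC can also set
Add-MailboxPermission -Identity $mailbox -User $group `
    -AccessRights FullAccess -InheritanceType All

# Send As: in Exchange Online only available through PowerShell
Add-RecipientPermission -Identity $mailbox -Trustee $group `
    -AccessRights SendAs -Confirm:$false

# Verify: an explicit (non-inherited) Full Access entry and a SendAs entry for the group
Get-MailboxPermission -Identity $mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -like "*$group*" } |
    Format-Table User, AccessRights -AutoSize
Get-RecipientPermission -Identity $mailbox -Trustee $group |
    Format-Table Trustee, AccessRights -AutoSize

Remove-PSSession $session
```

Keep in mind that after this the on-premises group membership is what controls who can read and send as the mailbox in the cloud: anyone who can add members to GG_Mailbox_Sales in AD gets that access after the next DirSync run, so lock down who may edit those groups and review their membership.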

Hope this helps!
It certainly made my life easier :).

1 comment:

  1. Great article and just the information I was looking for!