Preserving ‘Send on Behalf of’ permissions in Office 365

This blog post is intended to provide the information necessary for an Office 365 administrator to preserve ‘Send on Behalf of’ permissions.

In Office 365, the new Directory Synchronization tool (DirSync v2) now syncs many more attributes. One of which is the publicDelegates attribute. This is intended to allow a new customer migrating to Office 365 to retain the “Send on Behalf of’ permissions from on-premises and provide a seemless experience for end-users in this regard. The problem with this is 2-fold.

1. Users are allowed to modify their delegate permissions as a self-service action. This allows the Office 365 AD to become out of sync with the on-premises AD.

2. Unlike many other attributes that can be modified by users, the publicDelegates attribute responsible for this permission, is not written back to the on-premises AD. While a user will not necessarily be affected by this out-of-sync state, they WILL be affected when a DirSync v2 Full Sync is performed. When a Full Sync is performed, DirSync v2 will overwrite any O365 AD attribute with whatever is on-premises; the most user-impacting result is that, since this attribute is not in sync between local AD and O365’s AD, the new changes since the previous full sync will be overwritten, and users will find that they can no longer send as the other users they are required to do so for. A Full Sync is performed by DirSync v2 whenever it is either forced (by changing a registry key) or re-installed (such as a server failure or upgrade to the software).

In order to minimize the user-impact, it is recommended to backup/export the permissions prior to running a fully sync of DirSync v2 (especially for the first time post-transition from BPOS to O365) and then import the permissions after DirSync v2 has finalized.

Both of the following scripts are written assuming you are already connected to Office 365’s Exchange Online PowerShell endpoint. You can use the script in a previous blog post to accomplish this.

Script to Export (please be aware that the CSV is strictly for your records, the XML is the critical file for import):
## Script Start
get-mailbox -filter {grantSendOnBehalfTo -ne $null} | select userprincipalname, grantsendonbehalfto | export-clixml delegates.xml
get-mailbox -filter {grantSendOnBehalfTo -ne $null} | select userprincipalname, grantsendonbehalfto | export-csv delegates.csv
## Script End

Script to Import:
## Script Start
$logfile = “log-” + (get-date -uformat “%H%M-%Y%m%d”) +”.txt”
start-transcript $logfile

import-clixml delegates.xml | foreach{

“User: ” + $_.userprincipalname
foreach($i in $_.grantsendonbehalfto){

“GrantSendOnBehalfTo: ” + $i
set-mailbox -identity $_.userprincipalname -grantsendonbehalfto @{Add=$i}


“number of mailboxes with grantSendOnBehalfTo : ” + (get-mailbox -filter {grantSendOnBehalfTo -ne $null} ).count
## Script End

These will both need to be run EVERY time you run a full sync of DirSync v2.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: