Exchange Classic Full Hybrid – Not all Mailbox Permissions fully supported and Automapping
If you want to add mailbox folder permissions for an on-premises mailbox to a user in Exchange Online, you will run into the following error.
The user was found in Active Directory but isn’t valid to use for permissions.
Try an SMTP address instead.
Here I try to grant Editor access rights on the calendar folder of John Nokes's on-premises mailbox to the Exchange Online user John Doe, and run into this error.
Add-MailboxFolderPermission -Identity jnokes:calendar -User jdoe -AccessRights Editor
The user "John Doe" was found in Active Directory but isn't valid to use for permissions. Try an SMTP address instead.
The reason is that granting access to the content of a particular folder is not supported in hybrid environments.
To solve this issue, you can either move the mailbox with the calendar you want to share to Exchange Online as well, or grant Full Access to the whole mailbox, which by contrast is supported.
Besides the fact that Full Access to the whole mailbox is usually not desired, the user you grant Full Access to will also, by default, get this mailbox mapped into their Outlook profile, which is probably not desired either.
To prevent the mailbox from being mapped into the user's Outlook profile by default after granting Full Access, you can disable auto-mapping as follows.
Add-MailboxPermission -Identity jnokes -User jdoe -AccessRights FullAccess -Automapping $false
This command grants John Doe Full Access to John Nokes's mailbox but does not auto-map the mailbox into John Doe's Outlook profile.
After moving the mailbox to Exchange Online, you can log into Exchange Online and grant John Doe Editor access rights to John Nokes's calendar. This time it works, as both mailboxes reside in Exchange Online.
Import-Module ExchangeOnlineManagement
$credential = Get-Credential
Connect-ExchangeOnline -Credential $credential -ShowProgress $true
Add-MailboxFolderPermission -Identity jnokes:calendar -User jdoe -AccessRights Editor
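An added example, not part of the original post: once the mailbox is in Exchange Online, the Full Access workaround can be reviewed and replaced with the folder-level Editor right, so the delegate keeps only the calendar access that was originally wanted. It assumes an existing Connect-ExchangeOnline session and reuses the article's jnokes and jdoe; the variable names are illustrative.

```powershell
# Added example (not the author's code). Assumes Connect-ExchangeOnline has
# already been run and the jnokes mailbox has been moved to Exchange Online.
$Mailbox  = 'jnokes'                 # mailbox owner from the article
$Delegate = 'jdoe'                   # delegate from the article
$Folder   = "${Mailbox}:\Calendar"   # documented identity form: <mailbox>:\<folder>

# 1. Review every explicit (non-inherited) Full Access grant on the mailbox.
#    Built-in NT AUTHORITY entries such as SELF are filtered out.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object {
        -not $_.IsInherited -and
        -not $_.Deny -and
        ($_.AccessRights -like '*FullAccess*') -and
        ($_.User -notlike 'NT AUTHORITY\*')
    } |
    Format-Table Identity, User, AccessRights -AutoSize

# 2. Does the delegate still hold the Full Access workaround?
$fullAccess = Get-MailboxPermission -Identity $Mailbox -User $Delegate |
    Where-Object { -not $_.IsInherited -and ($_.AccessRights -like '*FullAccess*') }

if ($fullAccess) {
    # 3. Grant the narrower folder-level right first so access is never interrupted.
    $existing = Get-MailboxFolderPermission -Identity $Folder -User $Delegate `
        -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $Folder -User $Delegate -AccessRights Editor
    }
    else {
        Add-MailboxFolderPermission -Identity $Folder -User $Delegate -AccessRights Editor
    }

    # 4. Remove the mailbox-wide grant (the cmdlet asks for confirmation).
    Remove-MailboxPermission -Identity $Mailbox -User $Delegate -AccessRights FullAccess
}

# 5. Verify the end state: Editor on the calendar, no Full Access entry left.
Get-MailboxFolderPermission -Identity $Folder -User $Delegate
Get-MailboxPermission -Identity $Mailbox -User $Delegate
```

On mailboxes with a non-English regional setting the calendar folder has a localized name, so `$Folder` has to be adjusted accordingly.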
Mailbox permissions in hybrid environments
https://docs.microsoft.com/en-us/exchange/permissions#mailbox-permissions-in-hybrid-environments
Not all mailbox permissions are fully supported in an Exchange hybrid environment.
Mailbox permissions and capabilities NOT supported in hybrid environments
https://docs.microsoft.com/en-us/exchange/permissions#mailbox-permissions-and-capabilities-not-supported-in-hybrid-environments
Support for cross-premises mailbox permissions
https://docs.microsoft.com/en-us/exchange/exchange-hybrid?redirectedfrom=MSDN#exchange-hybrid-deployment-considerations
Get-OrganizationRelationship | fl
https://docs.microsoft.com/en-us/powershell/module/exchange/get-organizationrelationship
This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
Use the Get-OrganizationRelationship cmdlet to retrieve settings for an organization relationship that has been created for federated sharing with other federated Exchange organizations or for hybrid deployments with Exchange Online.
Outlook Auto-Mapping
To disable auto-mapping for a single user, you first have to remove the Full Access permission and then re-assign it as follows:
Remove-MailboxPermission -Identity jnokes -User jdoe -AccessRights FullAccess
Add-MailboxPermission -Identity jnokes -User jdoe -AccessRights FullAccess -Automapping $false
In Exchange Online, you can remove all auto-mapping Full Access rights for a mailbox as follows:
Remove-MailboxPermission -Identity jnokes -ClearAutoMapping
Links
Mailbox permissions in hybrid environments
https://docs.microsoft.com/en-us/exchange/permissions#mailbox-permissions-in-hybrid-environments
Cross Premise Calendar Sharing with Office 365
https://docs.microsoft.com/en-us/archive/blogs/matabra/cross-premise-calendar-sharing-with-office-365