Friday, August 18, 2017

Exchange 2010 / Online - cross organization permissions and access - PART 1

The subject of this blog post is cross organization permissions and access in an Exchange 2010 / Exchange Online hybrid environment. 

For my tests, I am using Exchange 2010 SP3 RU18 and Outlook 2010 SP2. I have the Exchange Online 1 Plan and a working hybrid environment (working to the extent that the hybrid configuration wizard completes successfully each time I run it). 

But first, why use Exchange 2010, a version that is approaching end of life? Because some organizations still use this version and I want to observe how Exchange Online and "Exchange Onsite" interacts in those circumstances.

Moreover, I am not using cached Exchange mode on the Outlook client. Please note: this is not recommended for access to mailboxes migrated to Exchange Online. However, many organizations implement virtual desktops which make the use of cached mode difficult (because of the potentially large .ost files), and especially if the desktops are "non-persistent". One of my objectives (not necessarily addressed in the present text) is to evaluate differences in access time with and without cached mode. I would not think this setting affects permissions in any way but switching to cached mode may be considered.


***


First scenarios: migrated user attempts to access on-premises elements.

  • Access mailbox of another user (still on-premises)
  • Access shared mailbox (on-premises)
  • Access calendar (on-premises)


We have a user named Aisha Bhari whose mailbox has already been migrated to Office 365. At this point, this is the only mailbox on Office 365. Every other mailbox remains on-premises.

We will test these scenarios:

Grant Aisha Bhari Full Permission access to on-premises mailbox of Alannah Shaw

Result: Aisha can add the mailbox but cannot expand the folders:


Note: "Use Cached Exchange Mode" is unchecked.




I attempted the following for troubleshooting:

  • Remove and re-add the mailbox? Still fails.
  • Wait a couple days for permissions to take effect? Still fails.



Grant Aisha Bhari access to the Finance shared mailbox through membership in a security group granted Full Access.

Can she access the shared mailbox?

No



What if we grant her permissions directly (bypassing the security group).

The attempt still fails.


Can Aisha Bhari access the calendar of Alannah Shaw?

She can open the calendar but only after 2-3 attempts.

Usually, on the first attempt, there is a delay when "connecting" and the attempt fails. We have to try until the connection is made, apparently within the timeout limit. This most likely is related to the greater latency when directly accessing mailboxes (and associated calendars) online.

Moreover, we can only see the indication "Busy" on the test meeting (but not even limited details):



Granting more permission has no effect.


Send calendar invite to Aisha Bhari

This fails. I cannot even send the invitation:







So something is not quite right.

I take some further troubleshooting steps.

Various sources indicate that the following updates for Outlook are necessary but it looks like they are already installed or not pertinent:

  • KB2956191 - already installed according to the installer
  • KB2965295 - "There are no products affected by this package installed on the system" according to the installer.
  • KB3114409 - "There are no products affected by this package installed on the system" according to the installer.


I used the Exchange Remote Connectivity Analyzer (EXRCA) which first failed because Outlook Anywhere was not enabled (it had been disabled for testing MAPI/HTTP with Outlook 2010). Once Outlook Anywhere was (re)enabled, the following EXRCA tests passed:
  • Outlook Connectivity
  • Outlook Autodiscover
  • Exchange Web Services

What effect did enabling Outlook Anywhere have on the cross organization permissions and access tested earlier?

At first nothing. Nothing changed and Aisha Bhari could still not access the resources in question.

Some time later, I retried and Aisha Bhari is now able to expand the mailbox of Alannah Shaw in her Outlook profile (Aisha Bhari's profile). In the past, I have observed that new Exchange permissions may need some time (even days) before taking effect. So I thought I would grant Aisha access to another mailbox (that of Alan Reid) and see if she could add it to her profile immediately (within minutes) and that was possible.

Moreover, Aisha is now able to see the meeting details of appointments in Alannah Shaw's calendar.

On the other hand, she still cannot add a shared mailbox or calendar to her profile (or even locate them in the GAL - only users appear).

Also, other users still cannot send her an invitation to view their calendar. Note: she belongs to a group that has "Publishing Editor" rights.

After some additional reflection, I realize the nature of the problem.

I use Azure AD Connect to synchronize users and groups to Office 365. I can see the synchronized users in the Office 365 Admin Center:


  

Because I filtered the objects to be synchronized to Office 365 by organizational unit (OU), only the users in the "ExchangeUsers" OU have been synchronized:




If I select the OU that contains the accounts associated with the shared mailboxes (no screenshot) and force synchronization, the shared mailboxes (and calendars) are now represented in Office 365:



The results are significant.

Aisha Bhari can not only access the mailbox of Alannah Shaw, as already stated...




But she can also open the Finance shared mailbox (now that we have synchronized the associated accounts to Office 365):




Moreover, Aisha can now locate and add the MktCal calendar...



She cannot open this appointment...




But that is due to lack of sufficient permissions rather than a faulty configuration of our hybrid environment:




When Aisha does have "Full Permission", she can view meeting details (in the calendar of Alannah Shaw)...



And in the FinCal calendar:




***

After some adjustments, our migrated user can access another user's mailbox, a shared mailbox and a calendar, all still located on-premises (and provided they have appropriate access rights to these resources of course). There is still much to test. We've looked at "Full Permission" but what about "Send As" and "Send on behalf of"? Also, access was granted after Aisha Bhari was migrated to Office 365. What about an on-premises user who already has access to other mailboxes and calendars? Will the permissions be retained after the migration of their mailbox? Lastly, what about users on-premises that attempt to access resources in the Cloud? These are scenarios that I plan to examine (not neccesarily in that order) in future blog posts.

References:

Understanding Hybrid Deployment Permissions with Exchange 2010 SP3

Exchange Hybrid Cross-Premises Mailbox Permissions Demystified (Part 1)

Outlook Anywhere must be enabled

Run Microsoft Exchange Hybrid for the long haul

At 1:14:00 in the video

1 comment:

  1. Note: Aisha Bhari was able to access the Finance shared mailbox after permissions were granted to her directly rather than through group membership. After these are revoked and Full Access is granted through a security group, she still can access the Finance shared mailbox

    ReplyDelete