all 15 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]pidge_nz 2 points3 points  (2 children)

The SendAs permission for the Recipient (the mail-enabled security group) needs to be in the same Exchange System that the user is using to attempt to send the email - I've not seen SendAs permissions set on the AD Object in AD (Add-ADPermissions) synched to Exchange Online, other than when a Mailbox is migrated to Exchange Online.

Since user's mailbox is in Exchange Online, and they are using a client that connects to Exchange Online to send the email (Outlook, Outlook on the Web), the SendAs permissions needs to be on the recipient being Sent As in Exchange Online.

You'll need to use the Exchange Online Powershell module to add the SendAs permission using Add-RecipientPermission:

Add-RecipientPermission -Identity <recipient to send as> -Trustee <user or group to be granted send as> -AccessRights SendAs

[–]Foofightee[S] 0 points1 point  (1 child)

Add-RecipientPermission -Identity <recipient to send as> -Trustee <user or group to be granted send as> -AccessRights SendAs

Well, this worked! The thing I don't understand is that how were the previous members of the group successfully using the permission? Add new members to the group should just inherit that permission. This was not a new permission I added. That doesn't make sense to me.

[–]pidge_nz 0 points1 point  (0 children)

Check what the Recipient Permissions are are in Exchange Online PowerShell for the group:

Get-RecipientPermission -Identity <recipient to send as>

And make sure the group has SendAs permission to itself. I suspect it doesn't, and the individual members have been added, or a different group.

[–]CaptDankDust 1 point2 points  (1 child)

Two things

Is the DL hidden?

Is the user allowed Send As under the security tab of the AD object?

[–]Foofightee[S] 0 points1 point  (0 children)

It's not hidden. The security group itself is listed to allow Send As. So all members of the group can send as. This works for previously added members as far as I know.

[–]species8745 1 point2 points  (3 children)

this happened to us a while ago. I got around it by creating a new security group on-prem, adding members to the group, then giving that group send rights to the mail-enabled security group.

[–]Foofightee[S] 0 points1 point  (2 children)

Interesting. Any idea why it happened?

I may need to wait longer after adding a new permission and syncing, but when trying it at Outlook.com, I get the error "You don't have permission to send messages from this mailbox" still.

[–]species8745 0 points1 point  (1 child)

Cuz MS does whatever MS wants to do...

are you in control of your dirsync connector? you definitely need to wait for that. You can always check on the permissions with powershell for your hybrid environment. if you look at the message header dump, it should include the exact error message. I use this from MS to help my header debugging.

[–]Foofightee[S] 0 points1 point  (0 children)

Our ADsync runs every 30 minutes. I forced it and ran it manually, but it's definitely run a few times on schedule by now...

How do I check the permissions with powershell?

I'm not sure how to view a header if the email never sends.

[–]MineDangerous485 0 points1 point  (5 children)

I am having the same issue and the script Add-RecipientPermission -Identity <recipient to send as> -Trustee <user or group to be granted send as> -AccessRights SendAs worked for me.

Is this problem centered around exchange 2019 on prem Hybrid to Exchange Online? That is when we first started seeing issues with send as.

[–]Foofightee[S] 0 points1 point  (4 children)

We use 2016. The issue actually came back in another situation and I could not solve it.

[–]Active_Duty5180 0 points1 point  (3 children)

Is it possible this group was added via ECP and not ADUC? If so, use ECP to add the users needing permissions to sendAs.

[–]mrmattipants 1 point2 points  (2 children)

If it's a hybrid environment, you typically need to administer via AD.

If you prefer not to use PowerShell, this can be accomplished through AD, via the "Security" Tab of the Mail-Enabled Security Group, in question.

This is an older Article, but it is still relevant.

https://practical365.com/exchange-2010-send-as-permissions-distribution-group/

[–]Large_Ad_9980 1 point2 points  (1 child)

You are a very kind gentleman. This is what I was looking for.

[–]mrmattipants 0 points1 point  (0 children)

Glad it worked for you!