In Exchange Server and Microsoft 365 (Exchange Online), you can give users permission to send email on behalf of another user or mailbox. In this article, we'll look at how to grant send as/send on behalf rights through the Exchange Admin Center and using PowerShell.
- There are two types of permissions in Exchange to send on behalf of another mailbox or group:Send as - allow the user to send emails from another mailbox. The recipient in this one does not see that in fact the letter was sent to him by another user;
- Send on behalf - the rights are similar to Send-As, but when sending, the real sender of the letter is shown in the From field. In the screenshot below from Outlook, you can see that user AAA sent an email on behalf of the BBB mailbox (aaa@email.io on behalf of bbb@email.io).
Grant Send as rights in Exchange Server.
In on-prem Exchange Server 2019, 2016, 2013, you can grant mailbox rights through the Exchange Admin Center.
- Log in to ECP: https://exchange1/ecp;
- Go to the section Recipients -> Mailboxes -> find the user's mailbox to which you want to grant rights;
- Open the user properties and go to the Mailbox Delegation tab ;
- Here you can give another user the SendAs or SendOnBehalf rights by adding their account to the appropriate section.
If you grant the user the Send as and Send on behalf rights at the same time, Send as will be used by default when sending emails.
Similarly, you can grant rights to send on behalf of a distribution group and mail enabled security groups (tab group delegation).
You can grant send as permissions using PowerShell. To do this, start the EMS console or connect to your Exchange server remotely from the PowerShell console.
To grant SendAs rights, run the command (rights are assigned at the account level in Active Directory, they can also be configured manually on the Security tab in the user properties in the ADUC console):
Get-Mailbox secretar@site.io | Add-ADPermission -User kbuldogov@site.io -ExtendedRights "Send As"To grant the SendOnBehalf right, another command is used:
Set-Mailbox -Identity secretar@site.io -GrantSendOnBehalfTo kbuldogov@site.io
The previous command clears the current access list and adds only the new account to it. If you want to add a new user to the SendOnBehalf access list, run:
Set-Mailbox secretar@site.io -GrantSendOnBehalfTo @{Add="kbuldogov@site.io"}
You can grant send permissions to all mailboxes in a specific Organizational Unit in Active Directory:
Get-Mailbox | Where {$_.DistinguishedName -like "*OU=Service,OU=MSK,DC=site,DC=io*"} | Set-Mailbox -GrantSendOnBehalfTo @{add="User1","User2"}
If you want to grant rights to send on behalf of an Exchange distribution group, use a different command:
Set-DistributionGroup -Identity msk_admins@site.io -GrantSendOnBehalfTo @{Add="kbuldogov@site.io"}
To grant send rights on behalf of a dynamic distribution group:
Set-DynamicDistributionGroup "IT_DeptUsers" -GrantSendOnBehalfTo @{Add="kbuldogov@site.io"}
To send an email on behalf of another mailbox in Outlook or OWA, you need to add a From field to the interface. After that, when creating a new letter, you need to select from the drop-down list on behalf of which mailbox you want to send (for the first time you need to select a user from the address book manually).
On on-premises Exchange Server, you may have to wait up to two hours for customizations to propagate, or you may have to restart the Exchange Information Store service.
If when sending about the name of another mailbox you receive a bumper:
You do not have permission to send to this recipient. For assistance, contact your system administrator
or
You can't send a message on behalf of this user unless you have permission to do so. You cannot send a message on behalf of this user without the appropriate permission.
Try:
- Try to send an email on behalf of a mailbox from OWA;
- If sending from OWA works, try deleting Offline Address Boot (OAB, C:\Users\%username%\AppData\Local\Microsoft\Outlook\Offline Address Books) while Outlook is off.
Send email on behalf of Microsoft 365 (Exchange Online).
In Exchange Online, you can grant send on behalf of a mailbox or distribution group using the Exchange Admin Center.- Go to the Recipients section , select Mailboxes (or Groups );
- Find the box to which you want to grant rights;
- Open the mailbox settings, go to the Settings tab and select Edit manage delegates;
- Then select the user you want to grant access to and the type of permissions (Send as or Send on behalf).
You can also grant sendas rights to Exchage Online using PowerShell. Connect to your Micorosft 365 tenant using the Exchange Online PowerShell (EXO) module:
Connect-ExchangeOnline -UserPrincipalName my@site.onmicrosoft.com -ShowProgress $true
To allow a user to send email on behalf of a distribution group, use the Add-RecipientPermission cmdlet:
Add-RecipientPermission <GroupName> -Trustee <MailboxName> -AccessRights SendAs
To give a user rights to send mail (Send As) on behalf of a distribution group:
Get-DistributionGroup -Identity global_server_admins | Add-RecipientPermission -AccessRights SendAs -Trustee my
To grant the SendOnBehalf right to a userbox, run:
Get-Mailbox maxadm | Set-Mailbox -GrantSendOnBehalfTo HenriettaMTo grant send rights on behalf of a Microsoft365 group:
Set-UnifiedGroup msteams_cc294d -GrantSendOnBehalfTo maxadmGet a report with a list of users who have SendOnBehalf rights to the specified mailbox:
Get-Mailbox maxadm | Where {$_.GrantSendOnBehalfTo -ne $null} | Select UserprincipalName,GrantSendOnBehalfTo
Display a list of users with SendAs rights on the mailbox:
Get-RecipientPermission maxadm
Find all mailboxes in the organization that have SendAs permissions for the specified user:
Get-Recipient | Get-RecipientPermission -Trustee HenriM@site.onmicrosoft.com | Select Identity, Trustee, AccessRights
To remove SendAs rights on a mailbox, use the Remove-RecipientPermission cmdlet:
Get-Recipient maxadm | Remove-RecipientPermission -AccessRights SendAs –Trustee HenriettaM@site.onmicrosoft.com