Full Mailbox Access Rights + Send On Behalf = Send As ?
Update 21.08.2015: as of Exchange 2010 SP3 Ru8 this is not valid anymore.
More Info here: https://support.microsoft.com/en-us/kb/2987104
The following is valid for Exchange 2007 and Exchange 2010.
Consider the following Scenario:
We have two Users: User A (UserA@mp3.lol) and User B (UserB@mp3.lol).
You grant User B Full Access Permission for User A’s Mailbox:
Additionally you grant User B also Send on Behalf Rights for User A’s Mailbox:
Now User B should be able to Send On Behalf of User A, right?
Right! Or at least 50% right…
User B configures an Outlook Profile for User A, using his credentials.
Now User B tries to send an Email to User C for example. You would expect that User C receives an Email from “User B on behalf of User A”.
When you check the Inbox of User C, the Email appears to have come directly from User A. This means that User B actually Sent an Email As User A.
The same happens if User B logs into OWA and opens the Mailbox of User A, sends an Email to User C, here you also observe the the Emails comes from User A and not from User B on Behalf of User A.
You scratch your head, check this behavior maybe once or twice and say: let me check the Send As Permissions for User A’s Mailbox…Surprize!
User B isn’t listed in the Send As Permissions of User A’s Mailbox:
So, how can User B Send As User A without Send As Permissions ?
This behavior is an expected behavior since Exchange 2003 and is also present in Exchange 2007 and Exchange 2010.
There has been a change in Exchange 2003 to the Send As permission behavior.
https://support.microsoft.com/kb/895949 - “Send As” permission behavior change in Exchange 2003
Article states:
“Prior to this change, any user with the “Full Mailbox Access” permission for a mailbox also had the ability to “Send As” the mailbox owner.”
If you scroll down in this Article, you will find under the More Information section the following:
There are three exceptions to the new “Send As” behavior for:
- A mailbox owner
- The associated external account mailbox
- A delegate of the mailbox owner
If any of these three accounts have “Full Mailbox Access” permission, they can send as the owner without explicit "Send As" permission. A mailbox owner and the associated external account both have “Full Mailbox Access” permission by default, while delegate accounts do not.
Back to our original description, we added Full Mailbox Access Permissions and Send On Behalf permissions for User B to User A’s Mailbox, which also explains why we can actually Send As User A. We run in the third exception here, where User B also became a delegate for User A ( when we granted the Send On Behalf Permissions ).
Now, how do you actually Send On Behalf ?
It’s simple, you should only instruct User B to do the following:
Outlook:
Compose a new Email, click the Options tab, and make the From Field visible. Now go back to your Email and choose From : User A
Now, when sending out the Email to User C, it will appear to be coming from User B on Behalf of User A.
OWA:
User B should not open User A’s Mailbox. He should just go into Options, choose Show From, Choose From: User A
Now, when sending out the Email to User C, it will appear to be coming from User B on Behalf of User A.
Comments
Anonymous
July 19, 2012
Great write up! Clears up a few things. So when is the Send-As permission used by itself? I'll keep digging and try to find out.Anonymous
November 15, 2012
Good job bro....Hats off for clearing this up...Anonymous
January 17, 2013
The comment has been removedAnonymous
October 10, 2013
superb!!!!!!!!!!!!!!!!!!!!!!!!!!! really helped me to understand this. thks a lot.Anonymous
December 11, 2014
It's nice to see clear explanations with great examples!Anonymous
December 30, 2014
I recently had a case where we encountered an "issue" where users granted full mailbox accessAnonymous
January 29, 2015
Outlook 2010 - additional Mailbox added - Mails are "sent as", instead of "sent on behalf of"
http://support.microsoft.com/kb/2986475 - Updaterollup 8 for Exchange Server 2010 Service Pack 3 (Search for “2987104” on this site)Anonymous
January 29, 2015
Outlook 2010 - additional Mailbox added - Mails are "sent as", instead of "sent on behalf of"
http://support.microsoft.com/kb/2986475 - Updaterollup 8 for Exchange Server 2010 Service Pack 3 (Search for “2987104” on this site)