Enabling Cross-premises delegate access

Question

I am trying to enable cross-premises delegate access in my organization (specifically folder level permission), but my experience is not matching what I have seen documented and was hoping others might have ran into this already.

From my understanding, in order to allow a cloud user to add an on-premises user as a delegate, you simply need to set the following on-prem:

Set-OrganizationConfig -ACLableSyncedObjectEnabled $true

And to enable on-prem users to add a cloud user as a delegate you simply need to do this for every user that was migrated prior to setting 'ACLableSyncedObjectEnabled' to $true:

Get-RemoteMailbox | ForEach { Get-AdUser -Identity $_.Guid | Set-ADObject -Replace @{msExchRecipientDisplayType=-1073741818}}

However, what I am finding is that while the second thing is working (on-prem users can add cloud users as delegates), the first is not (cloud users still can't assign delegate permissions to an on-prem user). If you try the users still appear in the GAL like:

And trying to add them as a delegate results in:

non-local users cannot be given rights on this server.

Is there an undocumented requirement somewhere that I am missing?

We are currently running Exchange 2013 CU19 on-premises.

mitch king · Answer

https://support.microsoft.com/en-gb/help/4051497/a-remote-mailbox-created-in-on-premises-active-directory-is-not

marc pituley · Answer

&nbsp;Yeah I have seen that already and have&nbsp;set&nbsp;msExchRecipientDisplayType on&nbsp;all migrated mailboxes, and that works for allowing on-premises users&nbsp;to add a cloud mailbox user as a delegate.However, my problem is the reverse.&nbsp; A cloud mailbox user is not able to add an on-premises user as a delegate.

andy david · Answer

It may not be enabled in your tenant yet. You cant enable it yourself in 365.
&nbsp;
Set-OrganizationConfig -ACLableSyncedObjectEnabled $true
&nbsp;
applies to on-prem only, not Office 365

connan_olufson · Answer

Is the way to check if your tenant has been enabled to run Get-OrganizationConfig from Exchange Online PowerShell and look for the value of&nbsp;ACLableSyncedObjectEnabled?&nbsp; It was set to false for my organization when I last checked.My organization has the same problem as Marc's (on-prem users can add cloud users as delegates; cloud users still can't assign delegate permissions to an on-prem user).Is there an updated timeline for the roll out, I believe that I read that it should have been completed by April?

andy david · Answer

If the on-prem mailboxes no longer have that red slash over them when adding as delegates, then you know your tenant is enabled. :)&nbsp; I know that sounds snide, but its not meant to be, its realty the only true indicator.&nbsp; If that isn't true for you, you could always open a case with 365 and ask them to check on it / enable it.

Forum Discussion

Enabling Cross-premises delegate access

10 Replies

Resources