Send as delegates for M365 Group members

Brass Contributor

I have been researching (google) for about a week now to find an answer to this and am surprised by the lack of discussion or articles about this topic.  What we are trying to do with several M365 groups is make it so that all members get send as permission by default (send on behalf of permissions would suffice as well).  But it seems there is no way to automate this.  The group owners can add the members but the members are not getting the delegated access to send as or on behalf of. 


I have tried a work around by using the powershell command set-unifiedgroup -grandsendonbehalfof  and add the group address; so that way the group would get sendonbehalfof to itself but this did not result in the delegation going down to the members of the group.  


Does anyone know a way to accomplish this?  it seems like it would be something pretty straight forward but I have not found an answer yet.  

5 Replies
M365 Groups are not security principals, so you cannot use them to delegate permissions in this scenario. You will have to grant permissions to each of the members, individually.
Thanks, I would have thought that by adding the group the delegation would distribute to the members who are security principals; but it is not able to do that kind of distributed delegation

Having no way to automatically give send as delegation seems strange to me. I would have thought this would be a common ask but am finding very little discussion on the topic.



It may not support, how about Distribution Group?

You can do that, but with a group that is a valid security principal. Such as mail-enabled security groups. For M365 groups, this is still work in progress.
It does seem the only option that will work is a mail-enabled security group. But that sort of defeats the purpose of trying to make the members of the group send as delegates by default. I would have to add them manually to the 2nd mail enabled security group. Which means that when the owners of the group add members they still cannot update the send as permission on their own.

And you can't do embedded group membership either; I don't think. So I can't create a mail-enabled security group and then add the 1st M365 group as a member of the 2nd mail enabled security group.

I will think on this more.