Exchange mailbox permission
Send As takes precedence over Send On Behalf if both are granted
Send To
Managed using a list of DNs in the authOrig property on mailbox and distribution group AD objects.
If the user does not already have at least one value assigned to authOrig, it will not be editable in ADUC/ADAC. Maybe the type is not set in the schema, so the snap-in can't initialize it, or it just doesn't support the DN type. PowerShell or ECP has to be used in these cases.
# `ExchangePowerShell` module/Exchange snap-in
# mailbox
Set-Mailbox target -AcceptMessagesOnlyFrom @{Add="user@example.com"}
# distribution list
Set-DistributionGroup target -AcceptMessagesOnlyFrom @{Add="user@example.com"}
# `ActiveDirectory` module (on-prem only)
# note: -Replace overwrites any existing authOrig values with the single DN given
# mailbox
Set-ADUser target -Replace @{authOrig=(Get-ADUser user).DistinguishedName}
# distribution list
Set-ADGroup target -Replace @{authOrig=(Get-ADUser user).DistinguishedName}
Send As
Send As is an extended-right ACE set on AD objects.
# `ExchangePowerShell` module/Exchange snap-in
Add-RecipientPermission target -Trustee user -AccessRights SendAs
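# Exchange Management Shell (on-prem only; `Add-ADPermission` is an Exchange cmdlet, not part of the `ActiveDirectory` module)
# the mailbox is the identity, the trustee goes in -User
Add-ADPermission target -User user -ExtendedRights "Send As"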
On-prem Exchange objects can be modified in ADUC.
Send On Behalf
Managed using a list of DNs in the publicDelegates property on AD objects.[1]
# `ExchangePowerShell` module/Exchange snap-in
# mailbox
Set-Mailbox target -GrantSendOnBehalfTo @{Add="user@example.com"}
# distribution list
Set-DistributionGroup target -GrantSendOnBehalfTo @{Add="user@example.com"}
Full Access
Managed as a list of DNs in the msExchDelegateListLink property on AD objects.[1]
# `ExchangePowerShell` module/Exchange snap-in
Add-MailboxPermission target -User user -AccessRights FullAccess -InheritanceType All
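For reviewing what has been granted on a mailbox, the following added example (not part of the original page) merges the three delegation types into one row per trustee and applies the precedence rule stated at the top. The function name `Get-DelegationSummary` is hypothetical, the input rows are shaped like the output of `Get-RecipientPermission`, `(Get-Mailbox).GrantSendOnBehalfTo` and `Get-MailboxPermission`, and it assumes trustee identifiers have been normalized to the same form across the three sources.

```powershell
function Get-DelegationSummary {
    param(
        [object[]]$SendAs       = @(),  # rows shaped like Get-RecipientPermission output
        [string[]]$SendOnBehalf = @(),  # values of (Get-Mailbox).GrantSendOnBehalfTo
        [object[]]$FullAccess   = @()   # rows shaped like Get-MailboxPermission output
    )
    $self = 'NT AUTHORITY\SELF'         # the mailbox's own entry, not a delegation
    $rows = @{}                         # keyed by trustee (case-insensitive)
    $mark = {
        param([string]$Name, [string]$Right)
        if (-not $Name -or $Name -eq $self) { return }
        if (-not $rows.ContainsKey($Name)) {
            $rows[$Name] = [pscustomobject]@{
                Trustee = $Name; SendAs = $false; SendOnBehalf = $false
                FullAccess = $false; EffectiveSend = 'None' }
        }
        $rows[$Name].$Right = $true
    }
    # Count only allow entries that actually carry the right in question.
    foreach ($r in $SendAs) {
        if ($r.AccessControlType -eq 'Allow' -and $r.AccessRights -contains 'SendAs') { & $mark $r.Trustee 'SendAs' }
    }
    foreach ($d in $SendOnBehalf) { & $mark $d 'SendOnBehalf' }
    foreach ($r in $FullAccess) {
        if (-not $r.Deny -and $r.AccessRights -contains 'FullAccess') { & $mark $r.User 'FullAccess' }
    }
    foreach ($row in $rows.Values) {
        # Send As takes precedence over Send On Behalf if both are granted.
        if ($row.SendAs) {
            $row.EffectiveSend = 'SendAs'
        } elseif ($row.SendOnBehalf) {
            $row.EffectiveSend = 'SendOnBehalf'
        }
    }
    $rows.Values | Sort-Object Trustee
}

# Constructed sample data (not from a real environment).
$sample = @{
    SendAs = @(
        [pscustomobject]@{ Trustee = 'alice@example.com'; AccessControlType = 'Allow'; AccessRights = @('SendAs') }
        [pscustomobject]@{ Trustee = 'dave@example.com';  AccessControlType = 'Deny';  AccessRights = @('SendAs') }
    )
    SendOnBehalf = @('alice@example.com', 'bob@example.com')
    FullAccess = @(
        [pscustomobject]@{ User = 'carol@example.com'; Deny = $false; AccessRights = @('FullAccess') }
    )
}
Get-DelegationSummary @sample | Format-Table -AutoSize
```

Against a live environment, pass the output of the three cmdlets named above for the mailbox under review in place of the constructed sample.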