---
tags:
  - "⭐topic/\U0001F4BEsoftware/exchange"
  - "\U0001F6A9purpose/ℹ️documentation"
  - "⭐topic/\U0001F4BEsoftware/windows/server/active-directory"
---

# Exchange mailbox permission

> [!warning] Send As takes precedence over Send On Behalf if both are granted

# Send To

Managed using a list of DNs in the `authOrig` property on mailbox and distribution group AD objects.

> [!bug] If the user does not already have at least one value assigned to `authOrig`, it will not be editable in ADUC/ADAC.
> Maybe the type is not set in the schema, so the snap-in can’t initialize it, or it just doesn’t support the DN type. PowerShell or ECP has to be used in these cases.

```powershell
# `ExchangePowerShell` module/Exchange snap-in
# mailbox
Set-Mailbox target -AcceptMessagesOnlyFrom @{Add="user@example.com"}
# distribution list
Set-DistributionGroup target -AcceptMessagesOnlyFrom @{Add="user@example.com"}

# `ActiveDirectory` module (on-prem only)
# -Replace overwrites any existing authOrig values; use -Add to append instead
# mailbox
Set-ADUser target -Replace @{authOrig=(Get-ADUser user).DistinguishedName}
# distribution list
Set-ADGroup target -Replace @{authOrig=(Get-ADUser user).DistinguishedName}
```

# Send As

*Send as* is an extended [ACE](https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-entries) set on AD objects.
```powershell
# `ExchangePowerShell` module/Exchange snap-in
Add-RecipientPermission target -Trustee user -AccessRights SendAs

# On-prem Exchange Management Shell only
# (`Add-ADPermission` is an Exchange cmdlet, not part of the `ActiveDirectory` module)
# Identity is the object being sent as; -User is the trustee receiving the right
Add-ADPermission target -User user -ExtendedRights "Send As"
```

On-prem Exchange objects can be modified in ADUC:

![](../assets/Exchange%20Send%20As%20ADUC%20example.png)

# Send On Behalf

Managed using a list of DNs in the `publicDelegates` property on AD objects.[^1]

```powershell
# `ExchangePowerShell` module/Exchange snap-in
# mailbox
Set-Mailbox target -GrantSendOnBehalfTo @{Add="user@example.com"}
# distribution list
Set-DistributionGroup target -GrantSendOnBehalfTo @{Add="user@example.com"}
```

# Full Access

Managed as a list of DNs in the `msExchDelegateListLink` property on AD objects.[^1]

```powershell
# `ExchangePowerShell` module/Exchange snap-in
Add-MailboxPermission target -User user -AccessRights FullAccess -InheritanceType All
```

# Research

- [Add-MailboxPermission (ExchangePowerShell) | Microsoft Learn](https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission)
- [Add-RecipientPermission (ExchangePowerShell) | Microsoft Learn](https://learn.microsoft.com/en-us/powershell/module/exchange/add-recipientpermission)
- [Manage permissions for recipients in Exchange Online | Microsoft Learn](https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-permissions-for-recipients)
- [Granting Send As and Send on Behalf Permissions in Exchange Server/Microsoft 365 | Windows OS Hub](https://woshub.com/sendas-send-onbehalf-permissions-exchange/)

[^1]: [https://social.technet.microsoft.com/Forums/exchange/en-US/d11a35f4-3f1a-4d96-a549-9c2f0f7df549/which-ad-attributes-are-use-to-store-sendas-fullaccess-permissions-and-calendar-permissions](https://social.technet.microsoft.com/Forums/exchange/en-US/d11a35f4-3f1a-4d96-a549-9c2f0f7df549/which-ad-attributes-are-use-to-store-sendas-fullaccess-permissions-and-calendar-permissions)
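
To review what the grant commands in this note have left behind on a mailbox, the following added example (not part of the original note) reports the Send As, Send On Behalf and Full Access trustees for one mailbox and shows which send right takes effect per trustee. It assumes an ExchangePowerShell session is already open, for example via `Connect-ExchangeOnline`; `Get-MailboxDelegation` and `Resolve-Trustee` are hypothetical helper names.

```powershell
# Added example, not from the original note. Assumes an ExchangePowerShell
# session is already open (for example via Connect-ExchangeOnline).
# Get-MailboxDelegation and Resolve-Trustee are hypothetical names.
function Get-MailboxDelegation {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Identity)
    begin {
        # The cmdlets return trustees in different formats, so map each to its
        # primary SMTP address. Values that do not resolve (for example an
        # orphaned SID) are reported unchanged.
        function Resolve-Trustee([string]$Name) {
            $r = Get-Recipient -Identity $Name -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($r) { [string]$r.PrimarySmtpAddress } else { $Name }
        }
    }
    process {
        $found = [ordered]@{
            # Send As: extended right on the recipient object (allow entries)
            SendAs = @(Get-RecipientPermission -Identity $Identity -AccessRights SendAs |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                    $_.Trustee -notlike 'NT AUTHORITY\*' } |
                ForEach-Object { Resolve-Trustee $_.Trustee })
            # Send On Behalf: delegate list on the mailbox
            SendOnBehalf = @((Get-Mailbox -Identity $Identity).GrantSendOnBehalfTo |
                Where-Object { $_ } | ForEach-Object { Resolve-Trustee $_ })
            # Full Access: explicit (non-inherited) allow entries only
            FullAccess = @(Get-MailboxPermission -Identity $Identity |
                Where-Object { $_.AccessRights -contains 'FullAccess' -and
                    -not $_.IsInherited -and -not $_.Deny -and
                    $_.User -notlike 'NT AUTHORITY\*' } |
                ForEach-Object { Resolve-Trustee $_.User })
        }
        $trustees = $found.Values | ForEach-Object { $_ } | Sort-Object -Unique
        foreach ($t in $trustees) {
            $rights = @($found.Keys | Where-Object { $found[$_] -contains $t })
            # Send As takes precedence when both send rights are granted
            $mode = if ($rights -contains 'SendAs') { 'SendAs' }
                    elseif ($rights -contains 'SendOnBehalf') { 'SendOnBehalf' }
                    else { 'None' }
            [pscustomobject]@{
                Mailbox = $Identity; Trustee = $t
                Rights  = $rights -join ','; SendMode = $mode
            }
        }
    }
}
```

Each output row is one trustee; rows whose `Rights` column lists more than one value are the delegations worth reviewing first.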