Script repository

Synchronize Send As permissions from Exchange on-premises to Exchange Online for distribution list

Updated on: Jan 18, 2026, Views: 4048

Exchange

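The script replaces the Send As permissions of a distribution list (mail-enabled group) in Exchange Online with those the same distribution list has in Exchange on-premises. Existing Send As permissions in Exchange Online are removed before the on-premises ones are granted, so permissions that were assigned only in Exchange Online are not kept. If the distribution list has no Send As trustees in Exchange on-premises, the script exits without changing anything in Exchange Online. To execute the script, create a business rule, custom command or scheduled task configured for the Group object type.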

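Only permissions of users who already have a Microsoft 365 (Office 365) account will be processed. Trustees that are not user accounts (for example, groups or well-known security principals) are skipped.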

# Resolve the group's Exchange Online object ID from the
# adm-O365ExchangeObjectId property. Any failure here (the property cannot be
# read, or its value does not cast to a GUID) is reported as the group not
# being mail-enabled in Microsoft 365, and the script ends before anything is
# changed.
$groupExchangeId = $null
try
{
    $rawExchangeId = $Context.TargetObject.Get("adm-O365ExchangeObjectId")
    $groupExchangeId = [Guid]$rawExchangeId
}
catch
{
    $Context.LogMessage("The group is not mail-enabled in Microsoft 365", "Warning")
    return
}

# Read the 'Send As' trustee list that the group has in Exchange on-premises.
$groupParams = $Context.TargetObject.GetMailParameters()
$sendAs = $groupParams.SendAs

# Nothing to copy: stop here. The script exits before it connects to Exchange
# Online, so Send As permissions that already exist there are left in place.
# NOTE(review): if every on-premises trustee was revoked on purpose, the
# Exchange Online grants stay behind - confirm this is the intended behavior.
$hasNoOnPremTrustees = ($sendAs.Count -eq 0)
if ($hasNoOnPremTrustees)
{
    return
}

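# Build the list of Microsoft 365 object IDs for the on-premises 'Send As'
# trustees that can be carried over to Exchange Online. An entry is kept only
# if it has a SID, is not a well-known security principal, binds to a directory
# object of class "user", and that user is mailbox-enabled with the mailbox
# located in Microsoft 365. Every other entry is skipped.
$sendAsTrustees = @()
for ($i = 0; $i -lt $sendAs.Count; $i++)
{
    $entry = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    $sid = $entry.ObjectSid
    if ([System.String]::IsNullOrEmpty($sid))
    {
        continue
    }

    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sid))
    {
        continue
    }

    # Entries whose SID cannot be bound to a directory object are skipped.
    try
    {
        $trustee = $Context.BindToObject("Adaxes://<SID=$sid>")
    }
    catch
    {
        continue
    }

    # Only user accounts are carried over; other object classes are dropped.
    if ($trustee.Class -ne "user")
    {
        continue
    }

    $isMailboxEnabled = ($trustee.RecipientType -eq "ADM_EXCHANGERECIPIENTTYPE_MAILBOXENABLED")
    $isInMicrosoft365 = ($trustee.RecipientLocation -eq "ADM_EXCHANGERECIPIENTLOCATION_OFFICE365")
    if (-not ($isMailboxEnabled -and $isInMicrosoft365))
    {
        continue
    }

    # Get the trustee's object ID in Microsoft 365. The read and the GUID cast
    # are guarded: if they fail and the script carries on with the next
    # statement, $objectId would still hold the previous iteration's value (or
    # nothing at all), and Send As would be granted to the wrong entry. Such a
    # trustee is reported and skipped instead.
    try
    {
        $objectId = [Guid]$trustee.Get("adm-AzureId")
    }
    catch
    {
        $Context.LogMessage("Send As trustee with SID $sid was skipped: its Microsoft 365 object ID could not be read", "Warning")
        continue
    }

    $sendAsTrustees += $objectId.ToString()
}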

# Connect to Exchange Online.
$Context.CloudServices.ConnectExchangeOnline()

# The group is addressed by its Exchange Online object ID in every call below.
$groupIdentity = $groupExchangeId.ToString()

# Read the recipient permissions the group currently has in Exchange Online.
$groupPermissions = Get-RecipientPermission -Identity $groupIdentity

# Revoke Send As from every trustee returned above. Nothing is compared with
# the on-premises list: all current entries are removed, and the wanted ones
# are granted again afterwards. Between the two loops the group has no Send As
# trustees, and if the script stops part-way, the group is left in that state.
# -Confirm:$False suppresses the confirmation prompt so the script can run
# unattended.
# NOTE(review): entries are not filtered by IsInherited or AccessControlType
# before removal - confirm that this is acceptable for the groups in scope.
foreach ($permission in $groupPermissions)
{
    Remove-RecipientPermission -Identity $groupIdentity -Trustee $permission.Trustee -AccessRights SendAs -Confirm:$False
}

# Grant Send As to each Microsoft 365 object ID collected from the on-premises
# trustee list. Send As lets the trustee send mail that appears to come from
# the group, so these changes should be visible in the audit trail.
foreach ($id in $sendAsTrustees)
{
    Add-RecipientPermission -Identity $groupIdentity -Trustee $id -AccessRights SendAs -Confirm:$False
}
