SendAs and SendOnBehalfOf with Exchange Online via PowerShell
Sometimes receiving department messages through distribution groups is not enough: users also need to answer them, or write new ones, from the department address rather than from their personally assigned mailbox. For that, Microsoft provides two permissions that we can manage with PowerShell cmdlets: SendAs and SendOnBehalfOf.
So let's begin with the differences between them:
SendAs: It lets us send messages using the department address (e.g. administration@contoso.com) from the personally assigned mailbox (e.g. user@contoso.com); this way, the recipient will receive the message with the department name as the sender.
This method is really useful in situations where we have two personal addresses inside the organization (e.g. an alias) and don't want to spend on another license for a new mailbox…
Also, if we want to set a rule where the personally assigned mailbox cannot send messages outside the organization unless the message is sent using the department address, this method is the solution.
SendOnBehalfOf: It lets us send messages on behalf of the company department (e.g. user@contoso.com on behalf of administration@contoso.com); this way, the recipient will receive the message with the sender shown as "User on behalf of department" (e.g. John Summer on behalf of Contoso Administration Department).
This method is really useful when we want the recipient to know who inside the department sent the message or wrote the reply, and want the whole department to receive the answer when the recipient replies.
Now that this is clear, let's go through the process for both methods. Keep in mind that, to do so, our PowerShell environment must be prepared for administering Office 365 services…
SendAs
- For use with one specific user:
# Prompt for admin credentials and open the remote Exchange Online session
$LIveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LIveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Add-RecipientPermission department@contoso.com -AccessRights SendAs -Trustee user@contoso.com -Confirm:$false
- For use with Security or Distribution Groups:
Add-RecipientPermission department@contoso.com -AccessRights SendAs -Trustee group@contoso.com -Confirm:$false
- Viewing the SendAs permissions applied on the organization:
Get-RecipientPermission | where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'null sid')}
- Viewing the SendAs permissions applied to a specific user:
Get-RecipientPermission -Trustee User@contoso.com
- Revoke SendAs permissions to a specific user:
Remove-RecipientPermission department@contoso.com -AccessRights SendAs -Trustee user@contoso.com
SendOnBehalfOf
- For use with one specific user:
# Prompt for admin credentials and open the remote Exchange Online session
$LIveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LIveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Set-DistributionGroup Department@contoso.com -GrantSendOnBehalfTo user@contoso.com
The only problem with this code is that when we run it again for another user, this last execution replaces the previous one (always for the same department), and the new user will be the only one able to send on behalf of the department. To avoid this problem, here's a workaround:
$a = Get-DistributionGroup department@contoso.com
$b = Get-User user@contoso.com
$a.GrantSendOnBehalfTo += $b.DistinguishedName
Set-DistributionGroup department@contoso.com -GrantSendOnBehalfTo $a.GrantSendOnBehalfTo
Get-DistributionGroup department@contoso.com | fl name,grant* > List_SendOnBehalfOf_assigned_permissions_on_department.txt
This way we can add users to Send On Behalf Of cumulatively, but we have to run this code each time we want to add another user, so the administration task takes a few more lines to achieve our goal…
- For use with Distribution and Security Groups: This is the best option; it'll save us administration time, avoiding unnecessary lines in our PowerShell each time a new user enters a department…
$a = Get-DistributionGroup department@contoso.com
$b = Get-DistributionGroup "Distribution Group"
$a.GrantSendOnBehalfTo += $b.DistinguishedName
Set-DistributionGroup department@contoso.com -GrantSendOnBehalfTo $a.GrantSendOnBehalfTo
Get-DistributionGroup department@contoso.com | fl name,grant* > List_SendOnBehalfOf_assigned_permissions_on_department.txt
I've added the "> List_SendOnBehalfOf_assigned_permissions_on_department.txt" on the last line to know who has SendOnBehalfOf permissions inside the department and send it to whoever asks for it (e.g. our IT Manager).
Once this is done, the user will only have to specify the address from where he wants to send the message inside OWA or Microsoft Outlook.
In Microsoft Outlook (if the user doesn't have more than one account configured) we must enable the "From:" field inside a new E-Mail – Options – From: (above "show fields"), and then we can specify the address we want to send the message from by typing it after clicking "Other E-Mail address".
In OWA the same applies, and we must proceed the same way to enable the From: field.
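The SendOnBehalfOf grant and the permission listings described above can be handled with small helper functions; this is an added example, not code from the original post. It uses the @{Add=...} / @{Remove=...} syntax for multivalued properties, so a single delegate is added or revoked without overwriting the others, and it reports SendAs and SendOnBehalfOf grants for a department address together. It assumes an already connected Exchange Online session (for example via Connect-ExchangeOnline from the ExchangeOnlineManagement module); the function names and the CSV file name are hypothetical.

```powershell
# Added example. Assumes an already connected Exchange Online session.
# Function names and the CSV file name are hypothetical.

function Add-SendOnBehalfDelegate {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Trustee
    )
    # Resolve the trustee first so a mistyped address stops here.
    $recipient = Get-Recipient -Identity $Trustee -ErrorAction Stop
    # @{Add=...} appends to the multivalued property instead of replacing it.
    Set-DistributionGroup -Identity $Group -GrantSendOnBehalfTo @{ Add = $recipient.DistinguishedName }
}

function Remove-SendOnBehalfDelegate {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Trustee
    )
    $recipient = Get-Recipient -Identity $Trustee -ErrorAction Stop
    # @{Remove=...} drops only this entry and leaves the other delegates in place.
    Set-DistributionGroup -Identity $Group -GrantSendOnBehalfTo @{ Remove = $recipient.DistinguishedName }
}

function Get-SendDelegationReport {
    param([Parameter(Mandatory)][string]$Group)

    # SendAs grants, minus the built-in entries the article also filters out.
    $sendAs = Get-RecipientPermission -Identity $Group -AccessRights SendAs |
        Where-Object { $_.Trustee -ne 'nt authority\self' -and $_.Trustee -ne 'null sid' } |
        ForEach-Object { [pscustomobject]@{ Group = $Group; Right = 'SendAs'; Trustee = "$($_.Trustee)" } }

    # SendOnBehalfOf grants are stored on the group object itself.
    $onBehalf = (Get-DistributionGroup -Identity $Group).GrantSendOnBehalfTo |
        Where-Object { $_ } |
        ForEach-Object { [pscustomobject]@{ Group = $Group; Right = 'SendOnBehalfOf'; Trustee = "$_" } }

    @($sendAs) + @($onBehalf)
}

# Grant one delegate, then export every send delegation on the department address.
Add-SendOnBehalfDelegate -Group 'department@contoso.com' -Trustee 'user@contoso.com'
Get-SendDelegationReport -Group 'department@contoso.com' |
    Export-Csv -Path .\department_send_delegations.csv -NoTypeInformation
```

Running the report on a schedule and comparing the CSV files over time shows when a new trustee gains the right to send as, or on behalf of, a department address.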