Wednesday, July 15, 2015

Creating Shared Mailbox in a Hybrid Deployment

The first thing to be aware of when creating shared mailboxes in a hybrid deployment is where the permissions live. Mailbox permissions between on-premises Exchange and Office 365 (cross-premises Full Access and Send As) are not supported. So, if a group of people needs to share a mailbox, the shared mailbox and all of their mailboxes need to be on-premises, or all in Office 365.

On-Premises Shared Mailboxes

Creating an on-premises shared mailbox is straightforward: create the shared mailbox in the on-premises Exchange organization, grant the permissions there, and it all works.

In Exchange 2013, shared mailboxes are explicitly listed as a recipient type in the Exchange admin center (EAC). You can create and manage the shared mailboxes there.

In Exchange 2010, shared mailboxes are not exposed in the Exchange Management Console (EMC). You need to create the shared mailbox with the New-Mailbox cmdlet in the Exchange Management Shell (EMS). For example:
New-Mailbox -Name HelpDesk -Shared -UserPrincipalName HelpDesk@MyDomain.com
After creating the shared mailbox in Exchange 2010, you need to give users permission to access it. Assign Full Access permission to let users open and manage the contents of the mailbox. You may also want to grant Send As permission, depending on your scenario; it lets a user send mail that appears to come from the shared mailbox, so grant it only where that is actually needed.
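As an added example (not code from the original post), here is the complete on-premises sequence in the Exchange 2010 Management Shell: a pre-flight check that every delegate's mailbox is actually on-premises, creation of the shared mailbox, the two delegations, and a verification query. The domain contoso.com, the OU, the database name and the users alice and bob are placeholders I have assumed.

```powershell
# Added example, not from the original post. contoso.com, the OU, the database and the
# user names are placeholders. Run in the on-premises Exchange 2010 Management Shell
# (unchanged on Exchange 2013).

$delegates = 'alice', 'bob'

# Pre-flight: cross-premises permissions are unsupported, so every delegate must be
# on-premises. A user whose mailbox has already been moved to Office 365 shows up
# on-premises as RemoteUserMailbox (or as a plain MailUser).
$offPrem = $delegates | ForEach-Object { Get-Recipient -Identity $_ } |
    Where-Object { $_.RecipientTypeDetails -like 'Remote*' -or $_.RecipientTypeDetails -eq 'MailUser' }
if ($offPrem) {
    throw "Not on-premises, cannot be delegated an on-premises shared mailbox: $($offPrem.Name -join ', ')"
}

# Create the shared mailbox. -Shared creates the backing AD user in a disabled state:
# nobody logs on as HelpDesk; delegates reach it with their own credentials.
New-Mailbox -Name 'HelpDesk' -Alias 'HelpDesk' -Shared `
    -UserPrincipalName 'HelpDesk@contoso.com' `
    -OrganizationalUnit 'contoso.com/Shared Mailboxes' `
    -Database 'MBX-DB01'

foreach ($user in $delegates) {
    # Full Access: open and manage the contents. AutoMapping (Exchange 2010 SP1 and later)
    # publishes the delegation through Autodiscover so Outlook adds the mailbox by itself.
    Add-MailboxPermission -Identity 'HelpDesk' -User $user -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $true

    # Send As is a separate AD extended right. Grant it only where the scenario needs it:
    # mail sent this way carries no trace of the real sender.
    Add-ADPermission -Identity 'HelpDesk' -User $user -ExtendedRights 'Send-As'
}

# Verify: list the explicit (non-inherited) grants, ignoring the built-in SELF / NT AUTHORITY
# entries and any orphaned SIDs.
Get-MailboxPermission -Identity 'HelpDesk' |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*' } |
    Format-Table User, AccessRights -AutoSize
Get-ADPermission -Identity 'HelpDesk' |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights -like '*Send-As*' } |
    Format-Table User, ExtendedRights -AutoSize
```

The pre-flight check is the practical form of the rule in the first paragraph: if any delegate shows up as RemoteUserMailbox, that person's mailbox is already in Office 365 and the shared mailbox has to be created there instead.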

Office 365 Shared Mailboxes

In Office 365, the web-based Exchange admin center provides the same option to create shared mailboxes as Exchange 2013 does. However, in a hybrid environment, creating the shared mailboxes directly in Office 365 does not work properly.

If you create the shared mailbox directly in Office 365, there is no object for it in the on-premises Active Directory. In a hybrid environment, Autodiscover for the on-premises users is answered by the on-premises Exchange organization, which looks the mailbox up in Active Directory. Because the shared mailbox has no on-premises object, Autodiscover cannot redirect Outlook to the mailbox's location in Office 365, and Outlook cannot add the shared mailbox.


In a hybrid environment, you should perform the following steps instead:
  1. From the on-premises Exchange organization, create a remote mailbox in Office 365. This creates the on-premises Active Directory object that Autodiscover and directory synchronization need.
  2. Run DirSync to synchronize the new object to Office 365 (or wait for the next scheduled synchronization, which can take several hours).
  3. In Office 365, convert the mailbox to a shared mailbox. In the Exchange admin center the convert option is offered once the recipient is selected.
  4. In Office 365, grant Full Access and Send As permissions on the shared mailbox as required. The users who receive them must also have their mailboxes in Office 365.
It's a bit more of a hassle to create a shared mailbox in Office 365 for a hybrid environment, but it does work!
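The same four steps as an added example in PowerShell (not from the original post, which describes the Exchange admin center route): steps 1 and 2 run in the on-premises Exchange Management Shell, steps 3 and 4 in Exchange Online PowerShell. contoso.com, the OU, the license SKU and the delegate names are placeholders I have assumed, and the Microsoft Graph cmdlets are what a current tenant uses for licensing (in 2015 the MSOnline module did that job). Three things the list above does not mention are included because a practitioner will hit them: New-RemoteMailbox creates an enabled AD account with the password you give it, so the account is disabled; the synced user only becomes a mailbox once it holds an Exchange Online license, so one is assigned before the conversion and removed afterwards; and a pre-flight check confirms the delegates' mailboxes are already in Office 365.

```powershell
# Added example, not from the original post. contoso.com, the OU, the license SKU and the
# delegate names are placeholders; the Graph licensing cmdlets are an assumption about tooling.

### Step 1: on-premises Exchange Management Shell ###

# A remote mailbox is an on-premises AD user whose mailbox lives in Office 365; this is the
# object Autodiscover and dirsync need. New-RemoteMailbox requires a password because it
# creates a real, enabled AD account.
$pw = Read-Host -AsSecureString -Prompt 'Initial password for the HelpDesk AD account'
New-RemoteMailbox -Name 'HelpDesk' -Alias 'HelpDesk' `
    -UserPrincipalName 'HelpDesk@contoso.com' `
    -OnPremisesOrganizationalUnit 'contoso.com/Shared Mailboxes' `
    -Password $pw

# Hardening the post does not mention: nobody should sign in as a shared mailbox, so disable the
# account (on-premises New-Mailbox -Shared does this for you; New-RemoteMailbox does not).
# Dirsync carries the disabled state to Azure AD; delegates still use their own credentials.
Import-Module ActiveDirectory
Disable-ADAccount -Identity 'HelpDesk'

### Step 2: force a directory synchronization instead of waiting for the scheduler ###
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta      # Azure AD Connect 1.1 or later
# The 2015-era DirSync tool used: Import-Module DirSync; Start-OnlineCoexistenceSync

### Step 3: Exchange Online PowerShell ###
Connect-ExchangeOnline   # ExchangeOnlineManagement module; in 2015 this was a basic-auth remote session

$shared    = 'HelpDesk@contoso.com'
$delegates = 'alice@contoso.com', 'bob@contoso.com'

# Pre-flight: every delegate must already have a cloud mailbox. A mailbox that is still
# on-premises shows up in Exchange Online as a MailUser, and cross-premises permissions are
# unsupported.
$onPrem = $delegates | ForEach-Object { Get-Recipient -Identity $_ } |
    Where-Object { $_.RecipientTypeDetails -ne 'UserMailbox' }
if ($onPrem) { throw "Still on-premises, cannot delegate a cloud shared mailbox: $($onPrem.Name -join ', ')" }

# The synced user is a MailUser until it holds an Exchange Online license. Assumed: the
# Microsoft Graph PowerShell module and an Exchange Online Plan 1 SKU (EXCHANGESTANDARD).
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'EXCHANGESTANDARD'
Update-MgUser -UserId $shared -UsageLocation 'US'      # licensing requires a usage location
Set-MgUserLicense -UserId $shared -AddLicenses @{ SkuId = $sku.SkuId } -RemoveLicenses @()

# Wait for the mailbox to be provisioned, then convert it. Once it is shared the license can
# go again: a shared mailbox under the size limit does not need one.
while ((Get-Recipient -Identity $shared).RecipientTypeDetails -ne 'UserMailbox') { Start-Sleep -Seconds 60 }
Set-Mailbox -Identity $shared -Type Shared
Set-MgUserLicense -UserId $shared -AddLicenses @() -RemoveLicenses @($sku.SkuId)

### Step 4: delegations, in Exchange Online ###
foreach ($user in $delegates) {
    Add-MailboxPermission -Identity $shared -User $user -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $true
    # Send As is granted with Add-RecipientPermission in Exchange Online
    # (Add-ADPermission is on-premises only).
    Add-RecipientPermission -Identity $shared -Trustee $user -AccessRights SendAs -Confirm:$false
}

# Verify. The cloud object now says SharedMailbox; the on-premises object still says
# RemoteUserMailbox, because the conversion happened in the cloud and nothing syncs it back.
Get-Mailbox -Identity $shared | Format-List RecipientTypeDetails, IsShared
# On-premises shell: Get-RemoteMailbox -Identity HelpDesk | Format-List RecipientTypeDetails
```

The mismatch the last check shows (shared in the cloud, remote user mailbox on-premises) is the weak spot of this procedure, since the on-premises side is the source of truth for dirsync. Later cumulative updates (Exchange 2013 CU21 and Exchange 2016 CU10) added a -Shared switch to New-RemoteMailbox and -Type Shared to Set-RemoteMailbox so that the on-premises object can be made consistent with the cloud one; on a build that has them, use those instead of converting only in Office 365.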

If you create the shared mailbox directly in Office 365 instead, you'll see the following symptoms:
  • Shared mailboxes are not automatically added to Outlook.
  • If you attempt to add the shared mailbox to Outlook manually in the properties of the Exchange account, then Outlook will continually prompt for credentials and hang.

3 comments:

  1. Thanks for confirming what I already believed!

    Is there any official documentation on this? Even with Exchange 2016, it seems like it should be easier to create a shared mailbox in Office 365 in a hybrid environment.

  2. No, I haven't seen official documentation to this effect. I worked this out by testing at the time. I haven't tested with Exchange 2016 yet, but I don't expect it to be any different.

  3. Awesome, thank you! I've been doing O365 admin for around four years, but my former colleague handled most day-to-day account creations. I'd like to point out that you can create a shared account directly on Office 365 if all the users to access it are cloud or external users. But if a line of business process needs to send email through a hybrid, your method is needed to create the local account references.
