Asked by csimmons1324

Feedback On Assigning Security Groups Permissions to an O365 Shared Mailbox in a Hybrid Environment

I am looking for some advice / tips on assigning groups to a shared mailbox in an O365 hybrid environment.

When we only had our on-prem Exchange server my setup was as follows:

I had a security group called "Sales."  I then added users as members to this "Sales" security group.  

I then created another security group used as an access control list.  This security group was called "ACL_Shmb-Sales."  I then added the "Sales" security group as a member of the "ACL_Shmb-Sales" security group.  

I then created a shared mailbox in Exchange for "sales@mydomain.com."  I then assigned Full Access permissions on this mailbox to the "ACL_Shmb-Sales" access control list security group.  

We are now running O365 in a hybrid environment with all of our mailboxes in the cloud.  In order to accomplish the same logic that we had with our on-prem server, I have run scripts like the one below to add my "Sales" and "ACL_Shmb-Sales" security groups from my on-prem Exchange into O365:

Enable-DistributionGroup -Identity "ACL_Shmb-Sales" -PrimarySmtpAddress "acl_shmb-sales@mydomain.com"

Within O365, I then assign the "ACL_shmb-Sales" ACL security group Full Access permissions to my "sales@mydomain" shared mailbox.  

In the limited testing that I have done, it seems that I can now add / remove users from the "Sales" security group in my on-prem AD and then those users either are granted or revoked permissions to the O365 "sales@mydomain.com" shared mailbox.  So it seems like everything is working as I intended it to.  


I am pretty green at all of this O365 hybrid stuff so I want to make sure that I went about this the right way.  From my understanding, the only downside to granting security groups permissions to mailboxes, instead of individual users, is that the members of the security group will need to manually add the shared mailboxes to their Outlook client instead of the shared mailbox being automapped like it would have been had I assigned permissions to the shared mailbox at the individual user level.  

So did I tackle this the right way?  Is this following best practices?  Any feedback is greatly appreciated.  
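
One way to check who actually ends up with Full Access through the nested groups described in the question. This is an added example, not part of the original post. It assumes the ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session, and that both groups are visible in Exchange Online as mail-enabled groups; the function names are hypothetical.

```powershell
# Added example: audit effective Full Access granted to a shared mailbox via groups.
# Assumes an existing Connect-ExchangeOnline session. Function names are hypothetical.

function Get-NestedGroupMember {
    # Recursively expands a mail-enabled group into its non-group members.
    param(
        [Parameter(Mandatory)][string]$Group,
        [string]$Path = $Group,
        [System.Collections.Generic.HashSet[string]]$Seen
    )
    if ($null -eq $Seen) { $Seen = [System.Collections.Generic.HashSet[string]]::new() }
    foreach ($m in (Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited)) {
        # Skip recipients already visited (guards against circular nesting).
        if (-not $Seen.Add($m.Guid.ToString())) { continue }
        if ($m.RecipientTypeDetails -like '*Group') {
            # Nested group: descend and record the path the access comes through.
            Get-NestedGroupMember -Group $m.Guid.ToString() -Path "$Path > $($m.Name)" -Seen $Seen
        } else {
            [pscustomobject]@{
                Name    = $m.Name
                Address = $m.PrimarySmtpAddress
                Via     = $Path
            }
        }
    }
}

function Get-SharedMailboxGroupAccess {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$AclGroup
    )
    # Confirm the ACL group holds a non-deny FullAccess entry on the mailbox.
    $entry = Get-MailboxPermission -Identity $Mailbox -User $AclGroup |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
    if (-not $entry) {
        Write-Warning "$AclGroup has no FullAccess entry on $Mailbox"
        return
    }
    # List every recipient that inherits the access through group membership.
    Get-NestedGroupMember -Group $AclGroup | Sort-Object Address
}

# Names taken from the question above.
Get-SharedMailboxGroupAccess -Mailbox 'sales@mydomain.com' -AclGroup 'ACL_Shmb-Sales'
```

Running this after a directory sync and comparing the output with the on-prem "Sales" membership shows whether an add or removal has reached the mailbox's access list.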


Last Comment: Vasil Michev (MVP), 8/22/2022 - Mon
