17 December 2021

Microsoft.Exchange.Data.Storage.SendAsDeniedException: Can't transport send message - Set Send-As permission for on-prem mailbox

Unable to send as an on-premises mailbox as an Exchange Online user? Chances are that your access rights aren't set up correctly.

First of all, there is a known issue regarding "Send as" and "Send on behalf" in Exchange Online:

Can't manage "Send as" and "Send on behalf" permissions for Exchange Online users in an on-premises hybrid environment
Exchange Online
Symptoms

You can’t find a user who was migrated to Exchange Online in the People Picker in the Exchange Admin Center (EAC). Additionally, the "Send as" and "Send on behalf" permissions can’t be added for legacy dedicated or on-premises mailboxes.
Cause

After mailboxes are moved from the on-premises environment to Exchange Online, they are represented as Remote Mailboxes. These remote mailboxes are not displayed in the EAC People Picker.
Workaround

This issue is being investigated by Microsoft. To work around this issue, run the following Remote PowerShell cmdlets to add these permissions:

"Send as" permission: Add-ADPermission

"Send on behalf" permission: Set-Mailbox


How to get around this?

Connect to Exchange Online PowerShell and run the following:
Add-RecipientPermission -Identity sharedmailbox@domain.nl -Trustee firstname.Lastname@domain.nl -AccessRights SendAs

Confirm
Are you sure you want to perform this action?
Adding recipient permission 'SendAs' for user or group 'Firstname.Lastname@domain.nl' on recipient
Identity:'sharedmailbox@domain.nl'.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): A

Identity Trustee                  AccessControlType AccessRights Inherited
-------- -------                  ----------------- ------------ ---------
Klic     Lastname, Firstname (50439) Allow             {SendAs}     False

Check your settings:
Get-RecipientPermission -Identity sharedmailbox@domain.nl

Identity Trustee                      AccessControlType AccessRights Inherited
-------- -------                      ----------------- ------------ ---------
Klic     NT AUTHORITY\SELF            Allow             {SendAs}     False
Klic     Some.User@domain.nl          Allow             {SendAs}     False
Klic     Firstname.Lastname@domain.nl Allow             {SendAs}     False

And for a security group:
Add-RecipientPermission -Identity sharedmailbox@domain.nl -Trustee YourSecurityGroupName -AccessRights sendas

Confirm
Are you sure you want to perform this action?
Adding recipient permission 'SendAs' for user or group 'sm.klic' on recipient Identity:'klic.klicdomain@domain.nl'.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): A

Identity Trustee               AccessControlType AccessRights Inherited
-------- --------------------- ----------------- ------------ ---------
Klic     YourSecurityGroupName Allow             {SendAs}     False
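The same grant, wrapped so it can be re-run safely and followed by an audit of who can send as the mailbox. This is an added example, not code from the original post; it assumes an already connected Exchange Online PowerShell session (Connect-ExchangeOnline), that the mailbox and trustee addresses are placeholders, and that Get-RecipientPermission reports the trustee as the UPN, as it does in the listing above. SendAs is an impersonation right, so the audit deliberately drops the mailbox's own NT AUTHORITY\SELF entry and shows only real delegates.

```powershell
# Added example, not the post's own code. Assumes an existing Exchange Online session.
# Mailbox and trustee addresses are placeholders.

function Grant-SendAsIfMissing {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $Trustee
    )
    # Look for an existing SendAs entry first, so a second run does not add a duplicate
    # (assumes the Trustee column carries the UPN, as in the post's Get-RecipientPermission output)
    $existing = Get-RecipientPermission -Identity $Mailbox -AccessRights SendAs |
        Where-Object { $_.Trustee -eq $Trustee }
    if ($existing) {
        Write-Verbose "$Trustee already has SendAs on $Mailbox"
        return $existing
    }
    # -Confirm:$false suppresses the interactive prompt shown in the post
    Add-RecipientPermission -Identity $Mailbox -Trustee $Trustee -AccessRights SendAs -Confirm:$false
}

function Get-SendAsDelegates {
    param([Parameter(Mandatory)] [string] $Mailbox)
    # NT AUTHORITY\SELF is the mailbox's own implicit entry, not a delegate; filter it out
    Get-RecipientPermission -Identity $Mailbox -AccessRights SendAs |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessControlType -eq 'Allow' } |
        Select-Object Identity, Trustee, AccessRights, Inherited
}

Grant-SendAsIfMissing -Mailbox 'sharedmailbox@domain.nl' -Trustee 'firstname.lastname@domain.nl' -Verbose
Get-SendAsDelegates -Mailbox 'sharedmailbox@domain.nl'
```

Note that this grant lives in Exchange Online only. Send As on an on-premises mailbox is an AD access control entry set with Add-ADPermission (the cmdlet the Microsoft article above points to), and it is managed separately, so in a hybrid setup check which side the mailbox being impersonated actually lives on before deciding where to grant and where to audit.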

13 December 2021

554 5.2.0 STOREDRV.Deliver.Exception:ObjectNotFoundException.MapiExceptionNotFound - NDR when users send mail in Exchange Online

 I had never heard of this before, so maybe this helps others.

After sending an e-mail you may receive an NDR: 554 5.2.0 STOREDRV.Deliver.Exception:ObjectNotFoundException.MapiExceptionNotFound.

What this means is that a feature in the user's mailbox called "Clutter" is turned on.
I had to look this up in my OWA mailbox.

You will only see this option when you have "Focused Inbox" turned on.
The user could turn it off themselves, but in many cases the user doesn't know how to, is out of the office, and so on.

So of course this can be done with PowerShell:

First check to see the current setting
Get-Clutter -Identity username@domain.nl


RunspaceId      : 2a09c611-03b6-4926-8293-c1692c3bcb00
IsEnabled       : True
MailboxIdentity : username@domain.nl
Identity        :
IsValid         : True
ObjectState     : New

As you can see, the Clutter setting is referred to as "IsEnabled".

Then set the value to $false:

Get-Mailbox username@domain.nl | Set-Clutter -Enable $false


RunspaceId      : 2a09c611-03b6-4926-8293-c1692c3bcb00
IsEnabled       : False
MailboxIdentity : CN=username,OU=tenantname.onmicrosoft.com,OU=Microsoft Exchange Hosted
                  Organizations,DC=EURPR10A003,DC=PROD,DC=OUTLOOK,DC=COM
Identity        :
IsValid         : True
ObjectState     : New
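When one user hits this NDR, others usually will too, so it is worth checking the whole tenant instead of one mailbox at a time. The script below is an added example, not the post's own code; it assumes a connected Exchange Online PowerShell session and first does a dry run with -WhatIf so nothing changes until you have seen the list.

```powershell
# Added example, not the post's own code. Assumes an existing Exchange Online session.

function Get-ClutterEnabledMailboxes {
    # Get-Clutter returns IsEnabled per mailbox (see the post); walk every user mailbox
    # and keep only the ones where Clutter is still on
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        ForEach-Object {
            $state = Get-Clutter -Identity $_.UserPrincipalName
            if ($state.IsEnabled) { $_ }
        }
}

function Disable-ClutterForMailboxes {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Mailbox)
    process {
        # ShouldProcess gives us -WhatIf / -Confirm for free
        if ($PSCmdlet.ShouldProcess($Mailbox.UserPrincipalName, 'Disable Clutter')) {
            Set-Clutter -Identity $Mailbox.UserPrincipalName -Enable $false |
                Select-Object MailboxIdentity, IsEnabled
        }
    }
}

# Dry run: prints what would be changed, changes nothing
Get-ClutterEnabledMailboxes | Disable-ClutterForMailboxes -WhatIf

# Real run (uncomment after reviewing the dry run)
# Get-ClutterEnabledMailboxes | Disable-ClutterForMailboxes
```

Get-Clutter is called once per mailbox, so on a large tenant this takes a while; that is the price of not guessing from mailbox properties alone.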

01 December 2021

Move new mailbox from on-premises to Exchange Online with PowerShell - Exchange Hybrid new mailbox moves

If you're running Exchange Hybrid, you need to create your mailboxes on-premises first and then sync them to Azure AD/Office 365/EXO.

Now in my case this was a manual task, and of course this was forgotten too often.
So I created this script to automate the move.
I'm still looking for a way to make the moves visible in the EAC; it's something with New-MigrationBatch and Start-MigrationBatch.
I just haven't found the time yet to mess with it.

If you have the right method to make this possible, drop a line below.

For now this is how I do it (this needs to run from an Exchange server on-premises or a management server with the Exchange Management Tools installed):

# Load Exchange modules and snapin
add-pssnapin microsoft.exchange.management.powershell.snapin
. $env:ExchangeInstallPath\bin\RemoteExchange.ps1

# Connect to local Exchange server
Connect-ExchangeServer -auto -AllowClobber

# Import EXO module
Import-Module -Name ExchangeOnlineManagement

# Get the current date
$Date = Get-Date -format dd-MM-yyyy

# Get mailboxes created in the last 7 days.
# This is the on-premises Get-Mailbox and must run before Connect-ExchangeOnline,
# because after that Get-Mailbox resolves to the EXO cmdlet.
# -ResultSize Unlimited lifts the default cap of 1000 results; -ge was missing its dash.
$mailboxes = Get-Mailbox -ResultSize Unlimited | Where-Object {$_.WhenCreated -ge ((Get-Date).AddDays(-7))} `
| Select UserPrincipalName,identity,samaccountname

# Get on-prem credentials (the account the MRS proxy will use; prompted, never hard-coded)
$onpremcred = Get-Credential domain\username

# Set the proxy for the connection to EXO
netsh winhttp set proxy proxy-server="http=proxy.domain.lan;https=proxy.domain.lan:8080" `
bypass-list="*.domain.lan;10.*"

# Connect to EXO
Connect-ExchangeOnline -UserPrincipalName username@domain.nl

# Show the mailboxes to move
$mailboxes

# Create a remote (onboarding) move request per found mailbox.
# New-MoveRequest now resolves to the EXO cmdlet; -RemoteCredential is the on-prem account.
foreach ($mailbox in $mailboxes)
{
$username = $mailbox.Samaccountname
$moverequestbatch = New-MoveRequest -Identity $mailbox.SamAccountName -remote `
-RemoteHostName hybridserver.domain.nl -TargetDeliveryDomain tenantname.mail.onmicrosoft.com `
-RemoteCredential $onpremcred -BatchName "MigrationService:$username"

<# === This piece is experimental ===
#$migrationEndpointOnPrem = tenantname.domain.nl-endpoint
#$OnboardingBatch = New-MigrationBatch -Name $username -SourceEndpoint `
$MigrationEndpointOnprem.Identity -TargetDeliveryDomain tenantname.mail.onmicrosoft.com `
-CSVData ([System.IO.File]::ReadAllBytes("C:\Users\Administrator\Desktop\RemoteOnBoarding1.csv"))

#Start-MigrationBatch -AutoStart -Name -AutoComplete -Identity $OnboardingBatch.Identity
#>
}

# Reset the proxy
netsh winhttp reset proxy

<#
# Some commands to check your moves
Get-MoveRequest
Get-MoveRequest | Get-MoveRequestStatistics
Get-MoveRequest | Select batchname
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -confirm:$false
Get-MoveRequest -MoveStatus CompletedWithWarning | Remove-MoveRequest -confirm:$false
#>
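One way to get the moves into the EAC's migration view is to submit them as a migration batch instead of individual move requests. The following is an added example, not the post's code, and it only covers the EXO side: it assumes a connected Exchange Online PowerShell session, a remote-move migration endpoint already created by the Hybrid Configuration Wizard, and that tenantname.mail.onmicrosoft.com and the sample UPNs are placeholders. The CSV that New-MigrationBatch expects (a single EmailAddress column) is built in memory, so no file on an administrator's desktop is needed.

```powershell
# Added example, not the post's own code. Assumes a connected Exchange Online session and an
# existing ExchangeRemoteMove endpoint; target domain and UPNs below are placeholders.

function New-HybridOnboardingBatch {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalNames,
        [Parameter(Mandatory)] [string] $TargetDeliveryDomain,
        [string] $BatchName = ('Onboarding-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
    )
    # Find the remote-move endpoint the HCW created instead of hard-coding its name
    $endpoint = Get-MigrationEndpoint |
        Where-Object { $_.EndpointType -eq 'ExchangeRemoteMove' } |
        Select-Object -First 1
    if (-not $endpoint) { throw 'No ExchangeRemoteMove migration endpoint found' }

    # New-MigrationBatch takes the user list as CSV bytes with an EmailAddress header
    $csv   = "EmailAddress`r`n" + (($UserPrincipalNames | ForEach-Object { $_.Trim() }) -join "`r`n")
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($csv)

    # -AutoStart begins syncing immediately; -AutoComplete is left out on purpose so the
    # batch stops at "Synced" and you decide when the cutover happens
    New-MigrationBatch -Name $BatchName -SourceEndpoint $endpoint.Identity `
        -TargetDeliveryDomain $TargetDeliveryDomain -CSVData $bytes -AutoStart
}

# Constructed sample input
$batch = New-HybridOnboardingBatch -UserPrincipalNames @('user1@domain.nl', 'user2@domain.nl') `
    -TargetDeliveryDomain 'tenantname.mail.onmicrosoft.com'

# Per-user progress, then finalise the batch once every user shows Synced
Get-MigrationUser -BatchId $batch.Identity | Select-Object Identity, Status
# Complete-MigrationBatch -Identity $batch.Identity -Confirm:$false
```

The batch and its users then appear under the migration section of the EAC, and Get-MigrationUser gives the same per-mailbox view as Get-MoveRequestStatistics does for the move requests created in the script above.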