Back to blog

How to Manage Outlook Delegates When Merging Office 365 Tenants

Jun 11, 2020 by Mike Weaver

A businesswoman on her phone, representing an outside delegate accessing Outlook.

This is taken from the white paper ‘How to Manage Exchange Mailbox Permissions in Office 365 Tenant Migrations‘.

Migrating Outlook Delegates in any migration isn’t the easiest thing. Here at Quadrotech, we can automatically do this as part of your Office 365 tenant migration using our Cloud Commander solution.

In the overall Exchange Permissions article, we described all the common Outlook Permission types. In this post, we’ll dive into the details of the delegate issues.

The Issues with Migrating Delegates

Levels of Access

In this graphic, we can see the user interface for setting delegates. As you can see this is very granular. When writing your own collection scripts, you need to read all these options and levels to ensure that you get it right.  

Screen shot showing the UI for setting delegates.

When writing your scripts, if you don’t get everything, the access will be too loose or too great. 

One creates a data incident and the other generates help deck volume. Although a data incident is worse, adding help desk volume to your migration is also a big problem.

Reading & Setting

Reading this information isn’t very easy. You can guess with the Get-MailboxFolderPermisions command, but again, it will not be complete. The only comprehensive mechanism is reading this from the Mailbox, not a setting on the Mailbox.

Once you collect it, you then have to set it, which again is writing to the mailbox not just a setting on the account like Full Mailbox Permissions. This is a time-consuming exercise.  

Translation

As with all migrations, once you get the list of Permissions you need, you have to translate them to the user.

I have a somewhat common name. I am one of those people who gets pulled aside when landing at US airports. Someone with my name is not a good person, and they have to figure out if I am the good guy or the bad guy.

However, it reminds me of how common ‘name collision’ – two people with similar names – is. When migrating accounts, this is a common issue. When a name conflict, or collision, occurs, you need to address it. 

In the names of migrations, you have to read the account, and translate it to the target account. This is something a quick vlookup or sql script can do, but it needs to be kept up-to-date, and if you don’t have a mapping, it will fail.

The second translation issue is if some of these permissions should not move or are not allowed. In terms of delegates, few organizations have policies here outside of security access reviews. This brings us to our final issue.

Stale Permissions

One item in migration that causes a major problem is stale permissions. When we are trying to group users, these pesky items make planning so much more complex and for no reason.

It is very easy for users to add permissions. However, without some formal policy in place, they can go on forever. Some firms do annual audits, ask users to review it, or have some form of automation to pull these permissions regularly.

If the organization migrating has been on Exchange for a long time and they have never done clean-up, the right decision may be to not migrate these permissions, or only move them for VIP users.

The whole issue of merging Office 365 tenants is incredibly complex, but our specialist team is here to help. If you have an upcoming tenant migration project and would like some guidance, please get in touch.

To learn more about moving Exchange permissions in tenant migrations, please watch our 20-minute webinar:

Office 365 Tenant Migration:
How to Migrate Exchange Mailbox Permissions
REGISTER NOW