Migrating Full Office 365 Mailbox Permissions
This is a chapter from our white paper, ‘How to Manage Exchange Mailbox Permissions in Office 365 Tenant Migrations’. Download the full PDF here.
Full Office 365 Mailbox Permissions have several use cases. This includes both user-driven and administration-driven functions. In this article, we will review these use cases and how they impact migrations.
In the summary article on migrating Exchange Mailbox Permissions, we discussed that these are permissions set by the Administrator, which are not visible to the user.
The most common Full Mailbox Permission use case is Shared Mailboxes. It is not uncommon for organizations to have more Shared Mailboxes than people at the company. This is very common for work teams communicating with clients.
This means that during a migration, when a Shared Account gets migrated, if the permissions are wrong, this will directly impact the organization’s ability to service customers. When conducting migrations, you need to test this process and ensure it is working correctly!
It should be noted that configurations provide access with an AD Group, Individual Users, or both.
Perhaps the second most common, and the use case that comes to mind more often, is simply just delegating access to someone. This can be an Administrative Assistant having access to the people they support, colleagues covering for each other, or several other everyday use cases.
This needs to be done carefully and kept up-to-date. If not, migrating these can actually cause more problems. See the Stale Permissions section below.
Various processes exist where service accounts need access. Your tenant to tenant migration tooling is one example! However, several other systems may have mailbox access for some or all mailboxes. This includes eDiscovery, Compliance, Backup Solutions, and several others.
When migrating, most of these are perhaps dropped outside of a compliance need if the new company does not have a solution. Some simple planning can usually remediate these issues.
Employees On Leave
Every workforce will have a variety of situations on migration weekend. This can be employees on holiday, short term leave, or long term leave. Depending on the situation, employees may have access to another user’s mailbox, and it can be timely or impactful if these permissions are missed.
Where possible, it is a good idea to work with HR to check in on accounts for people that are on extended leave to ensure they are migrated correctly. It is also good to let their managers know so when they come back, they are aware of the system change.
Terminated Accounts & Users
For employees that have left, sometimes their work needs to be handled. Often organizations will have policies for managers and colleagues to get access to accounts for people that have left. Again, depending on timing, these can be very critical.
So far, most of this article has discussed the importance of Shared Permissions. In this section, we can remove all the positives with this one major drawback! Permissions are often out of date unless you are at one of the few firms that audit these. This is compounded by the fact that users cannot see permissions easily.
If you are one of the firms that do conduct security audits of mailbox permissions, this is great! However, the odds are not in your favor that you are integrating a company that follows suit.
At the end of the day, you need to decide if these permissions should migrate. That will come down to your regulatory environment, user behavior, and how long these have been around for.
Here are a few other items of note for this topic:
Do keep in mind if you are using AutoMap for Shared Accounts in the target but not the source. This can easily connect Shared Mailboxes to Outlook profiles, which is great. However, if the permissions are highly out of date, users will get mailboxes in their profile they may not have used for a long time. In the worst case, they had access to a regulated mailbox and now they see it again.
When migrating permissions, it is not uncommon for some to not properly map over. All the situations above discuss these common situations. If there is not a mapping, or an account or group in the target that matches the source, this is dropped in any process you use. In most cases, this is a lot of accounts and quite normal. If you can’t have this in your project, then you need to do a lot of prep, and audit to prevent it.
We spend more time day-to-day with our colleagues than we do our family. From time to time, all companies will experience the unfortunate event of losing a colleague. As technologists, we take this seriously and likely have non-standard policies to ensure our colleagues are supported in these difficult times.
In terms of migration, not handling these accounts correctly will re-open these difficult situations. It is worth working with HR to get a list of accounts that could be in this category and ensure the same level of effort is put into the handling of these accounts during the migration.
Most firms we work with will migrate full Mailbox Permissions for Shared Mailboxes and Delegates for End Users. With Quadrotech’s Cloud Commander software, you can make the right decision for your needs, rather than adjusting to your migration tooling.
Our managed operations team specializes in handling complex tenant to tenant migration projects, particularly for mergers, acquisitions, and divestitures, and we have great experience to guide your Office 365 integration.
How to Migrate Full Access Permissions
The good news is that getting a list of permissions is quite easy using get-mailbox and get-mailboxpermission commands. Just like the other levels, the options for access can be quite complex, so you need to collect and apply a lot of information.
To learn more on migrating Office 365 mailbox permissions, watch our on-demand 20-minute webinar:
Office 365 Tenant Migration:
How to Migrate Exchange Mailbox Permissions