Send As/Send on Behalf of permissions can be a bit confusing from time to time. What’s making them even more confusing for people is the way clients handle permissions. The ‘source of authority’ for permissions is the Global Address List, so it makes a lot of difference whether the client is using the GAL or a offline copy of it. I will try to illustrate this with several examples.
Lets start with how OWA handles things, which is the simplest case. As it is directly connected to the server, it works with the GAL and is always up to date with the latest changes (this is one of the reasons why we always ask the user to reproduce any permissions related issue in OWA). If you try to send a message as a different recipient, and you have no permissions to do so, you will be greeted by the following message:
(For those of you that do now know how to show the “From” button: start composing new message, press the “…” icon and select “Show From”)
Now, if you have been granted Send As permissions, the message will go through as if it was sent directly from the delegate mailbox and others will have no way of knowing that you were the actual sender. For Send on Behalf of permissions the address line is changed to “Sender on behalf of delegate”, but other than that, the process is virtually the same.
If you are using Outlook in Online mode, the situation is very similar. If you do not have the necessary permissions, Outlook will prevent you from sending the message with a warning message:
If you are using Outlook in cached mode however, there are some notable differences. As it works with the Offline Address Book instead of the GAL, the permissions are not updated immediately. To reflect on that, Outlook will not actually prevent you from sending a message in this scenario. Instead, the server will be the one bringing the bad news:
In case you were wondering, forcing Outlook to use the GAL instead of OAB will not make any change, as long as you are in cached mode. Depending on whether you were trying to Send As or Send on Behalf, the NDR will show up in either your own Inbox, or the delegate’s one. Same goes for the actual sent message by the way, although there are some other factors that might affect this.
Once you are given the corresponding permissions, sending should happen with no issues. In all cases, it’s strongly recommended to select the address of the delegate mailbox directly from the GAL and to never use a stored name cache entry!
Now, let’s turn to some more exotic scenarios. First of all, what happens if you have added more than one account in your Outlook profile? Well, Outlook is smart enough to note that now you have more than one ‘From’ address (Don’t forget that in Exchange you can only send mail using the primary SMTP address by default!). You can then adjust the default ‘From’ address from Account settings, but there’s one other interesting bit:
Note the additional button in the “Select From Other E-Mail Address” dialog? It brings another level of complexity, but it also gives you more options. For example, you can now send from the delegate’s address, using your own address. In other words, you can choose to send a message on behalf of:
And behold! The message is actually sent on behalf of the delegate, with the additional information in the address bar, and a copy of the sent message in your “Sent Items” folder. This of course corresponds to the default behavior in Outlook and OWA.
Now let’s try the other combination, namely sending from the delegate address using his address. This is the “Send As” scenario and for it to work, you either need to know his password or have Full Access permissions on his mailbox, in order to add his mailbox as additional account in Outlook. Otherwise, there is no way for you to select his address from the “Send Using” dropdown. Here’s how it looks like:
Of course, you can save yourself the trouble of filling this and simply select the delegate address in the ‘From’ dropdown menu (Note that Outlook will auto-select the ‘From’ address to match the currently selected mailbox). Provided you have the necessary permissions, the message will be Send As the delegate and a copy of it will be stored in the delegate’s “Sent Items”. And if you don’t have permissions, you will either get the warning message if you are running in Online mode or an NDR message will be generated and sent to the delegate mailbox.
In OWA however, we are not presented with the “Send Using” option, so even if you work directly with the delegate mailbox (using the “Open another mailbox” functionality), there is no way for you to select whether to send the message As or on Behalf of. OWA is smart enough to know the exact kind of permissions you have and will select it for you. The only downside here is that Send As permissions will take precedence over Send on Behalf of, so if you have both, you can only use the former. This also applies when sending as delegate from your own mailbox in OWA.
So what do you think will happen if you have been granted Full Access and Send on Behalf of permissions, and you configure the delegate mailbox as additional account in Outlook, then try to send a message directly? If using Online mode, the warning popup should give you a hint. In cached mode however, you will immediately get an NDR message in delegate’s Inbox, as shown in the screenshots above. As the NDR doesn’t mention anything about permissions, things might get confusing. A good idea is to test in OWA, which will definitely show whether you have permissions (and if you pay attention to the modified address line, you will know those are Send on Behalf of permissions). And in Outlook, try both scenarios: send “from the delegate” using your address and using his address. Depending on which scenario works, you will know what permissions have been granted. In the scenario we are currently describing, one will realize that sending messages directly from the additional account will not work. Instead, use the ‘Send From Other E-mail Address’ dialog and make sure that the ‘Send Using’ address matches yours. Or, remove the additional account and add it as additional mailbox instead. Or, simply make sure that you have selected a folder in your own account when composing new messages.
One other important bit that often gets overlooked: Full Access permissions DO NOT grant you permission to send messages in any form. Those need to be added explicitly!
Hope it all makes sense now!
P. S. Forgot to add information about the ‘known issue’ of sent messages ending up in the wrong Sent Items folder. As explained above, for messages that are sent on Behalf, the default behavior is to save it in the Sent Items folder of the delegate. But you can control this behavior by installing the following hotfix: http://support.microsoft.com/kb/2843677
UPDATE 04/10/2014: There is a similar guide available now on the TechNet support forums, which complements this post with additional info. Make sure to check it out here: http://social.technet.microsoft.com/Forums/office/en-US/26447ae6-26dc-4b78-9f2c-fb85cfdd6ae3/send-as-send-on-behalf-and-full-access-for-exchange-server-20102013?forum=exchangesvrgeneral