Without much ado, Microsoft started rolling out updates to expand the scope of delegate permissions supported in Hybrid configurations. The rollout is expected to complete by the end of April and will bring support for cross-premises Send on behalf or and folder-level delegation.
While no EHLO blog post has been published yet, the support articles (linked in the text below) have been updated to reflect the changes. In addition, the following item appeared on the Office 365 Roadmap:
Once the changes are completed, the following set of permissions will be supported:
- Full Access (automapping is NOT yet supported)
- Send on behalf of
- Folder-level permissions
Note that all of the above permissions are only supported via the desktop Outlook client. Outlook for mobiles or OWA are not supported. Send As permissions are also not supported yet, neither is automapping. Those might be coming in future updates.
To take advantage of the new functionalities, some additional changes might be required, depending on your Exchange server version. In a nutshell, those include updating to the latest CU applicable and making sure that support for Access Control Lists (ACLs) is enabled for mail objects. Depending on the server version, you might need to manually enable ACLs for some objects. You will also need AAD Connect version 1.1.553.0 or later to make sure the permissions are correctly synced between on-premises and Exchange Online. Additional information can be found in this support article.
It’s important to note that ACLs are not enabled on Remote mailbox objects and you will have to perform some additional actions for those. To work around this, Microsoft recommends that you create mailboxes on-premises and move them to Office 365 instead of creating Remote mailboxes. More information is available in this article. Some other considerations and additional troubleshooting information about all cross-premises delegation scenarios can be found in the following KB article.
I expect these improvements will get some more coverage in the coming weeks, as the rollout completes. Overall, this is a much welcomed, albeit a little overdue improvement.