Do mailbox permissions (like FullAccess, SendAs and folder permissions) migrate during a tenant to tenant mailbox migration?


Yes!

Okay, there’s a bit more to it than that.

According to Microsoft’s documentation, you can expect permissions applied to a mailbox to migrate when you use Microsoft’s MRS-based tenant to tenant migration service. As mentioned in the title, this includes FullAccess permissions, SendAs and folder permissions. Notably, Send on Behalf permissions are not migrated.

During the preparation steps you need to do for a T2T migration, you set the ExchangeGuid on the target MailUser to the same value as the source mailbox ExchangeGuid. You also take the source mailbox LegacyExchangeDN and stamp this on the target MailUser as an X500 address. This is not only used to correctly map the source and target objects, but it is also used to allow permissions to be reapplied when a mailbox is migrated.

During the mailbox migration, the migration service records who had delegate rights to the mailbox in the source tenant, maps those identities to their target tenant counterparts, and then reapplies those permissions onto the mailbox during the finalising stage of the migration. A key thing to note here is that permissions can only be reapplied if the delegate has also already been migrated (or a MailUser already exists with the ExchangeGuid and LegacyExchangeDN-as-X500 set) so that the migration service knows who to reapply permissions to. The process that reapplies the permissions only runs once at the end of the migration, so if someone who was a delegate on the source mailbox does not yet exist in the target, they will not get their delegate access reapplied even if they migrate later.

So, if you migrate a mailbox that has access permissions applied to it (most commonly shared mailboxes but this does apply to any kind of mailbox) you should already have the users of that mailbox migrated or at least have the MailUsers created with the correct properties set in preparation for a migration in the future. That way their delegate access to the mailbox will be set, and when the users migrate later their access to the mailbox is preserved.
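A pre-flight check for the point above, as an added example that is not from the original article or from Microsoft: before a mailbox is migrated, it lists the FullAccess and SendAs delegates in the source tenant and reports whether each one already has a target object carrying the matching ExchangeGuid and X500 address. The `Src`/`Tgt` cmdlet prefixes and the function name `Test-DelegateReadiness` are assumptions; folder permissions are not covered.

```powershell
# Added example. Assumes two Exchange Online sessions opened beforehand with:
#   Connect-ExchangeOnline -Prefix Src   # source tenant
#   Connect-ExchangeOnline -Prefix Tgt   # target tenant
# so the cmdlets are available as Get-SrcMailbox, Get-TgtRecipient, and so on.
function Test-DelegateReadiness {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$SourceMailbox)

    # Explicit (non-inherited) FullAccess delegates on the source mailbox
    $delegates = @(Get-SrcMailboxPermission -Identity $SourceMailbox |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and
                       -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Delegate = "$($_.User)"; Right = 'FullAccess' } })

    # SendAs delegates on the source mailbox
    $delegates += @(Get-SrcRecipientPermission -Identity $SourceMailbox |
        Where-Object { $_.AccessRights -contains 'SendAs' -and
                       $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Delegate = "$($_.Trustee)"; Right = 'SendAs' } })

    foreach ($d in $delegates) {
        $status = 'Ready'
        $src = Get-SrcMailbox -Identity $d.Delegate -ErrorAction SilentlyContinue
        if (-not $src) {
            # Groups and other non-mailbox trustees need a manual review
            $status = 'Delegate is not a source mailbox; check manually'
        }
        else {
            # Target object must carry the source LegacyExchangeDN as an X500 proxy address
            $x500 = "x500:$($src.LegacyExchangeDN)".Replace("'", "''")
            $tgt = Get-TgtRecipient -Filter "EmailAddresses -eq '$x500'" -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if (-not $tgt) {
                $status = 'No target recipient has the source LegacyExchangeDN as X500'
            }
            elseif ("$($tgt.ExchangeGuid)" -ne "$($src.ExchangeGuid)") {
                # Target object must also carry the same ExchangeGuid as the source mailbox
                $status = 'Target ExchangeGuid does not match source'
            }
        }
        [pscustomobject]@{
            Mailbox = $SourceMailbox; Delegate = $d.Delegate; Right = $d.Right; Status = $status
        }
    }
}
```

Any row whose Status is not `Ready` is a delegate whose access would not be reapplied when the migration finalises.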
