0

Exchange Autodiscover – How Delegate Mailboxes Are Returned

Back with Exchange 2010 SP1 a feature was added so that mailbox which were delegated Full Mailbox access to other mailboxes would automatically have the additional mailbox made accessible in Outlook.  As an example Debora was granted Full Mailbox access to the mailbox called Postmaster.  With no additional configuration, in Debora's Outlook client (2007 and up) the Postmaster mailbox would automatically appear without her taking any additional action.

Pretty neat, eh?

Well almost.  This would auto-map all mailboxes a user had Full Mailbox access to and if this was a substantial amount the Outlook client would get a bit cluttered.  If the Postmaster mailbox was something that Debora checked one a year (not recommended!) then what was the point in having it permanently visible in Outlook?

Exchange 2010 refined the feature, and it was possible to control whether or not a mailbox would auto-map.  This capability is exposed only in PowerShell.  To leverage, use the –AutoMapping $False parameter.  The below example grants Andrew Ehrensing full access permission to ScottSchnoll's mailbox and disables the auto-mapping feature:

Add-MailboxPermission –Identity sschnoll –User "Andrew Ehrensing" -AccessRight FullAccess  -Automapping $False

 

Back In Black Backlink

<Courtesy link to AC/DC>

For the Automapping feature to work, it is necessary to set it using an Exchange 2010 SP1+ management tool.  This is because only that version sets the necessary backlink onto the user who is delegated the Full Mailbox permission. The attribute is msExchDelegateListLinkBL.  This is what Autodiscover looks at to determine if there are additional mailboxes that Outlook needs to be told about.  This means that any Full Mailbox access permissions which were set in a previous version will not have the backlink set, and this will not appear.  Do not fret as this is pretty easy to remediate.  All we need to do is get a list of the Full Mailbox permissions and re-set them with an current version of the management shell.  More on that later in this post.

After the cmdlet was executed to grant FMA for Andrew onto Scott's mailbox, we can check the properties of both accounts to see what is there for the msExchDelegate entries.  Note that the red highlighting shows that  the msExchDelegateListLinkBL is present on Andrew's user object.  msExchDelegateListLink is present on Scott's user object.   The commands are shown here.  Note that they are set to use wildcards when searching as I want to show what is set for any thing to do with msExchDelegate on each user object.

 Get-ADUser sschnoll -Properties * | Select-Object Name, *msExchDelegate*

 

Get-ADUser aehrensing -Properties * | Select-Object Name, *msExchDelegate*

 

Using Get-ADUser to View msExchDelegate Entries

Autodiscover uses the msExchDelegateListLinkBL to understand what should be handed down to Outlook.  It can look at this attribute for the mailbox it is processing and easily discover the other mailboxes that it should include in the Autodiscover response.  Else for every Autodiscover request Exchange would have to search the entire directory.

Correcting Pre Exchange 2010 SP1 Assigned Full Mailbox Access

As noted above Full Mailbox Access permissions which were set using older tools did not set the msExchDelegateListLinkBL.  If you want the auto-mapping feature to work in such cases, then you need to re-add the permissions.  This is listed on TechNet and is fairly straight forward:

Outlook User Experience

Initially Andrew sees only his own mailbox.

Outlook Showing User's Mailbox

Once Full Mailbox to Scott's mailbox has been granted, in Outlook 2010 SP2 we see that Andrew automatically has Scott's mailbox displayed.  This  is the lower red arrow.

Outlook Showing User's Mailbox And Archive Mailbox

As mentioned above, it is Autodiscover that is responsible for telling Outlook what to do.  What is Autodiscover handing down in the XML payload?  Let's take a look!

 

Autodiscover Example of Full Mailbox Access In XML

Prior to granting Andrew Full Mailbox Access to Scott's mailbox the below is the content of the XML tab when testing the email auto configuration tool:

Test Email Auto Configuration When No Full Mailbox Access Is Set

And as a comparison, this is after Full Mailbox Access has been configured.  Note that under the AlternativeMailbox section the type is Delegate.

Test Email Auto Configuration Showing Alternate Mailbox

Test Email Auto Configuration When Full Mailbox Access Has Been Granted

We can see that there is no an AlternativeMailbox section where the Delegate is handed to the client so that it can then work out how to mount the additional mailbox.

The same section is also used for archive mailboxes.  In the below image, Andrew has an archive in the local Exchange organisation.  Note that under the AlternativeMailbox section the type is archive.

Test Email Auto Configuration Showing Archive Mailbox

Cheers,

Rhoderick

Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published. Required fields are marked *