Issue
Send As permissions cannot be applied to mailboxes migrated to Office 365.
When applying permissions through the Office 365 Exchange Admin center, the following error occurs:
The same happens when applying permissions through PowerShell:
Add-RecipientPermission -Identity SteveTest4@x500.co.uk -AccessRights SendAs -Trustee SteveTest1@x500.co.uk
You can’t use the domain because it’s not an accepted domain for your organization.
+ CategoryInfo : NotSpecified: (:) [Add-RecipientPermission], NotAcceptedDomainException
+ FullyQualifiedErrorId : [Server=CWLP265MB0082,RequestId=18a85eb6-4b33-401c-86d7-a98b38d6704e,TimeStamp=03/04/2018 11:02:15] [FailureCategory=Cmdlet-NotAcceptedDomainException] B1DA05D,Microsoft.Exchange.Management.RecipientPermission.AddRecipientPermission
+ PSComputerName : outlook.office365.com
Investigation
Full Access permissions can be applied successfully.
The cause of the issue is quite clear from the error message. Looking at a mailbox migrated to Office 365, there is an SMTP address present from an invalid domain (here it’s x500.local, the internal AD domain name).
There are three accepted domains (x500.co.uk, x500.onmicrosoft.com, and x500.mail.onmicrosoft.com). So, the x500.local address needs to be removed from the mailbox.
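To find every mailbox carrying such an address before assigning Send As permissions, the following added example (not part of the original post) compares each mailbox's SMTP proxy addresses against the tenant's accepted domains. It assumes a connected Exchange Online PowerShell session and exact domain matching; the variable names are illustrative.

```powershell
# Added example: read-only audit, run in an Exchange Online PowerShell session.
# Lists SMTP proxy addresses whose domain is not an accepted domain.

# Accepted domains for the tenant, lower-cased for comparison
$accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($addr in $mbx.EmailAddresses) {
        # Entries look like "SMTP:user@domain" (primary) or "smtp:user@domain" (alias)
        $prefix, $value = "$addr" -split ':', 2

        # -ne is case-insensitive, so this keeps SMTP/smtp and skips X500, SIP, etc.
        if ($prefix -ne 'smtp' -or -not $value) { continue }

        $domain = ($value -split '@')[-1].ToLower()
        if ($accepted -notcontains $domain) {
            [pscustomobject]@{
                Mailbox     = $mbx.DisplayName
                Identity    = $mbx.PrimarySmtpAddress
                Address     = $value
                Domain      = $domain
                IsDirSynced = $mbx.IsDirSynced   # True: fix the object on-premises
            }
        }
    }
}

$report | Sort-Object Domain, Mailbox | Format-Table -AutoSize
```

An empty result means no mailbox holds an address outside the accepted domains; rows with IsDirSynced set to True have to be corrected in the on-premises directory.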
Resolution
AD objects are being synchronised from local AD to Azure AD using Azure AD Connect (see here for Azure AD Connect config), so the object needs to be modified at source.
If you attempt to remove the address through the Office 365 Exchange Admin center, you’ll get the following error:
The operation on mailbox “Steve Test4” failed because it’s out of the current user’s write scope. The action ‘Set-Mailbox’,EmailAddresses’, can’t be performed on the object ‘Steve Test4’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.
Using the Exchange 2007 Management Console, remove the invalid address, and wait for replication from local AD to Azure AD (30 mins by default).
After 30 mins, review the mailbox in the Office 365 Exchange Admin center. As long as the address no longer shows, Send As permissions can be applied. Sorted!
Worked great, thanks!