AutoMapping is a very practical feature in Exchange Server, but unfortunately it is somewhat limited: AutoMapping only connects a mailbox in Outlook automatically if the user has full access to that mailbox. As soon as granular permissions are configured at folder level, AutoMapping no longer takes effect, and the user has to connect the mailbox with the granular rights manually. However, there is another way, using a simple trick.
Brief explanation of AutoMapping
If a user is given full access to another mailbox in the Exchange Admin Center, AutoMapping is enabled by default. In this example, the user Frank is given full access to the Support mailbox:

As the name full access already suggests, Frank can now make any change in the Support mailbox and also has access to all its data and folders. For example, Frank now also has access to the calendar and the contacts. Send As and Send on Behalf are separate permissions and are not included in Full Access. In addition to the permissions, Exchange also fills the AD attribute "msExchDelegateListLink" with the DN of the user who has full access to the mailbox:

As soon as the "msExchDelegateListLink" attribute has been filled, it is included in the Autodiscover response that the Exchange server sends to the user. The "AlternativeMailbox" section then appears with the details of the mailbox that is linked to the user:

AutoMapping can be controlled via the Exchange Management Shell. The standard command, which is what the Exchange Admin Center executes, is as follows:
Add-MailboxPermission support -User frank -AccessRights FullAccess -AutoMapping $True
For full access for Frank to Support without AutoMapping, the following command is sufficient:
Add-MailboxPermission support -User frank -AccessRights FullAccess -AutoMapping $False
Unfortunately, Add-MailboxPermission cannot be used to assign granular rights to folders within the mailbox. Folder-level rights are assigned with the cmdlet Add-MailboxFolderPermission, but that cmdlet in turn has no "AutoMapping" parameter. With a small detour it works anyway.
AutoMapping without full access to the mailbox
In order to use AutoMapping without full access, the desired rights are first configured on the target mailbox. This is done with the "Add-MailboxFolderPermission" cmdlet and is identical to what a user can configure in Outlook. Here, for example, the user Frank receives Editor rights on the Inbox of the Support mailbox:
Add-MailboxFolderPermission support:\Inbox -User frank -AccessRights Editor
For this example, let's assume that Frank should only have rights to the Inbox folder, but not to other areas of the mailbox such as the calendar. For the mailbox to be connected via AutoMapping, the mailbox itself, i.e. the top-level folder, must be visible to him. The following command takes care of that:
Add-MailboxFolderPermission support -User frank -AccessRights FolderVisible
In the last step, only the AD attribute "msExchDelegateListLink" of the Support mailbox's user object needs to be filled with the DN of the user Frank:
$DN = (get-aduser frank).DistinguishedName
Set-ADUser Support -add @{"msExchDelegateListLink"="$DN"}

The next time the client runs AutoDiscover, the mailbox is connected automatically, but now only with the restricted rights:

If the access is to be removed again, the rights can be revoked in the same way:
Remove-MailboxFolderPermission support:\Inbox -User frank
Remove-MailboxFolderPermission support -User frank
Set-ADUser support -Clear "msExchDelegateListLink"

Attention: The last command in this example, "Set-ADUser support -Clear "msExchDelegateListLink"", deletes all entries in the "msExchDelegateListLink" attribute. If several users have the mailbox connected via AutoMapping, only the DN of the user in question may be deleted. Otherwise the mailbox will be removed from Outlook for all of these users on the next AutoDiscover run.
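The grant and revoke steps above, wrapped into two reusable functions as an added example that is not part of the original post. It assumes the Exchange Management Shell and the ActiveDirectory module are loaded in the same session; the function names are my own, and "support" and "frank" are the post's sample names. The revoke side uses -Remove so that only this one user's DN leaves msExchDelegateListLink instead of clearing the whole attribute.

```powershell
# Added example, not code from the original post. Assumes the Exchange Management Shell
# and the ActiveDirectory module are loaded; "support" and "frank" are the post's sample names.
function Grant-RestrictedAutoMapping {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $User,
        [string] $Folder = "Inbox",
        [string] $AccessRights = "Editor"
    )
    $dn = (Get-ADUser -Identity $User).DistinguishedName
    # Folder right on the chosen folder plus FolderVisible on the top level, which Outlook
    # needs to connect the mailbox. Add- fails if an entry exists, so fall back to Set-.
    $entries = @(
        @{ Id = "${Mailbox}:\${Folder}"; Rights = $AccessRights },
        @{ Id = $Mailbox;                Rights = "FolderVisible" }
    )
    foreach ($e in $entries) {
        if (Get-MailboxFolderPermission -Identity $e.Id -User $User -ErrorAction SilentlyContinue) {
            Set-MailboxFolderPermission -Identity $e.Id -User $User -AccessRights $e.Rights
        } else {
            Add-MailboxFolderPermission -Identity $e.Id -User $User -AccessRights $e.Rights
        }
    }

    # Append the DN only if it is missing; Set-ADUser -Add rejects a duplicate value.
    $links = (Get-ADUser -Identity $Mailbox -Properties msExchDelegateListLink).msExchDelegateListLink
    if ($links -notcontains $dn) {
        Set-ADUser -Identity $Mailbox -Add @{ msExchDelegateListLink = $dn }
    }
}

function Revoke-RestrictedAutoMapping {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $User,
        [string] $Folder = "Inbox"
    )
    $dn = (Get-ADUser -Identity $User).DistinguishedName
    Remove-MailboxFolderPermission -Identity "${Mailbox}:\${Folder}" -User $User -Confirm:$false
    Remove-MailboxFolderPermission -Identity $Mailbox -User $User -Confirm:$false

    # -Remove takes out only this user's DN. -Clear would drop every delegate and
    # disconnect the mailbox for all of them on their next AutoDiscover run.
    $links = (Get-ADUser -Identity $Mailbox -Properties msExchDelegateListLink).msExchDelegateListLink
    if ($links -contains $dn) {
        Set-ADUser -Identity $Mailbox -Remove @{ msExchDelegateListLink = $dn }
    }
}

Grant-RestrictedAutoMapping -Mailbox "support" -User "frank"
```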
This doesn't work with Exchange Online / Office 365, does it? Get-ADUser/Set-ADUser are unknown there, it seems to me.
These cmdlets are available in the on-prem AD, correct. But in an Exchange hybrid setup I can add the DNs to the attribute of the on-prem user (which belongs, for example, to a shared remote mailbox), and that is also synchronized by the Azure AD sync.
However, AutoMapping in Outlook then only seems to work for on-prem mailboxes and not for O365 mailboxes. Those still have to add the shared mailbox in the advanced settings.
A real pity. Or does anyone have another idea?
How do you "rig up" AutoMapping with groups?
In our setup the users are in groups, and the groups are granted permissions on the mailboxes.
No individual permissions are assigned to users.
It's right there in the post. You take PowerShell, read out the group members and then enter them on the corresponding mailbox as described above. And if you handle that cyclically with clear and add, the content is usually up to date.
Thanks for the info.
How do you "rig up" AutoMapping with groups? In our setup the users are in groups, and the groups are granted permissions on the mailboxes.
And if you then "rig up" this with groups, you actually only have to refresh the AutoMapping entry regularly, reading in just the group members each time. Then clear and add works too. ;)
Shouldn't the -Remove parameter also work for the last-mentioned problem?
So:
$DN = (get-aduser frank).DistinguishedName
Set-ADUser support -Remove @{msExchDelegateListLink="$DN"}
?