Using Send As and Send on Behalf Of with Non-User Mail-Enabled Objects
By now, I’m sure that every Microsoft 365 tenant administrator is aware of the upcoming deprecation of basic authentication for the SMTP AUTH protocol. Microsoft recently updated the deadline to push it back six months to start in March 2026, with final retirement scheduled by April 30, 2026. The extra time is likely a reaction to customers struggling to upgrade scripts, apps, and devices to use modern authentication.
A side effect of the changeover is that the Send-MailMessage cmdlet won’t work anymore. Because it makes it relatively easy to send a message via Exchange, the Send-MailMessage cmdlet is likely one of the most popular for Exchange automation. It’s possible to use SMTP AUTH with modern authentication, but the code to effect the change is not as simple as using Send-MailMessage and despite many requests to Microsoft to create an easy-to-use upgraded version of Send-MailMessage, nothing has happened. The upshot is that the logical upgrade path is to use the Graph APIs. My preference is to use the Send-MgUserMail cmdlet, but the Send-MgUserMessage cmdlet is also a good choice.
Sending from non-User Mailboxes
The Graph SDK cmdlets do a great job of sending messages from user mailboxes, but there’s often the need to send messages from:
- Shared mailboxes. This article demonstrates the principles of sending email from a shared mailbox.
- Microsoft 365 Group mailboxes.
- Mail-enabled security groups.
- Distribution lists (including dynamic distribution lists).
The ability to send messages from these types of mail-enabled objects is governed by a mixture of Graph API and Exchange permissions. The Exchange permission is either Send As or Send on Behalf of. The former means that the sending mailbox can impersonate another mailbox, so a recipient sees the message as coming from the impersonated mailbox. The latter means that a mailbox can send a message on behalf of another mailbox, and that fact is noted and displayed in the message header. Figure 1 shows how message recipients see messages sent using the Send As and Send on Behalf of permissions. In this instance, the message is from a Microsoft 365 group.
Exchange Online recognizes which permission is possessed by the sending mailbox and adjusts the mail header accordingly. The SendAs permission is suppossed to take precedence over Send on Behalf Of, but timing could get in the way. After updating mailbox permissions, the changes must replicate across all the mailbox servers used by a tenant. In addition, Exchange Online caches mailbox permissions to improve performance. For these reasons, it’s best to allow an hour or so to allow changes to permissions to take effect. If in doubt, remove existing permissions and add the desired permission to the mailbox again.
Sending Mail from Shared Mailboxes
The required Graph permission depends on whether an interactive (delegated) or app session is used. If running in an interactive session, only delegated permissions are available. To send from a shared mailbox, consent for the Mail.Send.Shared delegated permission must be available.
If running in app-only mode, including an Azure Automation runbook, the Mail.Send application permission is necessary. Mail.Send is a very high-profile permission because it allows an app to impersonate and send mail as any other mailbox. RBAC for Applications can restrict the scope of mailboxes an app can impersonate.
Sending Mail from other Mail-Enabled Objects
The Microsoft Graph PowerShell SDK cmdlet can send messages for distribution lists, mail-enabled security groups, and Microsoft 365 groups in either interactive or app-only sessions. Two prerequisites must be met:
- The sending mailbox must be granted the SendAs or SendOnBehalfOf permission for the list or group.
- The message structure passed to Send-MgUserMail or Send-MgUserMessage must contain the email address of the list or group in the From property.
The same approach applies to sending messages from Microsoft 365 groups, distribution lists, or mail-enabled security groups. Let’s go through the steps to send a message. First, make sure to add one of the two required permissions. Here’s how to assign the Send As permission for a Microsoft 365 group to a mailbox:
Add-RecipientPermission -Identity "askhr@Office365itpros.com" -Trustee Marty.King@office365itpros.com -AccessRights SendAs
To remove the Send As permission for a mailbox from an account, run the Remove-RecipientPermission cmdlet:
Remove-RecipientPermission -Identity "askHr@office365itpros.com" -Trustee Marty.King@office365itpros.com -AccessRights SendAs
Because distribution lists and mail-enabled security groups don’t have mailboxes, you can’t assign the Send on Behalf of permission for these objects. Here’s how to add the Send on Behalf of permission for a group mailbox:
Set-Mailbox -GroupMailbox 'askhr@office365itpros.com' -GrantSendOnBehalfTo 'james.ryan@office365itpros.com'
To remove the Send on Behalf of permission for a mailbox, run the Set-Mailbox cmdlet and remove the mailbox from the set that currently hold the permission:
Set-Mailbox -Identity askHR@office365itpros.com -GroupMailbox -GrantSendOnBehalfTo @{Remove="James.Ryan@office365itpros.com"}
If you don’t want to use PowerShell, you can manage the delegate settings for mail-enabled objects through the Groups section of the Exchange admin center.
A Script to Send Email from a Mail-enabled Object
A complete script to send a message from a mail-enabled object is shown below. The important difference between the code used to send email from a user mailbox is that the message structure passed to the Send-MgUserMail or Send-MgUserMessage cmdlet includes a from property. Assuming that the account you want to use has the necessary permissions, the essential step is to create a hash table to add the from property to the message structure. The hash table contains the primary SMTP email address of the group being impersonated. Here’s an example of how to construct an address to use as the from property:
$FromSender = @{}
$FromSender.Add("emailAddress",@{'address'="askhr@Office365itpros.com"})
The from property is then included in the message structure like this:
$Message = @{}
$Message.Add('subject', $MsgSubject)
$Message.Add('toRecipients', $MsgTo)
$Message.Add('body', $MsgBody)
$Message.Add(‘from’, $FromSender)
Bringing everything together, here’s an example of a simple but complete script to send a message from a shared mailbox, Microsoft 365 group, distribution list, or mail-enabled security group. Of course, the code only works if the appropriate Exchange and Graph permissions are in place, so be sure that the mailbox being used to send the message (defined in the $MsgFrom variable) holds either the Send As or Send on Behalf Of permissions.
# Define the mailbox that is sending the message
$MsgFrom = 'Marty.King@office365itpros.com'
# Build the array of a single TO recipient detailed in a hash table
$ToRecipient = @{}
$ToRecipient.Add("emailAddress",@{'address'="Lotte.Vetler@office365itpros.com"})
[array]$MsgTo = $ToRecipient
# Define the message subject
$MsgSubject = "Important: Hello World from a mail-enabled object"
# Create the HTML content
$HtmlMsg = "</body></html><p><b>This is a message from a shared mail-enabled object using a permission that allows Marty King to send for the Knowledge Management Champions</b></p>"
# Construct the message body
$MsgBody = @{}
$MsgBody.Add('Content', "$($HtmlMsg)")
$MsgBody.Add('ContentType','html')
# Build the parameters to submit the message
$Message = @{}
$Message.Add('subject', $MsgSubject)
$Message.Add('toRecipients', $MsgTo)
$Message.Add('body', $MsgBody)
# Define details of the mail-enabled object being impersonated
$FromSender = @{}
$FromSender.Add("emailAddress",@{'address'="Km.Champions@office365itpros.com"})
$Message.Add(‘from’, $FromSender)
$EmailParameters = @{}
$EmailParameters.Add('message', $Message)
$EmailParameters.Add('saveToSentItems', $true)
$EmailParameters.Add('isDeliveryReceiptRequested', $true)
# Send the message
Send-MgUserMail -UserId $MsgFrom -BodyParameter $EmailParameters
Copies of the messages sent from a Microsoft 365 group are in the Sent Items folder of the group mailbox. Distribution lists and mail-enabled security groups don’t have mailboxes, so the sent messages are in the Sent Items folder of the sender’s mailbox.
Sending from Shared Mail-Enabled Objects Isn’t Hard
The steps described above make perfect sense because they reflect the same way that users can send messages on behalf of other mail-enabled objects as surfaced in the Microsoft 365 admin center and Exchange admin center UX. Sometimes it just takes the steps to be written down in detail to make everything comes together. Hopefully, you now realize that sending email using modern authentication via the Microsoft Graph PowerShell SDK isn’t difficult, even when sending from other than a user mailbox.
In the Figure 1, the Send As permission should only show the name of the group, shouldn’t it ?
Microsoft 365 is great but it often requires too much time for permissions to be applied when it is nearly immediate on Active Directory 🙁
An editing glitch (mine) where the wrong JPEG was uploaded and used, compounded by having to recreate the picture after resetting permissions and making sure that the new permissions replicated… Oh well, at least I had the chance to retest the code.
@Tony: Are you sure that the two screenshots SendAs and SendonBehalf are correct? They look quite similar.
Thanks Max. See other comment about editing glitch.