@supermarsx
Last active May 13, 2026 12:53
Exchange On-premises Send as group alias

Exchange On-Prem: Allow a User to Send As a Group

This gist shows how to allow an Exchange on-prem user to send email as a distribution group, dynamic distribution group, or mail-enabled security group.

Example:

User:  john.smith@contoso.com
Group: sales@contoso.com

When correctly configured, recipients will see the message as coming from:

Sales <sales@contoso.com>

Not:

John Smith on behalf of Sales

1. Open Exchange Management Shell

Run the commands from the Exchange Management Shell as an account with sufficient Exchange recipient/admin permissions.

2. Find the real Exchange / AD identity of the group

Do not rely only on the display name. First resolve the group:

Get-Recipient -Identity "sales@contoso.com" | Format-List Name,DisplayName,PrimarySmtpAddress,RecipientTypeDetails,DistinguishedName

Example output fields to care about:

Name                  : Sales
DisplayName           : Sales
PrimarySmtpAddress    : sales@contoso.com
RecipientTypeDetails  : MailUniversalDistributionGroup
DistinguishedName     : CN=Sales,OU=Groups,DC=contoso,DC=com

For Add-ADPermission, using Name or DistinguishedName is safest.

3. Grant Send As permission

Basic form

Add-ADPermission -Identity "Sales" -User "john.smith" -ExtendedRights "Send As"

Safer form using DistinguishedName

$Group = Get-Recipient -Identity "sales@contoso.com"
$User  = Get-Recipient -Identity "john.smith@contoso.com"

Add-ADPermission `
  -Identity $Group.DistinguishedName `
  -User $User.SamAccountName `
  -ExtendedRights "Send As"

With explicit domain controller, useful in multi-DC environments

$DC = "dc01.contoso.local"

$Group = Get-Recipient -Identity "sales@contoso.com" -DomainController $DC
$User  = Get-Recipient -Identity "john.smith@contoso.com" -DomainController $DC

Add-ADPermission `
  -Identity $Group.DistinguishedName `
  -User $User.SamAccountName `
  -ExtendedRights "Send As" `
  -DomainController $DC

4. Verify Send As permission

Get-ADPermission -Identity "Sales" |
  Where-Object {
    $_.ExtendedRights -like "Send*" -and
    $_.User -like "*john.smith*" -and
    -not $_.IsInherited
  } |
  Format-Table User,Deny,IsInherited,ExtendedRights -Auto

Or using the resolved object:

$Group = Get-Recipient -Identity "sales@contoso.com"

Get-ADPermission -Identity $Group.DistinguishedName |
  Where-Object {
    $_.ExtendedRights -like "Send*" -and
    -not $_.IsInherited
  } |
  Format-Table User,Deny,IsInherited,ExtendedRights -Auto

Expected result should show something like:

User                Deny  IsInherited ExtendedRights
----                ----  ----------- --------------
CONTOSO\john.smith  False False       {Send-As}

5. Test from Outlook / OWA

Outlook desktop

  1. Create a new email.

  2. Enable the From field:

    • Options → From
  3. Click From.

  4. Choose Other Email Address.

  5. Enter the group address:

sales@contoso.com
  6. Send a test message to an external or internal mailbox.
  7. Confirm the message appears to come from the group.

Outlook Web App / Outlook on the web

  1. Create a new message.
  2. Show the From field.
  3. Replace your own address with:
sales@contoso.com
  4. Send a test message.

OWA is often the best first test because it avoids Outlook cached address book issues.

6. Common gotchas

Permission delay

Send As permissions may not work instantly because of:

  • Active Directory replication
  • Exchange cache
  • Outlook cached mode
  • Offline Address Book delay

If it fails immediately, wait a bit and test again with OWA.

Group hidden from address lists

If the group is hidden from address lists, Outlook may not allow the delegate to send from it cleanly.

Check:

Get-DistributionGroup -Identity "sales@contoso.com" |
  Format-List HiddenFromAddressListsEnabled

To unhide:

Set-DistributionGroup -Identity "sales@contoso.com" -HiddenFromAddressListsEnabled $false

Send As is not Send on Behalf

Send As:

Sales <sales@contoso.com>

Send on Behalf:

John Smith on behalf of Sales

For proper impersonated group sending, use Send As.

7. Optional: Grant Send on Behalf instead

Only use this if you specifically want recipients to see that the user sent the message on behalf of the group.

Set-DistributionGroup `
  -Identity "sales@contoso.com" `
  -GrantSendOnBehalfTo @{Add="john.smith@contoso.com"}

Verify:

Get-DistributionGroup -Identity "sales@contoso.com" |
  Format-List GrantSendOnBehalfTo

Remove:

Set-DistributionGroup `
  -Identity "sales@contoso.com" `
  -GrantSendOnBehalfTo @{Remove="john.smith@contoso.com"}

For a dynamic distribution group:

Set-DynamicDistributionGroup `
  -Identity "sales-dynamic@contoso.com" `
  -GrantSendOnBehalfTo @{Add="john.smith@contoso.com"}

8. Remove Send As permission

Remove-ADPermission `
  -Identity "Sales" `
  -User "john.smith" `
  -ExtendedRights "Send As"

Or with resolved DistinguishedName:

$Group = Get-Recipient -Identity "sales@contoso.com"
$User  = Get-Recipient -Identity "john.smith@contoso.com"

Remove-ADPermission `
  -Identity $Group.DistinguishedName `
  -User $User.SamAccountName `
  -ExtendedRights "Send As"

Verify removal:

Get-ADPermission -Identity $Group.DistinguishedName |
  Where-Object {
    $_.ExtendedRights -like "Send*" -and
    $_.User -like "*john.smith*" -and
    -not $_.IsInherited
  } |
  Format-Table User,Deny,IsInherited,ExtendedRights -Auto

No result means the explicit Send As permission was removed.

9. Bulk grant Send As to multiple users

$Group = Get-Recipient -Identity "sales@contoso.com"

$Users = @(
  "john.smith@contoso.com",
  "mary.jones@contoso.com",
  "ana.silva@contoso.com"
)

foreach ($UserIdentity in $Users) {
  $User = Get-Recipient -Identity $UserIdentity

  Add-ADPermission `
    -Identity $Group.DistinguishedName `
    -User $User.SamAccountName `
    -ExtendedRights "Send As"
}
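
A more defensive variant of the bulk grant, added here as an example (not part of the original gist): it requires each address to resolve to exactly one recipient, skips trustees that already hold the right, and runs with -WhatIf first. The "user mailboxes only" rule is an assumed policy for illustration; the addresses are the sample values used above.

```powershell
# Added example: bulk grant with validation. Run in the Exchange Management Shell.
$Group = Get-Recipient -Identity "sales@contoso.com" -ErrorAction Stop

$Users = @(
  "john.smith@contoso.com",
  "mary.jones@contoso.com",
  "ana.silva@contoso.com"
)

# Trustees that already hold an explicit, non-deny Send As on the group.
$Existing = @(
  Get-ADPermission -Identity $Group.DistinguishedName |
    Where-Object {
      $_.ExtendedRights -like "Send*" -and
      -not $_.IsInherited -and
      -not $_.Deny
    } |
    ForEach-Object { "$($_.User)" }
)

foreach ($UserIdentity in $Users) {
  # Require exactly one match so a typo or ambiguous name never grants to the wrong account.
  $Match = @(Get-Recipient -Identity $UserIdentity -ErrorAction SilentlyContinue)
  if ($Match.Count -ne 1) {
    Write-Warning "Skipping '$UserIdentity': resolved to $($Match.Count) recipients."
    continue
  }
  $User = $Match[0]

  # Assumed policy for this example: only user mailboxes may receive Send As.
  if ("$($User.RecipientTypeDetails)" -ne "UserMailbox") {
    Write-Warning "Skipping '$UserIdentity': type is $($User.RecipientTypeDetails)."
    continue
  }

  # Existing entries look like DOMAIN\samaccountname; skip if already present.
  if ($Existing -like "*\$($User.SamAccountName)") {
    Write-Host "Already granted: $UserIdentity"
    continue
  }

  # Remove -WhatIf after reviewing the planned changes.
  Add-ADPermission `
    -Identity $Group.DistinguishedName `
    -User $User.SamAccountName `
    -ExtendedRights "Send As" `
    -WhatIf
}
```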

10. Bulk report: who has Send As on a group

$Group = Get-Recipient -Identity "sales@contoso.com"

Get-ADPermission -Identity $Group.DistinguishedName |
  Where-Object {
    $_.ExtendedRights -like "Send*" -and
    -not $_.IsInherited -and
    -not $_.Deny
  } |
  Select-Object User,ExtendedRights,IsInherited,Deny |
  Format-Table -Auto
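
Because Send As lets the trustee appear as the group itself, the same report is worth running across every group during access reviews. The following is an added example, not part of the original gist, and it generalizes the single-group report to all distribution, mail-enabled security, and dynamic distribution groups; the CSV path is a placeholder.

```powershell
# Added example: org-wide review of explicit Send As grants on mail-enabled groups.
# Run in the Exchange Management Shell.
$ReportPath = "C:\Temp\SendAs-Groups.csv"   # placeholder path, change as needed

# Get-DistributionGroup returns distribution and mail-enabled security groups;
# dynamic distribution groups need their own cmdlet.
$Groups = @()
$Groups += Get-DistributionGroup -ResultSize Unlimited
$Groups += Get-DynamicDistributionGroup -ResultSize Unlimited

$Report = foreach ($Group in $Groups) {
  Get-ADPermission -Identity $Group.DistinguishedName |
    Where-Object {
      $_.ExtendedRights -like "Send*" -and
      -not $_.IsInherited -and
      -not $_.Deny -and
      "$($_.User)" -ne "NT AUTHORITY\SELF"   # ignore a SELF entry if one is present
    } |
    Select-Object `
      @{Name = "Group";          Expression = { "$($Group.PrimarySmtpAddress)" }},
      @{Name = "GroupType";      Expression = { "$($Group.RecipientTypeDetails)" }},
      @{Name = "Trustee";        Expression = { "$($_.User)" }},
      @{Name = "ExtendedRights"; Expression = { $_.ExtendedRights -join "," }}
}

# Full list for the access review.
$Report |
  Sort-Object Group, Trustee |
  Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# Quick view: trustees that can send as the most groups.
$Report |
  Group-Object Trustee |
  Sort-Object Count -Descending |
  Select-Object Count, Name |
  Format-Table -Auto
```

Comparing successive CSV exports shows grants that were added between reviews.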

11. Minimal command summary

Grant Send As:

Add-ADPermission -Identity "Sales" -User "john.smith" -ExtendedRights "Send As"

Verify:

Get-ADPermission -Identity "Sales" |
  Where-Object {$_.ExtendedRights -like "Send*" -and -not $_.IsInherited} |
  Format-Table User,Deny,IsInherited,ExtendedRights -Auto

Remove:

Remove-ADPermission -Identity "Sales" -User "john.smith" -ExtendedRights "Send As"

Send on Behalf instead:

Set-DistributionGroup -Identity "sales@contoso.com" -GrantSendOnBehalfTo @{Add="john.smith@contoso.com"}