Capstone Projects

How to Properly Administrate Mailbox Permissions in a Multi-Forest Active Directory – Exchange Architecture

Program: Applied Computing Bachelor's
Host Company: QBE Insurance Inc.
Location: Sydney / London / Sun Prairie, Wisconsin (remote)
Student: Trent Schnell

QBE has a complex Active Directory and Exchange environment. We have resource AD forests that replicate accounts and groups to ExchangeForest.com, and QBE's on-premises Exchange instance lives in ExchangeForest.com. Exchange stores mailbox permissions (FullAccess, Send on Behalf, and SendAs) in attributes of the mailbox's Active Directory account: FullAccess and Send on Behalf are stored in the account's msExchMailboxSecurityDescriptor attribute, while SendAs is stored in the account's Active Directory Advanced Security Permissions. The Outlook client reaches out to an Exchange Server using Security Identifiers (SIDs). Because replica groups and accounts exist in both forests, it is important that the correct group is granted mailbox access; otherwise Outlook and Exchange query Active Directory for the wrong object and return access denied. The replica of the group in the Exchange forest must be granted access to the mailbox; the original group in the resource forest must not.
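An added PowerShell audit (example code, not QBE's own tooling) that reads the three permission stores described above for one mailbox and flags every trustee whose SID was not issued by a domain in ExchangeForest.com. It assumes the Exchange Management Shell and the ActiveDirectory module are loaded, the mailbox identity is a placeholder, and the same-name lookup of a replica group is an assumption about how replicas are named.

```powershell
# Added audit example; not QBE's tooling. Assumes the Exchange Management Shell and the
# ActiveDirectory module are loaded and the caller can read objects in ExchangeForest.com.
param(
    [string]$Mailbox        = 'shared.mailbox@example.com',  # placeholder mailbox identity
    [string]$ExchangeForest = 'ExchangeForest.com'           # forest that hosts Exchange
)
$gc = "${ExchangeForest}:3268"   # global catalog of the Exchange forest

# Domain SIDs that belong to the Exchange forest. A trustee SID from any other domain was
# granted from a resource forest and will not resolve when Outlook asks Exchange for access.
$exchangeDomainSids = foreach ($d in (Get-ADForest -Identity $ExchangeForest).Domains) {
    (Get-ADDomain -Identity $d).DomainSID.Value
}

function ConvertTo-Sid([string]$Trustee) {
    # Translate DOMAIN\name to a SID; orphaned ACEs already show as raw SIDs and fail here.
    try { (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}
function Test-InExchangeForest([string]$Sid) {
    # Strip the trailing RID to get the issuing domain's SID, then compare.
    return $exchangeDomainSids -contains ($Sid -replace '-\d+$', '')
}

$grants = @()
# FullAccess: stored in msExchMailboxSecurityDescriptor, read via Get-MailboxPermission.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.AccessRights -contains 'FullAccess' } |
    ForEach-Object { $grants += [pscustomobject]@{ Right = 'FullAccess'; Trustee = "$($_.User)" } }
# SendAs: an extended right on the account's own DACL, read via Get-ADPermission.
Get-ADPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.ExtendedRights -like 'Send-As' } |
    ForEach-Object { $grants += [pscustomobject]@{ Right = 'SendAs'; Trustee = "$($_.User)" } }
# Send on Behalf: GrantSendOnBehalfTo holds DNs in the Exchange forest; resolve them to SIDs.
(Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo | ForEach-Object {
    $obj = Get-ADObject -Identity $_.DistinguishedName -Properties objectSid -Server $gc
    $grants += [pscustomobject]@{ Right = 'SendOnBehalf'; Trustee = $obj.objectSid.Value }
}

foreach ($g in $grants | Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' }) {
    $sid = ConvertTo-Sid $g.Trustee
    if (-not $sid) { "$($g.Right): $($g.Trustee) cannot be resolved (orphaned ACE?)"; continue }
    if (Test-InExchangeForest $sid) { "$($g.Right): $($g.Trustee) OK (Exchange forest)"; continue }
    # Granted from a resource forest: look for a same-named replica group in the Exchange
    # forest (assumes replicas keep the source group's name) and suggest it instead.
    $name = ($g.Trustee -split '\\')[-1]
    $replica = Get-ADGroup -Filter "name -eq '$name'" -Server $gc
    "$($g.Right): $($g.Trustee) is from a resource forest; " +
        $(if ($replica) { "grant $($replica.DistinguishedName) instead" } else { 'no replica found' })
}
```

Run it against a mailbox that reports access denied for a group member; a trustee flagged as "from a resource forest" is the original group that should be replaced by its Exchange-forest replica.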