Using Delegate Permissions to Manage Mailboxes
Office 365 Notification MC203923 published on Valentine’s Day gives the welcome news that Outlook mobile clients are gearing up to be able to use the Exchange Online delegate permissions to manage another user’s mailbox. This work builds on the shared mailbox support delivered for Outlook mobile last August.
The associated Microsoft 365 roadmap items (53666 for iOS and 53667 for Android) are equally obscure in what they say: “Delegates can access and manage messages within an owner’s inbox folder.” This is what shared mailbox support is all about. Fortunately, the notification is more helpful when it tells us that: “Delegates who have been granted full access permissions to send email and respond to calendar invitations on the behalf of another person will soon be able to do so from Outlook for iOS and Android.” Delegate access is described in this Microsoft support article.
Deployment Done by mid-April
Microsoft says that they are deploying the feature now. The minimum supported versions are Outlook mobile 4.25.0 for iOS (available in Testflight) and Outlook mobile 4.1.31 for Android. As always with Outlook mobile features, it takes a little time to get the new software everywhere. Microsoft says that worldwide deployment should be done by mid-April.
Full Access Permissions Needed
Delegate access only works when the user and the delegate both have Exchange Online mailboxes. The delegate must be assigned full access permission for the target mailbox before Outlook mobile can add it as a delegate mailbox. Permission is granted by editing the mailbox with the Microsoft 365 Admin Center. Open the mailbox properties and select the manage mailbox permissions tab. Then add the user to whom you want to grant access. Figure 1 shows the assignment of Full Access permission, referred to by the Admin Center as “Read and manage permission.”
Alternatively, run the Add-MailboxPermission PowerShell cmdlet. This example gives James Ryan full access to the mailbox owned by Kim Akers. The automapping parameter is set to false to stop Outlook desktop including the mailbox in the set of resources automatically opened by the client.
# Add full access permission to mailbox but don't automap
Add-MailboxPermission -Identity Kim.Akers -AccessRights FullAccess -User James.Ryan@Office365itpros.com -AutoMapping $False
Full Access grants a delegate the ability to open the mailbox and interact with its content. It grants the delegate access to every folder, meaning that they can manage the calendar. The delegate can also read every message in the mailbox. Outlook mobile doesn’t use the set of granular folder-level permissions supported by Outlook desktop to grant delegate access to specific folders.
Permission to Send Email Needed Too
Full Access doesn’t allow a delegate to impersonate the mailbox owner when sending messages. A second permission is needed, and the delegate needs to be assigned either Send On Behalf or SendAs permission. These permissions can be added through EAC or by running the Add-RecipientPermission (SendAs) or Set-Mailbox (Send On Behalf) cmdlets. For example:
# Add permission for a user to send as another user
Add-RecipientPermission -Identity Kim.Akers -AccessRights SendAs -Trustee James.Ryan
# Or allow the user to send on behalf of the mailbox owner (a plain value replaces any existing list)
Set-Mailbox -Identity Kim.Akers -GrantSendOnBehalfTo James.Ryan
It takes a few minutes to ensure that the new permissions are fully respected across Office 365.
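Because Full Access combined with SendAs lets a delegate read everything in a mailbox and send as its owner, it is worth reviewing who holds these rights. The following is an added example, not code from the article: the function name Get-MailboxDelegateReport is hypothetical, and it assumes a session already connected with Connect-ExchangeOnline.

```powershell
# Added example, not from the article. Assumes Connect-ExchangeOnline has already been run.
# Lists who holds FullAccess, SendAs or Send On Behalf on each user mailbox.
function Get-MailboxDelegateReport {          # hypothetical helper name
    param([string[]]$Identity)                # optional: limit the check to these mailboxes

    $mailboxes = if ($Identity) {
        $Identity | ForEach-Object { Get-Mailbox -Identity $_ }
    } else {
        Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
    }

    foreach ($mbx in $mailboxes) {
        $owner = $mbx.PrimarySmtpAddress

        # Explicit (non-inherited) FullAccess grants, ignoring the owner's own entry
        Get-MailboxPermission -Identity $owner |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                           -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $owner; Delegate = [string]$_.User; Right = 'FullAccess' } }

        # SendAs grants
        Get-RecipientPermission -Identity $owner |
            Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $owner; Delegate = [string]$_.Trustee; Right = 'SendAs' } }

        # Send On Behalf is stored on the mailbox itself; entries are listed as returned
        foreach ($d in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox = $owner; Delegate = [string]$d; Right = 'SendOnBehalf' }
        }
    }
}

$report = Get-MailboxDelegateReport
$report | Sort-Object Mailbox, Delegate | Format-Table -AutoSize

# Delegates who can both read everything and send as the owner
$report | Group-Object Mailbox, Delegate |
    Where-Object { $_.Group.Right -contains 'FullAccess' -and $_.Group.Right -contains 'SendAs' } |
    Select-Object -ExpandProperty Name
```

Send On Behalf entries come back as names rather than addresses, so they are reported per mailbox but not matched against the FullAccess list in the final summary.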
Adding the Mailbox to Outlook Mobile
Open Outlook mobile and go to the Settings section. Select Add Email Account and then Add Shared Mailbox. Input the SMTP address of the mailbox you want to add. If your account has delegate permissions for the mailbox, Outlook mobile lists it in the set of mailbox resources accessible in the client (Figure 2).
You can also add a delegate mailbox from the list of mailboxes displayed by Outlook mobile (left-hand navigation) by selecting the mailbox add icon at the bottom of the list.
After adding the delegate mailbox, you should be able to see all the folders in the mailbox including the calendar. You can interact with any of the messages in the delegated mailbox as if you are the owner, meaning that you can delete messages, move them between folders, and so on.
To send a message, click the New message icon and compose the message as normal. The name of the mailbox being used is displayed under the New Message label (Figure 3). Note that in this case my signature is included in messages created for the delegated mailbox.
If you’re using delegate mailboxes, you’ll want to create a separate signature for each mailbox. Do this in Settings by selecting Signature and then enabling per-account signature. You can then enter a signature for each account.
Another way to send from a delegated mailbox is to compose a message and then select the mailbox to use from the drop-down list of accounts under the New Message label (Figure 4).
Delegate Access is Another Reason to Use Outlook Mobile
Adding functionality like delegate access to mailboxes underscores the advantage of using Outlook mobile with Exchange Online compared to clients based on the ActiveSync protocol. ActiveSync is a very successful protocol that helped Microsoft evangelize mobile connections to Exchange across a wide range of email clients, but it’s an aging protocol now and just doesn’t have the same functionality as the newer Microsoft sync technology. If you’re not using Outlook mobile now, maybe now’s the time to consider switching?
The Office 365 for IT Pros eBook covers clients in some detail, including how delegate access works. It’s another reason why you should be a subscriber.