Outlook Mobile Introduces Its Own Delegation Model for Mailbox Access

Moving from Administrator-Performed Delegation

In February 2020, Microsoft added delegate support for mailboxes to Outlook mobile. At the time, an administrator had to grant full access permission for a mailbox to a delegate before the delegate could add the mailbox to Outlook mobile. Message center notification MC250343 (April 12) covers the provision of end user options in the mobile clients to delegate permissions. The update is described in roadmap items 67273 (Android) and 67274 (iOS) and has now rolled out to clients. I used Outlook for iOS version 4.2118.0 for this review.

End User Delegation

The roadmap item says that a user can give someone else (the delegate) permissions to manage email and calendar events on their behalf. In normal Outlook-based delegation, this would happen by granting the delegate read access to the mailbox and read-write access to the Inbox. However, as noted below, Outlook mobile has its own approach to delegation management.

To see the new option, go to the settings section for the client and select your mailbox. The Share Your Inbox option is towards the bottom of the screen (Figure 1). As you can see, I already have a delegate set up for my mailbox.

Figure 1: The choice in Outlook for iOS to add a new delegate

Click Add People and input the email address of the new delegate. You can select only people from your organization. Next, decide what permission the delegate should have (Figure 2). Because this is an end-user delegation rather than one assigned by an administrator, the approach and nomenclature align with Outlook desktop, where the mailbox owner grants a role to the delegate.

  • Review: Can only read items.
  • Author: Can read and create items.
  • Editor: Can read, create, and modify items.

You can change the role assigned to a delegate at any time by selecting the delegate under Share Your Inbox and selecting the new role.

Figure 2: Granting delegate permission to a user

Note the caveat at the bottom of Figure 2. Access is only granted to the Inbox folder, meaning that the delegate can process inbox items but can’t, for instance, go to the calendar to create a new meeting.

If the delegate needs to send email on behalf of the user, an administrator must assign the Send As or Send on Behalf permission to the delegate.

Granting access is silent. The permissions are present, but the mailbox owner must inform the delegate that they can now add the mailbox in Outlook mobile to access the Inbox. In addition, administrators don’t know anything about the delegation, which is perfectly fine until they’re asked to solve problems or, as in the case of tenant-to-tenant migrations, need to audit mailbox permissions to make sure that the permissions are carried over to the target tenant.
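A starting point for the kind of permission audit mentioned above, added here as an example and not taken from the original post. It assumes an existing Connect-ExchangeOnline session, an English Inbox folder name, and a placeholder output path; the post does not confirm that roles granted from Outlook mobile appear in Get-MailboxFolderPermission, so treat the Inbox rows as folder-level grants from any client.

```powershell
# Added example: inventory delegate-style access for every user mailbox.
# Requires the ExchangeOnlineManagement module and a connected session.
$Report = [System.Collections.Generic.List[object]]::new()
$Mailboxes = Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
    -Properties GrantSendOnBehalfTo

function Add-Row ($Mailbox, $Type, $Delegate, $Rights) {
    # Collect one finding per delegate and access type
    $Report.Add([pscustomobject]@{
        Mailbox = $Mailbox; Type = $Type; Delegate = $Delegate; Rights = $Rights
    })
}

foreach ($Mbx in $Mailboxes) {
    $Upn = $Mbx.UserPrincipalName

    # Folder-level roles on the Inbox (Reviewer, Author, Editor, ...).
    # ":\Inbox" is an assumption; localized mailboxes use a different folder name.
    Get-MailboxFolderPermission -Identity "${Upn}:\Inbox" -ErrorAction SilentlyContinue |
        Where-Object { $_.User.DisplayName -notin @('Default', 'Anonymous') } |
        ForEach-Object { Add-Row $Upn 'Inbox folder' $_.User.DisplayName ($_.AccessRights -join ',') }

    # Full access assigned directly on the mailbox by an administrator
    Get-MailboxPermission -Identity $Upn |
        Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' -and
                       $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object { Add-Row $Upn 'Mailbox' $_.User 'FullAccess' }

    # Send As
    Get-RecipientPermission -Identity $Upn |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
        ForEach-Object { Add-Row $Upn 'Recipient' $_.Trustee 'SendAs' }

    # Send on Behalf
    foreach ($Delegate in $Mbx.GrantSendOnBehalfTo) {
        Add-Row $Upn 'Recipient' $Delegate 'SendOnBehalf'
    }
}

# Placeholder output path; review the CSV before and after a migration
$Report | Sort-Object Mailbox, Type |
    Export-Csv -Path .\MailboxDelegationAudit.csv -NoTypeInformation
```

Comparing the CSV from the source tenant with one produced after the move shows which grants were not carried over.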

The Problem

All the above sounds good and I am sure that Outlook mobile users will be happy to delegate access to their mailbox directly from the client without administrator intervention. The problem is that Outlook mobile has done its own thing to make this feature work, likely by exploiting the Microsoft sync technology which connects Outlook mobile clients to mailbox contents. The delegation applied to the mailbox doesn’t work with Outlook desktop or OWA. For example, if you grant editor access to your mailbox to a user and they try to add a shared folder in OWA to open the mailbox, they can’t see any folders. In Figure 3 we see OWA after a user assigned editor access to my mailbox has added it as a shared folder. OWA displays my name and the option to create a new folder. There’s no trace of the Inbox, and attempting to create a new folder generates an error.

Figure 3: Outlook mobile’s delegate access doesn’t work for OWA

Slow and Odd Approach

Given the number of support incidents which often pile up relating to delegate access to mailboxes, it’s probably wise for Microsoft to take a phased approach to enabling end-user delegation in mobile clients (even delegation which only works for mobile clients). First the Inbox, then perhaps the calendar, and finally full access, or something like that.

The target audience for this feature is users who don’t use Outlook desktop or OWA (where delegate access functionality is more developed). Although it’s good to see end-user delegation appearing in Outlook mobile, creating delegation which doesn’t work for other clients is bad practice. In this light, administrators might prefer to control the process and continue to have users request delegate access to be configured for their mailbox, including access to the calendar and the ability to send delegated email. If that’s the case, the method outlined in this post remains the right way to configure delegate access for Outlook mobile.


8 Replies to “Outlook Mobile Introduces Its Own Delegation Model for Mailbox Access”

  1. How does this method and the method linked at the bottom handle MFA? If the person granting access has MFA set up on their account, does the delegate accessing email trigger it?

    1. Authentication is tied to the person seeking access. If their account is authenticated with MFA, they can access any mailboxes they have delegate access for. The fact that the account granting delegate access requires that account to use MFA is immaterial.
