In February 2020, Microsoft added delegate support for mailboxes to Outlook mobile. At the time, an administrator had to grant full access permission for a mailbox to a delegate before the delegate could add the mailbox to Outlook mobile. Message center notification MC250343 (April 12) covers the provision of end user options in the mobile clients to delegate permissions. The update is described in roadmap items 67273 (Android) and 67274 (iOS) and has now rolled out to clients. I used Outlook for iOS version 4.2118.0 for this review.
End User Delegation
The roadmap item says that a user can give someone else (the delegate) permissions to manage email and calendar events on their behalf. In normal Outlook-based delegation, this would happen by granting the delegate read access to the mailbox and read-write access to the Inbox. However, as noted below, Outlook mobile has its own approach to delegation management.
To see the new option, go to the settings section for the client and select your mailbox. The Share Your Inbox option is towards the bottom of the screen (Figure 1). As you can see, I already have a delegate set up for my mailbox.
Figure 1: The choice in Outlook for iOS to add a new delegate
Click Add People and input the email address of the new delegate. You can select only people from your organization. Next, decide what permission the delegate should have (Figure 2). Because this is an end-user delegation rather than one assigned by an administrator, the approach and nomenclature used aligns with Outlook desktop where the assignee grants a role to the delegate.
Review: Can only read items.
Author: Can read and create items.
Editor: Can read, create, and modify items.
You can change the role assigned to a delegate at any time by selecting the delegate under Share Your Inbox and selecting the new role.
Figure 2: Granting delegate permission to a user
Note the caveat at the bottom of Figure 2. Access is only granted to the Inbox folder meaning that the delegate can process inbox items but can’t, for instance, go to the calendar to create a new meeting.
If the delegate needs to send email on behalf of the user, an administrator must assign send as or send on behalf of permission to the delegate.
Granting access is silent. The permissions are present, but the mailbox owner must inform the delegate that they can now add the mailbox in Outlook mobile to access the Inbox. In addition, administrators don’t know anything about the delegation, which is perfectly fine until they’re asked to solve problems. Or, as in the case of tenant-to-tenant migrations, an audit of mailbox permissions is needed to make sure that the permissions are taken over to the target tenant.
The Problem
All the above sounds good and I am sure that Outlook mobile users will be happy to delegate access to their mailbox direct from the client without administrator intervention. The problem is that Outlook mobile has done its own thing to make this feature work, likely by exploiting the Microsoft sync technology which connects Outlook mobile clients to mailbox contents. The delegation applied to the mailbox doesn’t work with Outlook desktop or OWA. For example, if you grant editor access to your mailbox to a user and they try to add a shared folder in OWA to open the mailbox, they can’t see any folders. In Figure 3 we see OWA after a user assigned editor access to my mailbox has added it as a shared folder. OWA displays my name and the option to create a new folder. There’s no trace of the Inbox, and attempting to create a new folder generates an error.
Figure 3: Outlook mobile’s delegate access doesn’t work for OWA
Slow and Odd Approach
Given the number of support incidents which often pile up relating to delegate access to mailboxes, it’s probably wise for Microsoft to take a phased approach to enabling end-user delegation in mobile clients (even delegation which only works for mobile clients). First the Inbox, then perhaps the calendar, and finally full access, or something like that.
The target audience for this feature are users who don’t use Outlook desktop or OWA (where delegate access functionality is more developed). Although it’s good to see end-user delegation appearing in Outlook mobile, creating delegation which doesn’t work for other clients is bad practice. In this light, administrators might prefer to control the process and continue to have users request delegate access to be configured for their mailbox, including access to the calendar and the ability to send delegated email. If that’s the case, the method outlined in this post remains the right way to configure delegate access for Outlook mobile.
Learn what happens behind the scenes by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep our subscribers informed about what’s going on and what’s important across the Office 365 ecosystem.
8 Replies to “Outlook Mobile Introduces Its Own Delegation Model for Mailbox Access”
How does this method and the method linked at the bottom handle MFA? If the person granting access has MFA setup on their account does the delegate accessing email trigger it?
Authentication is tied to the person seeking access. If their account is authenticated with MFA, they can access any mailboxes they have delegate access for. The fact that the account granting delegate access requires that account to use MFA is immaterial.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
How does this method and the method linked at the bottom handle MFA? If the person granting access has MFA setup on their account does the delegate accessing email trigger it?
Authentication is tied to the person seeking access. If their account is authenticated with MFA, they can access any mailboxes they have delegate access for. The fact that the account granting delegate access requires that account to use MFA is immaterial.
Ohh right okay that makes sense. Thanks for the clarification.
I really don’t like it as an admin, is there any chance to control it via any policies or Intune profiles?
Not so far.