Impersonation vs Delegate Access in Exchange/Exchange Online

We can access and modify another (or a specific) user's mail items, calendar events, and other Exchange-related objects by using either delegate access or impersonation with the Exchange Web Services (EWS) Managed API. The two methods are used in different scenarios, and they require different sets of permissions.

Impersonation is used in scenarios in which a single account needs to access many accounts (e.g., a service account). An application can be written to display mailbox data such as the number of unread items, the calendar, and so on. The application can use a dedicated service account to access multiple users' mailboxes to display their respective data.

Delegate access is used in scenarios in which there needs to be a one-to-one relationship between users. One common application of delegate access is the sharing of calendars between users, such as when an admin manages an executive's calendar, or when a handful of individuals working on a project need to coordinate calendars.

A user or account that has been granted impersonation rights will have the same rights as the user whom they are impersonating. Typically, service accounts are given the ability to impersonate the mailbox owner. In that case, the impersonating account has full mailbox rights, just as the mailbox owner does.

With delegate access, the delegate can be granted more granular rights, up to and including full mailbox access. Delegate access can also be configured per folder, or per mailbox. For example, a user can grant the delegate read-only access to the Inbox, read-write access to a calendar folder, and so on.
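
The two access patterns described above look like this in the EWS Managed API. This is an added example, not code from the original article; the mailbox addresses, EWS URL and credentials are placeholder assumptions.

```csharp
using System;
using Microsoft.Exchange.WebServices.Data;

static class MailboxAccessExample
{
    // Impersonation: the caller (typically a service account) acts as the
    // mailbox owner, so every call made while ImpersonatedUserId is set
    // runs with the owner's full mailbox rights.
    static int UnreadViaImpersonation(ExchangeService service, string ownerSmtp)
    {
        service.ImpersonatedUserId =
            new ImpersonatedUserId(ConnectingIdType.SmtpAddress, ownerSmtp);
        try
        {
            Folder inbox = Folder.Bind(service, WellKnownFolderName.Inbox,
                new PropertySet(FolderSchema.UnreadCount));
            return inbox.UnreadCount;
        }
        finally
        {
            // Clear the identity so later calls on this service object
            // do not keep running as the impersonated user.
            service.ImpersonatedUserId = null;
        }
    }

    // Delegate access: the caller stays itself and addresses the owner's
    // folder explicitly. The call succeeds only with the rights the owner
    // granted on that folder (for example, read-only on the calendar).
    static void PrintCalendarViaDelegate(ExchangeService service, string ownerSmtp)
    {
        var calendar = new FolderId(WellKnownFolderName.Calendar, new Mailbox(ownerSmtp));
        var week = new CalendarView(DateTime.Today, DateTime.Today.AddDays(7));
        foreach (Appointment appt in service.FindAppointments(calendar, week))
            Console.WriteLine("{0:g}  {1}", appt.Start, appt.Subject);
    }

    static void Main()
    {
        // Placeholder connection details (assumptions, not from the article).
        var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1);
        service.Credentials = new WebCredentials("caller@example.com", "<password>");
        service.Url = new Uri("https://mail.example.com/EWS/Exchange.asmx");
        try
        {
            Console.WriteLine(UnreadViaImpersonation(service, "user1@example.com"));
            PrintCalendarViaDelegate(service, "executive@example.com");
        }
        catch (ServiceResponseException ex)
        {
            // Raised when the caller lacks the required permission.
            Console.WriteLine("EWS refused the request: " + ex.ErrorCode);
        }
    }
}
```

In practice the two methods would usually run under different callers: a service account for the impersonation call and the delegate's own account for the delegate call.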

For more details, refer to this article: Exchange Impersonation vs. Delegate Access
