Conflicting permission sets when working with shared or delegated folders in Outlook

This post has been republished via RSS; it originally appeared at: Outlook Global Customer Service & Support Team Blog articles.

Outlook allows users to share folders so that others can interact with items in those folders. Additionally, a user can be configured as an Outlook Delegate, allowing him or her to manage specific tasks on your behalf, such as meeting-related tasks. If another user grants you folder permissions (or makes you a delegate) and you use Outlook to perform actions on that user's shared items, Outlook performs these actions using a specific permission set. However, there are a couple of different ways that you can be granted access to a user's folders. Each of these ways can create a different permission set, which can later result in conflicts.

 

The diagram below shows how Outlook can be exposed to conflicting permission sets. Let's start with the following facts:

 

  • Permission set X is created when the Exchange Server Administrator grants you FullAccess permission to Allison's mailbox.
  • Permission set Y is created when Allison grants you explicit folder permissions by using Microsoft Outlook. Allison can do this in one of two ways:
    • Grant you individual folder permissions by right-clicking on a folder and selecting Permissions.
    • Configure you as an Outlook Delegate to specific Outlook folders, such as the Calendar.

 

When you use Outlook to work with Allison's shared items, Outlook may initially use one specific permission set (this is Permission set Y in the diagram below). As you continue using Outlook to work with Allison's items, a particular function may be blocked within the existing context (again Permission set Y). In this case, some expected functionality may not be available. However, it is important to note that the unexpected behavior will not be consistent, nor can it be clearly defined here, because the initial context used by Outlook can differ depending on how Allison's mailbox or shared items are first accessed by Outlook.

 

[Diagram: ConflictingPermissionSets.jpg]

 

In the diagram, you see that the elevated permissions necessary to perform tasks on Allison's other folders are not available. This occurs because Outlook is not designed to consistently work with two or more permission sets.

 

In some cases, Microsoft documentation points this limitation out. For example, some of the issues that can occur due to conflicting permission sets are listed in the following Microsoft Knowledge Base article:

 

981245 Issues that can occur when you add multiple Exchange accounts in the same Outlook 2010 profile

 

The bottom line: the easiest way to remember the limitation (and to avoid it) is by granting permissions using only one application: either Microsoft Outlook or Microsoft Exchange Server.
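One way for an Exchange administrator to find trustees who have ended up with both permission sets on a mailbox, shown as an added example that is not part of the original post. It assumes a connected Exchange Management Shell or Exchange Online PowerShell session and English default folder names; the function name and mailbox address are hypothetical.

```powershell
# Added example: report trustees who hold both permission set X (Exchange
# FullAccess) and permission set Y (Outlook folder or delegate permissions).
function Find-ConflictingPermissionSets {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        # Assumption: English default folder names; '' is the mailbox root.
        [string[]] $Folders = @('', 'Calendar', 'Inbox', 'Contacts', 'Tasks')
    )

    # Permission set X: explicit (non-inherited) FullAccess granted on the server.
    $fullAccess = Get-MailboxPermission -Identity $Mailbox |
        Where-Object {
            ($_.AccessRights -like '*FullAccess*') -and
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\*'
        }

    foreach ($entry in $fullAccess) {
        $trustee = $entry.User.ToString()
        foreach ($folder in $Folders) {
            # Permission set Y: a folder-level entry for the same trustee.
            # A missing entry raises an error, which is suppressed here.
            $perm = Get-MailboxFolderPermission -Identity "${Mailbox}:\$folder" `
                        -User $trustee -ErrorAction SilentlyContinue
            if ($perm -and ($perm.AccessRights -notlike 'None')) {
                [pscustomobject]@{
                    Mailbox      = $Mailbox
                    Trustee      = $trustee
                    Folder       = if ($folder) { $folder } else { '(root)' }
                    FolderRights = ($perm.AccessRights -join ',')
                }
            }
        }
    }
}

# Hypothetical mailbox address, used only for illustration.
Find-ConflictingPermissionSets -Mailbox 'allison@contoso.example' |
    Format-Table -AutoSize
```

Each row returned is a trustee for whom one of the two grants should be removed so that only a single permission set remains.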

 

Note for Office 365 mailbox users: If you and the person sharing their calendar with you both have Exchange Online mailboxes on Office 365, you may be able to take advantage of a new shared calendar experience. The new calendar sharing model makes significant improvements to the user experience. For more information about the new model, see the following Office help article:

 

Calendar Sharing in Office 365

 

Which application should you use to give permissions to your items?

Since a user should only use one of two methods (Outlook or Exchange) to share their folders or entire mailbox, the following table will help you choose. The table lists some of the benefits and functionality that are available with each method.

 

 

Shared mailbox appears in the Outlook Navigation Pane
  • Exchange FullAccess: Automatically, if both of the following are true: (a) Exchange FullAccess permission is granted with AutoMapping enabled on Exchange Server 2010 SP1 or later; (b) you are using Microsoft Outlook 2010 or newer. Otherwise, you can manually add the shared mailbox as a second account using File | Account Settings.
  • Outlook Delegate or Shared Folder: Not if you are only given permission to a specific folder or are only granted Delegate access. However, there is an exception. The user can grant you at least View permissions to their top level folder. Then, you add the shared mailbox to Outlook by using the Open these additional mailboxes option. If the user wishes to grant you access to their other non-default folders, they can set folder permissions on each individual folder.

Receive meeting invitations on other's behalf
  • Exchange FullAccess: No
  • Outlook Delegate or Shared Folder: Yes, if you are configured as a Delegate. No, if you only have folder permissions.

Able to view private items in shared mailbox
  • Exchange FullAccess: No
  • Outlook Delegate or Shared Folder: Yes, if you are configured as a Delegate and with the option "Delegate can see my private items". Note: To view private items in other folders such as contacts or email folders, you must also be granted Reviewer permission to the Calendar.

Able to open shared mailbox in OWA
  • Exchange FullAccess: Yes
  • Outlook Delegate or Shared Folder: No

Effect on Offline Outlook Data (.ost) file size
  • Exchange FullAccess: One .ost file is created. It contains the contents of both your mailbox and of the shared mailbox.
  • Outlook Delegate or Shared Folder: Reduced size since only specific folders are being shared and cached (the additional shared folders are cached in the same .ost that is associated with the delegate's Outlook profile).

Other considerations
  • Exchange FullAccess: Not optimal as it requires maintaining permissions on both the Exchange Server (FullAccess) and Outlook client (delegate/folder) permissions. Although the Exchange administrator can control this set of permissions, the administrator has no control over Outlook clients. Therefore, if a client chooses to configure delegate/folder permissions, they can enter an unsupported state. Additionally, the shared mailbox is fully exposed to any unexpected actions performed by the secondary user (or by any of their add-ins or devices).
  • Outlook Delegate or Shared Folder: This is the recommended option, as it limits the effect that other users' add-ins or devices can have on the owner's mailbox. Additionally, it prevents Outlook clients from being configured in an unsupported state.

 

Additional resources

One delegate can manage multiple mailboxes. However, any given mailbox should have a limited number of delegates. Additionally, only one delegate with Editor permission is recommended. See the following Office Help article for more information:

 

Best practices when using the Outlook Calendar

 

Exchange administrators may be interested in the following Microsoft Docs article, which explains how to disable Auto Mapping:

 

Disable Outlook Auto-Mapping with Full Access Mailboxes
