Conflicting permission sets when working with shared or delegated folders in Outlook
Published Mar 26 2019 08:40 AM 29.5K Views
Microsoft

Outlook allows users to share folders so that others can interact with items in those folders. Additionally, a user can be configured as an Outlook Delegate, allowing him or her to manage specific tasks on your behalf, such as meeting-related tasks. If another user grants you folder permissions (or makes you a delegate) and you use Outlook to perform actions on that user's shared items, Outlook performs these actions using a specific permission set. However, there are a couple of different ways that you can be granted access to a user's folders. Each of these ways can create a different permission set, which can later result in conflicts.

 

Important: Outlook for Microsoft 365 introduced Calendar sharing improvements that are based on the REST protocol. A shared calendar that syncs using the improved calendar sharing model is not susceptible to the limitation described in this blog post. To determine if you are using the new Calendar sharing model or if your organization supports it, see the Microsoft Support articles Calendar sharing in Microsoft 365 and Outlook calendar sharing updates.

 

The diagram below shows how Outlook can be exposed to conflicting permission sets. Let's start with the following facts:

 

  • Permission set X is created when the Exchange Server Administrator grants you FullAccess permission to Allison's mailbox.

  • Permission set Y is created when Allison grants you explicit folder permissions by using Microsoft Outlook. Allison can do this in one of two ways:

    • Grant you individual folder permissions by right-clicking on a folder and selecting Permissions.

    • Configure you as an Outlook Delegate to specific Outlook folders, such as the Calendar.

 

When you use Outlook to work with Allison's shared items, Outlook may initially use one specific permission set (this is Permission set Y in the diagram below). As you continue using Outlook to work with Allison's items, a particular function may be blocked within the existing context (again Permission set Y). In this case, some expected functionality may not be available. However, it is important to note that the unexpected behavior will not be consistent, nor can it be clearly defined here, because the initial context used by Outlook can differ depending on how Allison's mailbox or shared items are first accessed by Outlook.

 

[Diagram: ConflictingPermissionSets.jpg]

 

In the diagram, you see that the elevated permissions necessary to perform tasks on Allison's other folders are not available. This occurs because Outlook is not designed to consistently work with two or more permission sets.

 

In some cases, Microsoft documentation points this limitation out. For example, some of the issues that can occur due to conflicting permission sets are listed in the following Microsoft Knowledge Base article:

 

981245 Issues that can occur when you add multiple Exchange accounts in the same Outlook 2010 profile

 

The bottom line: the easiest way to remember the limitation (and to avoid it) is by granting permissions using only one application: either Microsoft Outlook or Microsoft Exchange Server.

 

Note for Office 365 mailbox users: If you and the person sharing their calendar with you both have Exchange Online mailboxes on Office 365, you may be able to take advantage of a new shared calendar experience. The new calendar sharing model makes significant improvements to the user experience. For more information about the new model, see the following Office help article:

 

Calendar Sharing in Office 365

 

Which application should you use to give permissions to your items?

Since a user should only use one of two methods (Outlook or Exchange) to share their folders or entire mailbox, the following table will help you choose. The table lists some of the benefits and functionality that are available with each method.

 

 

Each item below compares the two methods: Exchange FullAccess, and Outlook Delegate or Shared Folder.

Shared mailbox appears in the Outlook Navigation Pane

  • Exchange FullAccess: Automatically, if both of the following are true:

    a. Exchange FullAccess permission is granted with AutoMapping enabled on Exchange Server 2010 SP1 or later.

    b. You are using Microsoft Outlook 2010 or newer.

    Otherwise, you can manually add the shared mailbox as a second account using File | Account Settings.

  • Outlook Delegate or Shared Folder: Not if you are only given permission to a specific folder or are only granted Delegate access. However, there is an exception. The user can grant you at least View permissions to their top level folder. Then, you add the shared mailbox to Outlook by using the Open these additional mailboxes option. If the user wishes to grant you access to their other non-default folders, they can set folder permissions on each individual folder.

Receive meeting invitations on other's behalf

  • Exchange FullAccess: No

  • Outlook Delegate or Shared Folder: Yes, if you are configured as a Delegate. No, if you only have folder permissions.

Able to view private items in shared mailbox

  • Exchange FullAccess: No

  • Outlook Delegate or Shared Folder: Yes, if you are configured as a Delegate and with the option "Delegate can see my private items".

    Note: To view private items in other folders such as contacts or email folders, you must also be granted Reviewer permission to the Calendar.

Able to open shared mailbox in OWA

  • Exchange FullAccess: Yes

  • Outlook Delegate or Shared Folder: No

Effect on Offline Outlook Data (.ost) file size

  • Exchange FullAccess: One .ost file is created. It contains the contents of both your mailbox and of the shared mailbox.

  • Outlook Delegate or Shared Folder: Reduced size since only specific folders are being shared and cached (the additional shared folders are cached in the same .ost that is associated with the delegate's Outlook profile).

Other considerations

  • Exchange FullAccess: Not optimal as it requires maintaining permissions on both the Exchange Server (FullAccess) and Outlook client (delegate/folder) permissions. Although the Exchange administrator can control this set of permissions, the administrator has no control over Outlook clients. Therefore, if a client chooses to configure delegate/folder permissions, they can enter an unsupported state. Additionally, the shared mailbox is fully exposed to any unexpected actions performed by the secondary user (or by any of their add-ins or devices).

  • Outlook Delegate or Shared Folder: This is the recommended option, as it limits the effect that other users' add-ins or devices can have on the owner's mailbox. Additionally, it prevents Outlook clients from being configured in an unsupported state.

 

Solution: Avoid the conflicts

The manager, delegate, and possibly the Exchange admin must consider the details in the above table and decide which changes to make to ensure an optimal configuration. For example, the necessary changes may involve one of the following solutions:

 

Option 1

Action - If the delegate needs to manage all of the manager's folders, then they should maintain Full Access permissions. However, the manager needs to remove the delegate using the Outlook client. To do this, the manager clicks on File, then clicks Account Settings, and then clicks Delegate Access to remove the delegate.

Result - The delegate will no longer receive the manager's meeting invitations in their own mailbox. The delegate must open the manager's Inbox to respond to their meeting invitations.

 

Option 2

Action - The Exchange admin uses either the Exchange Admin Center or the Exchange Online PowerShell to remove Full Access permissions:

‣ they open the Exchange Admin Center and then open the manager mailbox. In the Mailbox permissions tab, they remove the delegate from Full Access.

‣ or the admin runs the Exchange Online PowerShell cmdlet:

Remove-MailboxPermission -Identity ManagerAlias -User DelegateAlias -AccessRights FullAccess

Result - The delegate no longer sees the manager's mailbox in their Outlook profile nor in OWA. The manager does not need to make any changes in the Delegate Access dialog in Outlook, unless they now want to also grant access to the Inbox. The delegate continues to receive meeting requests and responses based on the Delegate Access settings.
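
Before choosing between Option 1 and Option 2, an administrator needs to know which users actually hold both permission sets on a mailbox. The following PowerShell function is an added example, not part of the original post: it takes objects shaped like simplified output of Get-MailboxPermission (permission set X) and Get-MailboxFolderPermission (permission set Y) and reports every user present in both. The function name and the sample objects are constructed for illustration, and the User values are assumed to be already normalised to one identifier, because the two cmdlets display users differently.

```powershell
# Added example: flag users who hold BOTH permission sets on one mailbox.
# Inputs mirror simplified Get-MailboxPermission / Get-MailboxFolderPermission
# output. Assumption: User is already normalised to one identifier in both sets.
function Find-PermissionSetConflict {
    param(
        [Parameter(Mandatory)] [object[]] $MailboxPermission,  # set X candidates
        [Parameter(Mandatory)] [object[]] $FolderPermission    # set Y candidates
    )
    # Set X: explicit (not inherited), non-deny FullAccess entries.
    $fullAccess = $MailboxPermission | Where-Object {
        $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny
    }
    # Set Y: explicit folder grants, skipping the built-in Default/Anonymous
    # rows and rows whose only right is None.
    $folderGrants = $FolderPermission | Where-Object {
        $_.User -notin 'Default', 'Anonymous' -and
        @($_.AccessRights | Where-Object { $_ -ne 'None' }).Count -gt 0
    }
    foreach ($fa in $fullAccess) {
        $hits = @($folderGrants | Where-Object { $_.User -eq $fa.User })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                User       = $fa.User
                Folders    = ($hits.FolderName | Sort-Object -Unique) -join ', '
                IsDelegate = [bool]($hits | Where-Object { $_.SharingPermissionFlags -match 'Delegate' })
            }
        }
    }
}

# Constructed sample data (not real output).
$mailboxPerms = @(
    [pscustomobject]@{ User = 'DelegateAlias'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'NT AUTHORITY\SYSTEM'; AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }
)
$folderPerms = @(
    [pscustomobject]@{ FolderName = 'Calendar'; User = 'Default'; AccessRights = @('AvailabilityOnly'); SharingPermissionFlags = $null }
    [pscustomobject]@{ FolderName = 'Calendar'; User = 'DelegateAlias'; AccessRights = @('Editor'); SharingPermissionFlags = 'Delegate, CanViewPrivateItems' }
    [pscustomobject]@{ FolderName = 'Inbox'; User = 'ReviewerAlias'; AccessRights = @('Reviewer'); SharingPermissionFlags = $null }
)

# Reports DelegateAlias (FullAccess plus Calendar delegate); ReviewerAlias holds
# only folder permissions and the inherited SYSTEM entry is ignored.
Find-PermissionSetConflict -MailboxPermission $mailboxPerms -FolderPermission $folderPerms
```

A user reported with IsDelegate set to True is in the state that Option 1 and Option 2 resolve: either the delegate entry or the FullAccess grant has to go.
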

Additional resources

One delegate can manage multiple mailboxes. However, any given mailbox should have a limited number of delegates. Additionally, only one delegate with Editor permission is recommended. See the following Office Help article for more information:

 

Best practices when using the Outlook Calendar

 

Exchange administrators may be interested in the following Microsoft Docs article, which explains how to disable Auto Mapping:

 

Disable Outlook Auto-Mapping with Full Access Mailboxes

Last update: Jul 18 2022 11:12 AM