SOLVED

Exchange Online Delegated Access vs Application Impersonation


Hi All!


Our customer has many applications which use EWS communication with Exchange Online objects, such as room mailboxes and user mailboxes. So far these applications have used the delegated access security model in order to reach and operate their tasks on the mentioned Exchange objects. Now we need to put into production a 3rd party application which only and solely needs Exchange Online Application Impersonation instead of Delegated Access for its operation. So it is inevitable to put the Application Impersonation model into production in Exchange Online. My question: if I put Exchange Online Application Impersonation into production, is there any risk for the applications which have used the delegated access model so far?


https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-e...


https://docs.microsoft.com/en-us/exchange/permissions-exo/permissions-exo


Thanks!

2 Replies
Best Response confirmed by Róbert Formódi (Occasional Contributor)

Hello @Róbert Formódi,


I think you are fine either way, and the application impersonation would not interfere with existing permissions or access (after all, it's just another type of access).

Just assign application impersonation either using the default admin roles, or by creating your own role group with just that role in Exchange Online. That should have no bearing on anything else you are doing, and you should be good to go.

If you wanted to be extra safe, create a new account to serve as the application impersonation account, independent from the other accounts which use delegate access, and set up the new service using the new user that you have granted application impersonation to. You would 100% be in the clear that way.

Adam

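The setup Adam describes (a dedicated service account holding only the ApplicationImpersonation role, with nothing else touched), written out as an added Exchange Online PowerShell example that is not part of the thread. It assumes the ExchangeOnlineManagement module is installed, that the service account and admin UPNs are placeholders to replace, and that the third-party app only needs room mailboxes, which is what the management scope restricts it to.

```powershell
# Added example (not from the thread): grant ApplicationImpersonation to one dedicated
# service account, scoped to a subset of mailboxes, and verify nothing else changed.
# Assumptions: ExchangeOnlineManagement module installed; the service account
# svc-ews-impersonation@contoso.com (placeholder) already exists as a user.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'   # placeholder admin UPN

$ServiceAccount = 'svc-ews-impersonation@contoso.com'   # placeholder, used only by the new app

# 1. Record the existing ApplicationImpersonation assignments before changing anything,
#    so the accounts that use delegated access can be shown to be untouched afterwards.
$Before = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation)

# 2. Limit impersonation to the mailboxes the third-party app actually needs.
#    Room mailboxes only here (assumption; adjust the filter to the app's real scope).
New-ManagementScope -Name 'EWS Impersonation - Room Mailboxes' `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'RoomMailbox'"

# 3. Assign the role directly to the service account, inside that scope. No default
#    role group is modified, so delegated-access accounts keep exactly what they had.
New-ManagementRoleAssignment -Name 'ThirdPartyApp Impersonation' `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope 'EWS Impersonation - Room Mailboxes'

# 4. Verify: the only new assignment is the one bound to the service account and scope.
$After = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation)
$After |
    Where-Object { $_.Name -notin $Before.Name } |
    Format-List Name, RoleAssignee, CustomRecipientWriteScope, RecipientWriteScope

Disconnect-ExchangeOnline -Confirm:$false
```

If step 4 lists anything other than the single 'ThirdPartyApp Impersonation' assignment, another role assignment was created or widened and should be reviewed before the app goes live.
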
Hello,

I agree with Adam. In my opinion application impersonation would be the easiest way to connect a third party system to Exchange.
You should use a new user for the system, so the other systems should remain unaffected.
I'm generally more a friend of application impersonation than of delegated access.

Kind regards,

Matthias