cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Exchange Online Delegated Access vs Application Impersonation

Róbert Formódi
Copper Contributor

‎Jul 31 2018 11:31 PM

‎Jul 31 2018 11:31 PM

Exchange Online Delegated Access vs Application Impersonation

Hi All!

 

Our customer has many applications which use EWS communication with Exchange Online objects like for room mailboxes and user mailboxes. So far these application are used delegated access security model order to reach and operate its tasks on the mentioned exchange objects. Now needed to put production a 3rd party application which only and solely need Exchange Online Application Impersonation instead of Delegated Access for its operation. So inevitable to put production the Application Impersonation model in Exchange Online. My question, If I put the production the Exchange Online Application Impersonation is there any risk for that application which are used delegated access model so far?

 

https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-e...

 

https://docs.microsoft.com/en-us/exchange/permissions-exo/permissions-exo

 

Thanks!

4,381 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Róbert Formódi (Copper Contributor)
Adam Ochs

‎Aug 09 2018 10:59 AM

‎Aug 09 2018 10:59 AM

Solution

Re: Exchange Online Delegated Access vs Application Impersonation

Hello @Róbert Formódi,

 

I think you are fine either way, and the application impersonation would not interfere with existing permissions or access (after all its just another type of access).

Just assign application impersonation either using the default admin roles, or creating your own with just that role in Exchange Online. That should have no baring on anything else you are doing, and you should be good to go.

If you wanted to be extra safe, create a new account to serve as the application impersonation account, independent from the other accounts which use delegate access, and setup the new service using the new user that you have granted application impersonation too. You would 100% be in the clear that way.

Adam

1 Like
Reply
Matthias Hübner

‎Aug 27 2018 01:10 AM

‎Aug 27 2018 01:10 AM

Re: Exchange Online Delegated Access vs Application Impersonation

Hello,

I agree with Adam. In my opinion application impersonation would be the easiest way to connect a third party system to Exchange.
You should use a new user for the system, so the other systems should remain unaffected.
I'm generally mor a friend of application impersonation instead of delegated access.

Kind regards,

Matthias
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Róbert Formódi (Copper Contributor)
Adam Ochs

‎Aug 09 2018 10:59 AM

‎Aug 09 2018 10:59 AM

Solution

Re: Exchange Online Delegated Access vs Application Impersonation

Hello @Róbert Formódi,

 

I think you are fine either way, and the application impersonation would not interfere with existing permissions or access (after all its just another type of access).

Just assign application impersonation either using the default admin roles, or creating your own with just that role in Exchange Online. That should have no baring on anything else you are doing, and you should be good to go.

If you wanted to be extra safe, create a new account to serve as the application impersonation account, independent from the other accounts which use delegate access, and setup the new service using the new user that you have granted application impersonation too. You would 100% be in the clear that way.

Adam

View solution in original post

1 Like
Reply