Jul 31 2018 11:31 PM
Hi All!
Our customer has many applications which use EWS communication with Exchange Online objects like for room mailboxes and user mailboxes. So far these application are used delegated access security model order to reach and operate its tasks on the mentioned exchange objects. Now needed to put production a 3rd party application which only and solely need Exchange Online Application Impersonation instead of Delegated Access for its operation. So inevitable to put production the Application Impersonation model in Exchange Online. My question, If I put the production the Exchange Online Application Impersonation is there any risk for that application which are used delegated access model so far?
https://docs.microsoft.com/en-us/exchange/permissions-exo/permissions-exo
Thanks!
Aug 09 2018 10:59 AM
SolutionHello @RobertFormodi,
I think you are fine either way, and the application impersonation would not interfere with existing permissions or access (after all its just another type of access).
Just assign application impersonation either using the default admin roles, or creating your own with just that role in Exchange Online. That should have no baring on anything else you are doing, and you should be good to go.
If you wanted to be extra safe, create a new account to serve as the application impersonation account, independent from the other accounts which use delegate access, and setup the new service using the new user that you have granted application impersonation too. You would 100% be in the clear that way.
Adam
Aug 27 2018 01:10 AM
Aug 09 2018 10:59 AM
SolutionHello @RobertFormodi,
I think you are fine either way, and the application impersonation would not interfere with existing permissions or access (after all its just another type of access).
Just assign application impersonation either using the default admin roles, or creating your own with just that role in Exchange Online. That should have no baring on anything else you are doing, and you should be good to go.
If you wanted to be extra safe, create a new account to serve as the application impersonation account, independent from the other accounts which use delegate access, and setup the new service using the new user that you have granted application impersonation too. You would 100% be in the clear that way.
Adam