If you’ve worked with Exchange applications before, you’re probably familiar with the different ways to manage permissions. Outlook Room Booker calendar syncing for Exchange/O365 connects via UserImpersonation on each of the managed room and user calendars.
WHY DOES MICROSOFT RECOMMEND IMPERSONATION FOR APPS?
To understand the differences, here are a few explanations from Microsoft’s developer blogs:
Via The importance of EWS Impersonation while using an application account:
Accordingly, Delegate access is a user-manager permission, as it presumes that the user/owner of the mailbox is explicitly granting access. Impersonation, on the other hand, has been designed to support enterprise applications, and is an administratively controlled access methodology that requires no intervention from the mailbox owner.
One way to think of the differences is that Impersonation is access for applications, whereas Delegate access is access for users.
There’s also support for better logging out of the box, which gives you much more power to audit how applications access your data:
Note that both Impersonation and Impersonation activity can be logged by both IIS and EWS native logging functionality, providing a full audit trail.
Via Exchange Impersonation vs. Delegate Access:
Exchange Impersonation is used in scenarios in which a single account needs to access many accounts. Line-of-business applications that work with mail typically use Exchange Impersonation.
Delegate access is used in scenarios in which there needs to be a one-to-one relationship between users.
There are no plans to support user delegation now or in the future.
“My organization doesn’t allow Impersonation…”
If your organization has policies around impersonation, a few clarifications usually help. Generally there are two concerns:
- Service accounts shouldn’t have the ability to impersonate people (e.g. your CEO)
- Logging requests made via Impersonation is challenging compared to delegate access
When your organization doesn’t allow the use of User Mailbox Impersonation, we can limit the scope to Room Mailbox Impersonation. When you use Room Mailbox Impersonation, take into account that this will limit the functions of the Outlook Room Booker. Please find more information here.
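One way to restrict impersonation to room mailboxes with Exchange RBAC is shown below. It is an added example, not taken from the Outlook Room Booker documentation. It assumes an Exchange Management Shell session with rights to manage role assignments; the service account, scope and assignment names are hypothetical placeholders.

```powershell
# Added example. All three names below are hypothetical placeholders.
$ServiceAccount = 'svc-roombooker@example.com'
$ScopeName      = 'RoomMailboxesOnly'
$AssignmentName = 'RoomBooker-Impersonation-Rooms'

# 1. Audit first: list ApplicationImpersonation assignments that have no
#    custom recipient scope. Any service account listed here can
#    impersonate every mailbox covered by its default write scope.
#    Built-in role groups may also appear in this list.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
    Where-Object { -not $_.CustomRecipientWriteScope } |
    Format-Table Name, RoleAssigneeName, RecipientWriteScope -AutoSize

# 2. Define a management scope that matches room mailboxes only.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'RoomMailbox'"

# 3. Preview which recipients the scope matches before granting anything.
#    User mailboxes must not appear in this output.
$filter = (Get-ManagementScope $ScopeName).RecipientFilter
Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
    Select-Object Name, RecipientTypeDetails

# 4. Grant impersonation to the service account, limited to that scope.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role 'ApplicationImpersonation' `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# 5. Verify: every ApplicationImpersonation assignment held by the service
#    account should show the room-only scope. An assignment with an empty
#    CustomRecipientWriteScope is still unscoped and should be removed.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount `
    -Role 'ApplicationImpersonation' |
    Format-List Name, Role, CustomRecipientWriteScope, Enabled
```

Rerunning step 1 after the change gives a quick check that no unscoped impersonation assignment remains for the service account.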