Developers of applications which require access to user mailboxes often struggle with the choice between the Impersonation and Delegation access methods. While both provide programmatic rights to mailbox objects, they are designed to meet rather different needs, and for situations where a single account needs to access multiple mailboxes, Impersonation is the better choice. This post will provide an overview of why, and what the implications of using Impersonation are.
First, a point of clarification: Delegate access is geared to situations where an application needs access to mailbox items controlled by a user, and where it is likely that code will be run under the logged-on users permissions. Accordingly, Delegate access is a user-manager permission, as it presumes that the user/owner of the mailbox is explicitly granting access. Impersonation, on the other hand, has been designed to support enterprise applications, and is an administratively controlled access methodology that requires no intervention from the mailbox owner. One way to think of the differences is that Impersonation is access for applications, whereas Delegate access is access is for users.
In practice, applications using EWS Impersonation are more robust, as other applications or normal users cannot revoke permission settings on the fly as they can with Delegate settings. Furthermore, the setup and administration of Impersonation is significantly less complex and time consuming when dealing with large sets of users, as it can be set globally rather per mailbox.
From a security perspective, Impersonation is preferable to Delegate access for the following reasons:
Note that both Impersonation and Impersonation activity can be logged by both IIS and EWS native logging functionality, providing a full audit trail.
To summarize some of the reasons why EWS Application Impersonation is considered the best approach to application-level mailbox access for server/service type applications:
For more information on the points discussed in this post, please see: