Developers of applications which require access to user mailboxes often struggle with the choice between the Impersonation and Delegation access methods. While both provide programmatic rights to mailbox objects, they are designed to meet rather different needs, and for situations where a single account needs to access multiple mailboxes, Impersonation is the better choice. This post will provide an overview of why, and what the implications of using Impersonation are.
First, a point of clarification: Delegate access is geared to situations where an application needs access to mailbox items controlled by a user, and where it is likely that code will be run under the logged-on user's permissions. Accordingly, Delegate access is a user-managed permission, as it presumes that the user/owner of the mailbox is explicitly granting access. Impersonation, on the other hand, has been designed to support enterprise applications, and is an administratively controlled access methodology that requires no intervention from the mailbox owner. One way to think of the differences is that Impersonation is access for applications, whereas Delegate access is access for users.
In practice, applications using EWS Impersonation are more robust, as other applications or normal users cannot revoke permission settings on the fly as they can with Delegate settings. Furthermore, the setup and administration of Impersonation is significantly less complex and time consuming when dealing with large sets of users, as it can be set globally rather than per mailbox.
From a security perspective, Impersonation is preferable to Delegate access for the following reasons:
Note that both Impersonation and Delegate activity can be logged by both IIS and EWS native logging functionality, providing a full audit trail.
To summarize some of the reasons why EWS Application Impersonation is considered the best approach to application-level mailbox access for server/service type applications:
Some good places to start reading:
Authentication and EWS in Exchange
https://msdn.microsoft.com/en-us/library/office/dn626019(v=exchg.150).aspx
Impersonation and EWS in Exchange
https://msdn.microsoft.com/en-us/library/office/dn722377(v=exchg.150).aspx
With Impersonation a service account has full access to a defined set of mailboxes. What it can access in those mailboxes (such as specific folders) cannot be filtered or defined. Only an Exchange Admin can configure an EWS Impersonation account for impersonating and configure its mailboxes to allow the impersonation.
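Because an Impersonation account gets full access to every mailbox in its scope and nothing inside a mailbox can be filtered, the one control an admin does have is the set of mailboxes the role assignment covers. The following Exchange Management Shell session is an added example, not code from the original post: it grants ApplicationImpersonation to an assumed service account (svc-mailarchiver) limited to an assumed recipient filter, then lists the assignments so an organization-wide one stands out during review.

```powershell
# Added example (not from the original post). Assumes on-premises Exchange
# Management Shell; the account name and the CustomAttribute1 filter are
# assumptions chosen for illustration.

# 1. Define which mailboxes the application may impersonate. Without a custom
#    scope, the role assignment covers every mailbox in the organization.
New-ManagementScope -Name "MailArchiver Impersonation Scope" `
    -RecipientRestrictionFilter { CustomAttribute1 -eq "ArchiveEnabled" }

# 2. Grant the ApplicationImpersonation role to the service account, limited
#    to that scope rather than to the whole organization.
New-ManagementRoleAssignment -Name "MailArchiver Impersonation" `
    -Role ApplicationImpersonation `
    -User "svc-mailarchiver" `
    -CustomRecipientWriteScope "MailArchiver Impersonation Scope"

# 3. Review: list every ApplicationImpersonation assignment with its scope.
#    An entry whose CustomRecipientWriteScope is empty and whose
#    RecipientWriteScope is Organization can impersonate any mailbox.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Format-Table Name, RoleAssignee, CustomRecipientWriteScope, RecipientWriteScope -AutoSize

# 4. Confirm the filter resolves to the intended mailboxes before the
#    application goes live, since folder-level restriction is not possible.
Get-Mailbox -Filter { CustomAttribute1 -eq "ArchiveEnabled" } |
    Select-Object DisplayName, PrimarySmtpAddress
```

Step 3 is the check worth repeating periodically, independent of any one application's deployment.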
Delegate access and EWS in Exchange
https://msdn.microsoft.com/en-us/library/office/dn641957(v=exchg.150).aspx
Delegate access allows a user to access certain folders in another user's mailbox. Delegate permissions can be set by a mailbox owner or administrator using an app or other app code.
For more information on the points discussed in this post, please see: