Unexpected Results of User Initiated Outlook Delegation
Without getting too much into it, all Exchange Administrators have had to deal with this scenario at some stage or another. In my opinion Microsoft still has not addressed this very well for enterprise or even small customers. The whole end-user experience is misleading and creates the wrong end result. Administrators often then make the problem worse, until it’s all gone a bit haywire and has to be unpicked.
What’s done wrong
A Mailbox Owner wants to delegate their Mail and/or Calendar to someone else, be it a Personal Assistant (PA) / Executive Assistant (EA) or even just a peer/colleague, perhaps while they are out of the office for a week. However, the experience never seems to go quite right. The Mailbox Owner *thinks* they delegated correctly, but the delegate can’t add the mailbox in Outlook, or if they can, they only see the Inbox and not the other folders they expected to see, so now they can’t file or check other emails. Delegates can’t set up the Out of Office that their colleague forgot to set. None of the rules are working, and so on.
I’ve even seen just the actual Calendar Folder shared without using the wizard. All sorts of horrible variations of permissions are given, and then the delegate can’t figure out how to add the Calendar and now wonders why they can’t accept meetings on the Mailbox Owner’s behalf!
In wades the Exchange Admin and sets up Full Access on the Exchange back-end but emails are still going out as “Sent On Behalf Of”, so now the external recipients know ‘Boss man Joe’ isn’t answering his own emails. So, again in steps our Exchange Admin and adds SendAs rights to the mailbox. All adding Permission on top of Permission…
A bit of a mess
Well, now we have quite the mess. Mailbox Full Access plus Folder Sharing with Send on Behalf of and SendAs.
The Delegate now has the mailbox added into Outlook the way they personally added it, “as an additional mailbox”, but automapping is also on. So if and when they go to remove the Additional Mailbox when they think they are finished, automapping keeps bringing it back. The Delegate’s own OST has grown huge over time. Sigh.
Tip for noobs: automapping also does not create its own OST.
SendAs and Send on Behalf Of
Mailboxes having both Send on Behalf of and SendAs is a recipe for disaster. The conflicting permissions produce unexpected behavior that varies between Exchange versions and between client versions and types (Outlook and OWA). Sometimes just granting Full Access (to, say, solve seeing all folders) on top of User Delegation can set SendAs permissions anyway!
Inevitably it all leads to a massive unpicking and rolling-back solution that nearly always involves the user having to recreate their Outlook Profile. Not a great experience, and it usually involves some heated complaints and definitely user downtime. EAs/PAs in some ways are the most productive people on the Senior Leadership Team!
There are also added problems with phantom Delegation happening and not getting cleaned up correctly, made worse when a Delegate leaves the organization and they are phantom’d on to a live mailbox.
Don’t believe me? Have a search of the Internet for publicDelegate and publicDelegateBL problems… Exchange Phantom Delegation
How should it be done?
For Shared Mailboxes, trust me, follow this route: https://www.neroblanco.co.uk/2015/04/the-shared-mailbox-dilemma/ and use Security Groups for Access.
For Personal Mailboxes, it’s a bit trickier. When you delegate using the Outlook Delegation Wizard “File -> Account Settings -> Delegate Access” you are presented with the long-standing Delegation Box.
I can add a colleague / admin / PA / EA and set any sort of Access and notify them, even choose whether to share my Private Items.
The dirty little SoBo secret…
However, did you know that setting ANYTHING at all on this screen, even just “Reviewer” on my Notes folder, will grant Send on Behalf of to the person you delegate to?
Know which method does what and document it
The moral of the story here is that you should make sure that the Helpdesk and Administrators know which method applies what levels of Access and Sending.
Users should have a very clear picture in their mind of what problem they are trying to solve. A true Boss/Admin relationship in my mind should follow the Shared Mailbox Blog from above: Full Access + SendAs with Mailbox Auditing enabled.
- Are they wanting someone just to READ and keep an eye on email, or check calendar invites and remind them of meetings?
- Maybe they do want someone to respond to email and Calendar – but Send on Behalf of, or Send As.
- Maybe the Mailbox Owner only wants invites going to the Delegate, or to themselves and the Delegate?
- Perhaps they also want emails filed and such like.
Have a description for each scenario or, in my opinion, only have one supported method of self-delegation, especially for Calendars. Don’t allow Folder Sharing at the Calendar Level if you can help it.
Always have users accept the Default Option for “Deliver meeting requests addressed to me and responses to meeting requests where I am the organiser to”: My delegates only, but send a copy of meeting requests and responses to me. Trust me, it will make your life easier.
Casual Self Delegation
Casual delegation can follow the User Delegation method via the Outlook Wizard, but you should have a clear internal Helpdesk TechNote outlining that:
- Send on Behalf of will always be set
- Sub folders are NOT shared
- Limitations of the method
  - Cannot create or run Rules
  - Cannot set Out of Office
  - Cannot use SendAs
  - Cannot use Signatures
  - Does not get its own OST
  - Cannot log on at OWA
- For a Delegate to “add the additional Mailbox” the Mailbox Owner MUST also enable Folder Visible (at a minimum) at the Root Folder Level – in addition to the Outlook Delegation Wizard
- Never allow Send on Behalf of and SendAs to be set for the same user or Group
- Don’t set Full Access with automapping – it creates a whole bunch of other issues over and above what Microsoft thought it would fix
- Accept that you may have to get the user to strip out their delegation and start again – including re-creating the Outlook Profile
- I strongly advise against letting delegates work in non-cache mode
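A read-only audit for the rule above that Send on Behalf of and SendAs should never be held by the same delegate on one mailbox, added here as an example and not taken from the original post. It assumes an already-connected Exchange Management Shell or Exchange Online PowerShell session; the function names are hypothetical, and trustee matching through Get-Recipient is best-effort (unresolved trustees are compared as raw strings).

```powershell
# Added example: find delegates holding BOTH Send on Behalf of and SendAs.
# Read-only; assumes an Exchange session is already connected.

function Resolve-Trustee {
    param([string]$Id)
    # Normalise differing identity formats; fall back to the raw string.
    $r = Get-Recipient -Identity $Id -ErrorAction SilentlyContinue
    if ($r) { [string]$r.PrimarySmtpAddress } else { $Id }
}

function Get-SendAsTrustee {
    param($Mailbox)
    if (Get-Command Get-RecipientPermission -ErrorAction SilentlyContinue) {
        # Exchange Online: SendAs is a recipient permission
        Get-RecipientPermission -Identity $Mailbox.Identity |
            Where-Object { $_.AccessRights -like '*SendAs*' -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { [string]$_.Trustee }
    } else {
        # On-premises: SendAs is the "Send-As" extended right on the AD object
        Get-ADPermission -Identity $Mailbox.DistinguishedName |
            Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.Deny -and
                           $_.User -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { [string]$_.User }
    }
}

function Get-ConflictingDelegate {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        # Send on Behalf of is stored on the mailbox itself
        $sob = @(@($mbx.GrantSendOnBehalfTo) | Where-Object { $_ } |
            ForEach-Object { Resolve-Trustee ([string]$_) })
        if ($sob.Count -eq 0) { return }   # nothing delegated, next mailbox
        $sendAs = @(Get-SendAsTrustee $mbx | ForEach-Object { Resolve-Trustee $_ })
        $full = @(Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { $_.AccessRights -like '*FullAccess*' -and -not $_.IsInherited -and -not $_.Deny } |
            ForEach-Object { Resolve-Trustee ([string]$_.User) })
        foreach ($t in ($sob | Where-Object { $sendAs -contains $_ })) {
            [pscustomobject]@{
                Mailbox    = [string]$mbx.PrimarySmtpAddress
                Delegate   = $t
                FullAccess = ($full -contains $t)   # Full Access stacked on top?
            }
        }
    }
}

Get-ConflictingDelegate | Sort-Object Mailbox | Format-Table -AutoSize
```

Each row is a delegate to unpick: decide which of the two sending rights is intended and remove the other before touching the Outlook profile.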
Microsoft really needs to revisit the Outlook experience and re-engineer the GUI, bringing it into line, asking the right sort of questions and explaining what will and won’t get set. It’s old now; it’s been that way since Outlook 2003 at least, as far as I can remember.
Maybe even granting Full Access and SendAs should be allowed by “Self”. An option to cascade Folder Permissions, AND to remove Folder Permissions in one sweep – but certainly it should warn about setting Send on Behalf of and the need to set Folder Visible – or just do it!
Setting Full Access with automapping needs to create its own OST.