Outlook allows users to share folders so that others can interact with items in those folders. Additionally, a user can be configured as an Outlook Delegate, allowing him or her to manage specific tasks on your behalf, such as meeting related tasks. If another user grants you folder permissions (or makes you a delegate) and you use Outlook to perform actions on that user's shared items, Outlook performs these actions using a specific permission set. However, there are a couple of different ways that you can be granted access to a user's folders. Each of these ways can create a different permission set, which can later result in conflicts.
The diagram below shows how Outlook can be exposed to conflicting permission sets. Let's start with the following facts:
- Permission set X is created when the Exchange Server Administrator grants you FullAccess permission to Allison's mailbox.
- Permission set Y is created when Allison grants you explicit folder permissions by using Microsoft Outlook. Allison can do this in one of two ways:
- Grant you individual folder permissions by right-clicking on a folder and selecting Permissions.
- Configure you as an Outlook Delegate to specific Outlook folders, such as the Calendar.
When you use Outlook to work with Allison's shared items, Outlook may initially use one specific permission set (this is Permission set Y in the diagram below). As you continue using Outlook to work with Allison's items, a particular function may be blocked within the existing context (again Permission set Y). In this case, some expected functionality may not be available. However, it is important to note that the unexpected behavior will not be consistent, nor can it be clearly defined here, because the initial context used by Outlook can differ depending on how Allison's mailbox or shared items are first accessed by Outlook.
In the diagram, you see that the elevated permissions necessary to perform tasks on Allison's other folders are not available. This occurs because Outlook is not designed to consistently work with two or more permission sets.
In some cases, Microsoft documentation points this limitation out. For example, the following Microsoft TechNet article makes reference to it:
Configure Exchange accounts for Outlook 2010
Some of the issues that can occur due to conflicting permission sets are listed in the following Microsoft Knowledge Base article:
981245 Issues that can occur when you add multiple Exchange accounts in the same Outlook 2010 profile
The bottom line: the easiest way to remember the limitation (and to avoid it) is by granting permissions using only one application: either Microsoft Outlook or Microsoft Exchange Server.
Which application should you use to give permissions to your items?
Since a user should only use one of two methods (Outlook or Exchange) to share their folders or entire mailbox, the following table will help you choose. The table lists some of the benefits and functionality that are available with each method.
Exchange FullAccess | Outlook Delegate or | |
Shared mailbox appears in the Outlook Navigation Pane | Automatically, if both of the following are true: a. Exchange FullAccess permission is granted with AutoMapping enabled on Exchange Server 2010 SP1 or later. b. You are using Microsoft Outlook 2010 or newer. Otherwise, you can manually add the shared mailbox as a second account using File | Account Settings. | Not if you are only given permission to a specific folder or are only granted Delegate access. However, there is an exception. The user can grant you at least View permissions to their top level folder. Then, you add the shared mailbox to Outlook by using the Open these additional mailboxes option. If the user wishes to grant you access to their other non-default folders, they can set folder permissions on each individual folder. |
Receive meeting invitations on other's behalf | No | Yes - if you are configured as a Delegate. No - if you only have folder permissions. |
Able to view private items in shared mailbox | No | Yes, if you are configured as a Delegate and with the option "Delegate can see my private items". Note To view private items in other folders such as contacts or email folders, you must also be granted Reviewer permission to the Calendar. |
Able to open shared mailbox in OWA | Yes | No |
Effect on Offline Outlook Data (.ost) file size | One .ost file is created. It contains the contents of both your mailbox and of the shared mailbox. | Reduced size since only specific folders are being shared and cached (the additional shared folders are cached in the same .ost that is associated with the delegate's Outlook profile). |
Other considerations | Not optimal as it requires maintaining permissions on both the Exchange Server (FullAccess) and Outlook client delegate/folder) permissions. Although the Exchange administrator can control this set of permissions, the administrator has no control over Outlook clients. Therefore, if a client chooses to configure delegate/folder permissions, they can enter an unsupported state. Additionally, the shared mailbox is fully exposed to any unexpected actions performed by the secondary user (or by any of their add-ins or devices). | This is the recommended option, as it limits the effect that other users' add-ins or devices can have on the owner's mailbox. Additionally, it prevents Outlook clients from being configured in an unsupported state. |
Additional resources
One delegate can manage multiple mailboxes. However, any given mailbox should have a limited number of delegates. Additionally, only one delegate with Editor permission is recommended. See the following Microsoft TechNet article for more information:
Best practices when using the Outlook Calendar
Exchange administrators may be interested in the following Microsoft TechNet article, which explains how to disabling Auto Mapping: