Is it possible to combine delegate and impersonation access types?

Example: Using service account credentials to impersonate Bill, I need to access Jane's calendar using Bill's permission levels.

Because I have the service account credentials, I could simply impersonate Jane and edit her calendar that way - but I want to verify that Bill should have access to Jane's calendar. Also, I want to ensure that there is an audit trail showing the calendar was edited on Bill's behalf.

Does EWS provide any kind of fake "credentials" to use for this purpose?

This is related to my other question because I believe the only way to access Jane's calendar is via delegate access, even though it was shared with Bill: What is the recommended way to access shared *personal* calendars in EWS?

ZZZZZ

1 Answer

When you say shared personal calendars, this sounds like you're talking about https://support.microsoft.com/en-us/office/import-or-subscribe-to-a-calendar-in-outlook-on-the-web-503ffaf6-7b86-44fe-8dd6-8099d95f38df . So the reason you don't see them when you query them in EWS is that the client itself is providing that feature, and EWS is just a Mailbox access API, so it is showing you what exists on the server. If you use a MAPI editor like OutlookSpy or MFCMapi and view the Mailbox in question, that might make more sense, as this will show you what is in the raw underlying contents of the Mailbox itself (including any hidden folders etc.).

Impersonation sets the underlying security context for any calls you make to EWS, so if you impersonate Bill and then access Jane's Calendar you will be doing it under the security context of Bill, so any delegate rights applied to Bill will apply. Based on the link Erik posted, it sounds more like the issues you are having are to do with the library itself. EWS has two different types for FolderIds; the distinguishedfolderidtype https://learn.microsoft.com/en-us/dotnet/api/exchangewebservices.distinguishedfolderidtype.mailbox?view=exchange-ews-proxy allows you to specify the Mailbox associated with the request you're making. So, for instance, if you were looking for a user-created folder in Jane's Mailbox, you might start with a FindFolder operation using the distinguishedfolderidtype on Jane's Inbox. In that library they have used the concept of Accounts (or "Account instance") rather than Mailboxes, which at one level makes sense and makes it easy to understand, but in some scenarios it doesn't give the same flexibility that the underlying API provides (e.g. you really need to be able to access another mailbox outside of using the "Account instance", as this may not work well when you have Shared Mailboxes or Group Mailboxes where Account means something different).

Glen Scales
  • Thanks for confirming that this should be possible. The shared personal calendar I'm talking about is the first default calendar that gets created for every account. On Office 365 it's always named "Calendar", and it's the only calendar you can "delegate" to other users. Therefore I assumed it would be possible to get a list of all these calendars which have been shared with the user - otherwise to compile a list, we would have to check all other mailboxes and compile that internally? Screenshot of calendar in Outlook for Web: https://i.postimg.cc/tggrZLGC/share-default-cal.png – ZZZZZ Sep 02 '21 at 15:00
  • Those exist as links; you can query the links to get the underlying FolderId. I would suggest https://stackoverflow.com/questions/23766747/ews-access-all-shared-calendars/23773834#23773834, although with that library you're using it may be an issue then using the FolderId – Glen Scales Sep 02 '21 at 23:35
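
The request the answer describes, as an added example that is not part of the original thread or of any library mentioned in it: a raw EWS GetFolder envelope that impersonates Bill in the SOAP header while the DistinguishedFolderId's Mailbox element points at Jane, plus a parser for the result. The addresses, the server version value, the helper names and both sample responses are constructed; the error code a real server returns when Bill lacks rights may differ.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "t": "http://schemas.microsoft.com/exchange/services/2006/types",
      "m": "http://schemas.microsoft.com/exchange/services/2006/messages"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)

def build_get_folder(impersonate_smtp, mailbox_smtp, folder="calendar"):
    """GetFolder on mailbox_smtp's distinguished folder, evaluated as impersonate_smtp."""
    env = ET.Element(q("soap", "Envelope"))
    header = ET.SubElement(env, q("soap", "Header"))
    ET.SubElement(header, q("t", "RequestServerVersion"), Version="Exchange2013")
    # Security context: the server evaluates permissions as this user (Bill).
    imp = ET.SubElement(header, q("t", "ExchangeImpersonation"))
    sid = ET.SubElement(imp, q("t", "ConnectingSID"))
    ET.SubElement(sid, q("t", "PrimarySmtpAddress")).text = impersonate_smtp
    req = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("m", "GetFolder"))
    shape = ET.SubElement(req, q("m", "FolderShape"))
    ET.SubElement(shape, q("t", "BaseShape")).text = "IdOnly"
    # Target: a well-known folder in a different mailbox (Jane's calendar).
    ids = ET.SubElement(req, q("m", "FolderIds"))
    dfid = ET.SubElement(ids, q("t", "DistinguishedFolderId"), Id=folder)
    mbx = ET.SubElement(dfid, q("t", "Mailbox"))
    ET.SubElement(mbx, q("t", "EmailAddress")).text = mailbox_smtp
    return ET.tostring(env, encoding="unicode")

def parse_get_folder_response(xml_text):
    """Return (ResponseClass, ResponseCode, FolderId or None)."""
    msg = ET.fromstring(xml_text).find(".//m:GetFolderResponseMessage", NS)
    code = msg.findtext("m:ResponseCode", namespaces=NS)
    fid = msg.find(".//t:FolderId", NS)
    return msg.get("ResponseClass"), code, None if fid is None else fid.get("Id")

def sample_response(cls, code, body=""):
    """Constructed response envelope for offline use, not captured from a server."""
    return ('<s:Envelope xmlns:s="{soap}" xmlns:m="{m}" xmlns:t="{t}"><s:Body>'
            '<m:GetFolderResponse><m:ResponseMessages>'
            '<m:GetFolderResponseMessage ResponseClass="{cls}">'
            '<m:ResponseCode>{code}</m:ResponseCode>{body}'
            '</m:GetFolderResponseMessage></m:ResponseMessages>'
            '</m:GetFolderResponse></s:Body></s:Envelope>'
            ).format(cls=cls, code=code, body=body, **NS)

SAMPLE_OK = sample_response("Success", "NoError", '<m:Folders><t:CalendarFolder>'
    '<t:FolderId Id="AAMk-constructed" ChangeKey="AgAA"/></t:CalendarFolder></m:Folders>')
SAMPLE_DENIED = sample_response("Error", "ErrorAccessDenied")
```

A `Success` result returned under Bill's context is the check that Bill has rights on Jane's calendar; the returned FolderId can then be used for later calls made with the same impersonation header.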