Outlook: Grant mail delegate sharing permissions from the new Outlook

🚨 The Signal: Users can now grant mailbox and folder delegate permissions directly from the new Outlook app. This decentralises a critical access control function, increasing the risk of unauthorised data exposure if not managed carefully.

The Impact

End users and security teams are affected by increased risk of unauthorised mailbox access and data exfiltration.

  • End users: Can inadvertently grant excessive permissions, leading to data exposure.
  • Security teams: Must monitor new delegation vectors for compliance and risk.
  • Compliance officers: Need to update policies for user-managed delegation.
  • Admins: May face increased support requests for permission issues.

The Action

  1. Review existing Exchange Online mailbox delegation policies for 'SendAs' and 'FullAccess' permissions.
  2. Educate end-users on the secure delegation of mailbox and folder access.
  3. Implement or refine audit logging for mailbox permission changes via PowerShell: `Set-Mailbox -Identity <MailboxName> -AuditEnabled $true`
  4. Regularly audit delegated mailbox permissions using `Get-MailboxPermission` and `Get-RecipientPermission` cmdlets.
  5. Consider implementing Conditional Access policies to restrict delegate access based on device compliance or location.
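The following script is an added example of steps 3 and 4 above; it is not part of the original advisory. It assumes the ExchangeOnlineManagement module is installed, that the account running it holds a role able to read mailbox permissions and the unified audit log, and that the 30-day window, the `$reportDir` path and the report file names are arbitrary values chosen for illustration. It goes slightly beyond the cmdlets named on the page by also listing folder-level grants (`Get-MailboxFolderPermission`) and `GrantSendOnBehalfTo`, since the new Outlook feature covers folder delegation as well as mailbox delegation.

```powershell
# Added example: inventory user-visible delegation in Exchange Online and pull the
# audit events that record delegation changes. Not taken from the original advisory.
# Assumption: ExchangeOnlineManagement module present; the caller has sufficient rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$reportDir = Join-Path $env:TEMP 'delegation-review'   # assumed output location
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Make sure mailbox auditing is on (step 3). It is on by default in Exchange Online,
# but an explicit set guards against tenants where it was disabled per mailbox.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes | Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { Set-Mailbox -Identity $_.UserPrincipalName -AuditEnabled $true }

# Step 4a: FullAccess and other mailbox-level grants, ignoring the mailbox owner's
# own implicit entry and inherited system ACEs.
$fullAccess = foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.UserPrincipalName |
        Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' -and -not $_.Deny } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, User,
                      @{n='AccessRights';e={$_.AccessRights -join ','}}
}
$fullAccess | Export-Csv (Join-Path $reportDir 'mailbox-permissions.csv') -NoTypeInformation

# Step 4b: SendAs grants (RecipientPermission), again excluding the owner's SELF entry.
$sendAs = foreach ($mbx in $mailboxes) {
    Get-RecipientPermission -Identity $mbx.UserPrincipalName |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Trustee, AccessControlType
}
$sendAs | Export-Csv (Join-Path $reportDir 'sendas-permissions.csv') -NoTypeInformation

# Send on behalf is stored on the mailbox object itself rather than in the ACL.
$mailboxes | Where-Object { $_.GrantSendOnBehalfTo.Count -gt 0 } |
    Select-Object UserPrincipalName, @{n='SendOnBehalf';e={$_.GrantSendOnBehalfTo -join ';'}} |
    Export-Csv (Join-Path $reportDir 'sendonbehalf.csv') -NoTypeInformation

# Folder-level delegation: the grants a user can now make from the new Outlook.
# Inbox and Calendar are the folders most often shared; extend the list as needed.
$folderGrants = foreach ($mbx in $mailboxes) {
    foreach ($folder in 'Inbox', 'Calendar') {
        $id = "$($mbx.UserPrincipalName):\$folder"
        Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue |
            Where-Object { $_.User.DisplayName -notin 'Default', 'Anonymous' } |
            Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}},
                          @{n='Folder';e={$folder}},
                          @{n='User';e={$_.User.DisplayName}},
                          @{n='AccessRights';e={$_.AccessRights -join ','}}
    }
}
$folderGrants | Export-Csv (Join-Path $reportDir 'folder-permissions.csv') -NoTypeInformation

# Detection: who changed delegation in the last 30 days. Admin-side changes appear as
# the cmdlet names; end-user folder sharing from Outlook is logged as UpdateFolderPermissions.
$ops = 'Add-MailboxPermission', 'Remove-MailboxPermission',
       'Add-RecipientPermission', 'Remove-RecipientPermission',
       'Add-MailboxFolderPermission', 'Set-MailboxFolderPermission',
       'UpdateFolderPermissions'
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
                                 -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Operation = $_.Operations
            Actor     = $_.UserIds
            Target    = $d.ObjectId
        }
    }
$events | Sort-Object When -Descending |
    Export-Csv (Join-Path $reportDir 'delegation-changes.csv') -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

The four inventory files give the baseline to compare against on each run; the audit export is what a security team would feed into a SIEM rule or a periodic review to spot delegation that did not go through a change request.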

Domain: Exchange · Impact: high · Workload: Exchange Online · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898