Prevent FullAccess delegated Users from reading Protected Mails in OWA!
If a user (secretary) has "Full Access Permission" to the Mailbox of another User (her Boss) she can't read protected mails in Outlook, which is ok, BUT: she is able to read them if she opens the other user's mailbox in OWA. This is a serious security problem and should be fixed immediately.
Only the MailboxOwner should be able to read protected Mails.
While some of our customers consider access by a mailbox delegate a problem, others have said they consider it a must have (e.g. for executives whose admin does all their email). In some cases, both behaviors are necessary within the same organization.
We are evaluating possibilities for implementing a solution that addresses both cases.
We're highly interested in a solution for this. Is there any further information on this already?
I don’t see any way this isn’t a security flaw or loophole. It’s not a feature. If the behavior was consistent one way or the other between platforms, then maybe a feature.
Microsoft needs to do more than think about fixing this.
I also think that this is a security flaw. The encrypted emails should only be viewed by the account owner himself/herself. There are cases where executives do not want some confidential emails read by their assistants/admins. With this security flaw, now I have to search for a 3rd party certificate provider to encrypt S/MIME emails.
Same here, I also consider it a serious security flaw:
In fact, even a mail with the strongest protection and "Do not forward" constraints (no copy, no forward, no print) is still accessible by a delegate on the O365 web portal.
Behaviour is not consistent between an Outlook client (where mail is protected from delegate access) and web portal, which is a problem!
We're also facing this issue and need to find a solution for this. Did you find any ways to avoid this other than completely disabling OWA access for the users in question?!
Actually, if you use a Mac (Office 2016) then as a delegate you can always read the encrypted emails of your boss.
However I agree that it might not be straightforward. For user mailboxes this should not be able to happen. For shared mailboxes, maybe there can be an additional configuration available.
Really not this simple, this needs to be configurable by mailbox instead of a hard rule.
While the boss / secretary case is probably valid as such, consider also the case of a customer-service mailbox with potentially sensitive customer data.
I believe the customer-service mailbox needs to have at a minimum an Azure Information Protection license, right? That means it'll have to be a "user" mailbox with a license attached and not a "shared" mailbox, even if it's mostly used like a shared mailbox.
Even so, whoever of the customer service workers happens to be on duty may need to be able to read those.
Therefore, needs to be configurable.