Outlook and private items

This cannot be stressed enough:

When you flag e-mails or calendar items as private, it will not ensure privacy!

You might argue that you have not granted “Delegate can see my private items”, but this is ONLY honored by certain clients and under certain conditions.

Symptom

I was recently approached by colleagues because users complained that delegates could see items flagged as private even though they had not been granted this permission. However, not all delegates could do so, and it was not conclusive.

Investigation

After I spent some time on this topic, I could narrow it down to Outlook for Mac clients with a specific configuration.

You need to understand that this flag is honored ONLY by certain clients and protocols. Here is the list of the ones I’m aware of:

  • Outlook for Windows
  • Outlook for iOS
  • Outlook for Android
  • Outlook for Mac (with exception!)
  • Microsoft Graph
  • Exchange Web Services (with exception!)

Note: The list might not be complete, or the behavior might be changing!

The IMAP4 and POP3 protocols don’t support this flag. This means that if you use one of these protocols to access a mailbox on Exchange (for whatever reason, but I’ve seen this), the private flag is not honored, even from Outlook!

As you might have seen, two items on the list are marked with an exception. Both are related to Exchange Web Services (EWS). Outlook for Mac uses this protocol to communicate with Exchange, and this is where the issue starts.

Usually you would add an additional mailbox to your profile using the process described here:

Open and use a shared mailbox in Outlook (microsoft.com)

Open a shared Mail, Calendar or People folder in Outlook for Mac (microsoft.com)

However, when you are a delegate and have Outlook for Windows, you will most likely receive the following error:

Cannot expand the folder.

The resolution for this is to grant the delegate the FolderVisible permission on the root folder:

Cannot access another user’s mailbox folder – Exchange | Microsoft Docs

But the consequence is that delegates using Outlook for Mac are now able to see items flagged as private!

Note: This only affects Outlook for Mac when the switch to use “New Outlook” has not been toggled.

Here are some screenshots of how you add a shared mailbox using the “New Outlook” experience, which honors the private flag:

And here using the “legacy” Outlook for Mac, which doesn’t honor the private flag:

Recommendations

As you can see, this flag is not really intended to protect privacy. As soon as someone has been granted access permissions, this person CAN access items. My recommendations to avoid this are as follows:

  • have private items moved to a dedicated folder that delegates have no access to. This also applies to calendars
  • make sure that you do not grant any permissions, e.g. FolderVisible, on the root folder (the drawback is that any delegate using Outlook for Windows cannot open the mailbox)
  • make sure your delegates have ONLY “New Outlook” turned on (this is not realistic, and you don’t really have control over it)
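
To find out where the root-folder grant discussed above already exists, the following added example (not part of the original post) lists every non-empty permission entry on the root folder of a set of mailboxes. It assumes an already connected Exchange Online or Exchange Management Shell session; the function name `Get-RootFolderGrant` and the mailbox addresses are hypothetical placeholders.

```powershell
# Added example. Assumes a connected Exchange Online / Exchange Management Shell
# session; the function name and the mailbox addresses are constructed placeholders.
function Get-RootFolderGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Mailbox
    )
    foreach ($mbx in $Mailbox) {
        try {
            # "<mailbox>:\" addresses the root folder, which is where FolderVisible
            # gets granted to work around "Cannot expand the folder."
            $entries = Get-MailboxFolderPermission -Identity "${mbx}:\" -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not read root folder permissions of ${mbx}: $_"
            continue
        }
        foreach ($entry in $entries) {
            # Normalize the rights to plain strings so they compare reliably.
            $rights = @($entry.AccessRights | ForEach-Object { "$_" })
            # Skip entries that grant nothing (the usual state of Default/Anonymous).
            if ($rights.Count -eq 0 -or ($rights.Count -eq 1 -and $rights[0] -eq 'None')) {
                continue
            }
            [pscustomobject]@{
                Mailbox           = $mbx
                Grantee           = "$($entry.User)"
                AccessRights      = $rights -join ','
                # True when the grant is exactly the FolderVisible workaround.
                OnlyFolderVisible = ($rights.Count -eq 1 -and $rights[0] -eq 'FolderVisible')
            }
        }
    }
}

# Constructed sample input: replace with the mailboxes whose owners rely on the private flag.
$review = 'exec1@contoso.example', 'exec2@contoso.example'
Get-RootFolderGrant -Mailbox $review |
    Sort-Object Mailbox, Grantee |
    Format-Table -AutoSize
```

Each grantee in the output is a delegate to check for the legacy Outlook for Mac client, since that is the combination in which the private flag is not honored.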

Conclusion

Don’t trust or rely on this flag, as it doesn’t provide the expected feature. Train your users so that they really understand what it does and where its limits are.

Maybe you find my recommendations useful or find other ways (if so, please let me know!).
