Many organizations face this exact scenario where temporary access to an employee's mailbox is required to set or modify Out of Office (OOF) messages. The common but insecure practices we've observed include:
- Password resets and sharing (as described in the scenario)
- Managers maintaining shadow password lists
- Full mailbox delegation which grants excessive permissions
Exchange Server provides several built-in solutions that don't require password sharing:
1. SendAs Permission via PowerShell
This grants just enough permission to send emails (including OOF responses) as the user:
Add-RecipientPermission "john.doe@contoso.com" -AccessRights SendAs -Trustee "manager@contoso.com"
2. Mailbox Folder Permissions
More granular control to just modify OOF settings:
Add-MailboxFolderPermission -Identity "john.doe@contoso.com:\" -User "manager@contoso.com" -AccessRights Editor
3. Exchange Admin Role
For Helpdesk staff, create a custom role:
New-ManagementRole -Name "OOF Management" -Parent "User Options"
New-RoleGroup "OOF Administrators" -Roles "OOF Management" -Members "helpdesk@contoso.com"
For more advanced scenarios, consider these automation options:
PowerShell Script for Emergency OOF
# EmergencyOOF.ps1
# Requires the ExchangeOnlineManagement module. The Basic-auth remote PowerShell
# endpoint (powershell-liveid + New-PSSession -Authentication Basic) has been
# retired for Exchange Online, so the connection uses Connect-ExchangeOnline.
Param(
    [Parameter(Mandatory=$true)]
    [string]$UserToModify,   # mailbox whose auto-reply is being set
    [Parameter(Mandatory=$true)]
    [string]$AdminAccount,   # UPN of the delegated admin; signs in interactively (MFA capable)
    [Parameter(Mandatory=$true)]
    [string]$OOFMessage
)
Import-Module ExchangeOnlineManagement -ErrorAction Stop
try {
    # Interactive sign-in as the admin: the script never handles a password
    Connect-ExchangeOnline -UserPrincipalName $AdminAccount -ShowBanner:$false
    Set-MailboxAutoReplyConfiguration -Identity $UserToModify -AutoReplyState Enabled `
        -InternalMessage $OOFMessage -ExternalMessage $OOFMessage -ErrorAction Stop
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
Microsoft Graph API Implementation
For modern applications:
// OOF setter using Microsoft Graph (token needs MailboxSettings.ReadWrite)
async function setOOF(userId, message, accessToken) {
  // mailboxSettings is updated with PATCH; automaticRepliesSetting is nested in the body.
  // Template literals need backticks, otherwise the URL and header are syntax errors.
  const response = await fetch(`https://graph.microsoft.com/v1.0/users/${encodeURIComponent(userId)}/mailboxSettings`, {
    method: 'PATCH',
    headers: {
      'Authorization': `Bearer ${accessToken}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      automaticRepliesSetting: {
        status: "alwaysEnabled",   // Graph accepts only disabled, alwaysEnabled or scheduled
        externalAudience: "all",
        internalReplyMessage: message,
        externalReplyMessage: message
      }
    })
  });
  return response.ok;
}
- Implement just-in-time access through PIM for Azure AD roles
- Use Azure Automation Runbooks for approved workflows
- Audit all OOF modifications through Exchange logging
- Consider third-party solutions like Power Automate for approval workflows
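The custom role created above inherits every cmdlet of its parent "User Options" role, which is more than OOF management needs. As an added example (not code from the answer above), the following trims the cloned role down to the two auto-reply cmdlets, restricts the role group's write scope to one department, and verifies what the group can actually run. The admin UPN, the role, scope and group names, the helpdesk address and the use of the Department attribute are all assumptions.

```powershell
# Added example: least-privilege OOF role, scoped and verified.
# Assumed names: admin@contoso.com, role "OOF Management", scope "OOF Scope - Sales",
# group "OOF Administrators", member helpdesk@contoso.com, Department value "Sales".
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com -ShowBanner:$false

# 1. Clone "User Options", then remove every role entry except the auto-reply cmdlets.
New-ManagementRole -Name "OOF Management" -Parent "User Options"
$keep = 'Get-MailboxAutoReplyConfiguration', 'Set-MailboxAutoReplyConfiguration'
Get-ManagementRoleEntry "OOF Management\*" |
    Where-Object { $_.Name -notin $keep } |
    Remove-ManagementRoleEntry -Confirm:$false

# 2. A recipient write scope so the group can only act on mailboxes in one department
#    (assumes Department is populated and maintained by directory sync, not by users).
New-ManagementScope -Name "OOF Scope - Sales" `
    -RecipientRestrictionFilter "Department -eq 'Sales'"

# 3. Role group bound to the trimmed role and the custom write scope.
New-RoleGroup -Name "OOF Administrators" -Roles "OOF Management" `
    -CustomRecipientWriteScope "OOF Scope - Sales" -Members "helpdesk@contoso.com"

# 4. Verify: which cmdlets (and parameters) remain, and on which recipients they apply.
Get-ManagementRoleEntry "OOF Management\*" | Select-Object Name, Parameters
Get-ManagementRoleAssignment -RoleAssignee "OOF Administrators" |
    Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope

Disconnect-ExchangeOnline -Confirm:$false
```

Step 1 is the point of the exercise: without it, members of the group can also change calendar, regional and other mailbox options that come with "User Options". Step 4 is what to paste into a change record, since it shows the effective rights rather than the intent.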
Many IT departments face the challenge of managing Out-of-Office (OOF) responses when employees are unexpectedly unavailable. The common workarounds - password resets or shadow password databases - create significant security vulnerabilities and compliance issues.
The most secure solution is configuring proper delegation through Exchange Management Shell:
# Grant Send-As permission for OOF management
Add-RecipientPermission "jane.doe@domain.com" -AccessRights SendAs -Trustee "manager@domain.com"
# Verify permissions
Get-RecipientPermission "jane.doe@domain.com" | Where-Object {$_.Trustee -eq "manager@domain.com"}
For organizations needing frequent OOF updates, consider this PowerShell automation:
function Set-DelegatedOOF {
    param(
        [Parameter(Mandatory=$true)]
        [string]$UserEmail,       # mailbox whose auto-reply is changed
        [Parameter(Mandatory=$true)]
        [string]$DelegateEmail,   # UPN of the delegate making the change (interactive sign-in)
        [Parameter(Mandatory=$true)]
        [string]$OOFMessage,
        [datetime]$StartTime = (Get-Date),
        [datetime]$EndTime = (Get-Date).AddDays(3)
    )
    try {
        # The Basic-auth New-PSSession endpoint has been retired for Exchange Online;
        # Connect-ExchangeOnline signs the delegate in (MFA capable), no password in the script.
        Connect-ExchangeOnline -UserPrincipalName $DelegateEmail -ShowBanner:$false
        $params = @{
            Identity        = $UserEmail
            AutoReplyState  = 'Scheduled'   # 'Enabled' ignores StartTime/EndTime
            InternalMessage = $OOFMessage
            ExternalMessage = $OOFMessage
            StartTime       = $StartTime
            EndTime         = $EndTime
            ErrorAction     = 'Stop'
        }
        Set-MailboxAutoReplyConfiguration @params
        Write-Host "OOF set successfully for $UserEmail until $EndTime"
    }
    catch {
        Write-Error "Failed to set OOF: $_"
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}
For modern cloud environments, the Microsoft Graph API offers a robust solution:
PATCH https://graph.microsoft.com/v1.0/users/{id}/mailboxSettings
Content-Type: application/json
{
  "automaticRepliesSetting": {
    "status": "scheduled",
    "externalAudience": "all",
    "scheduledStartDateTime": {
      "dateTime": "2023-12-20T08:00:00",
      "timeZone": "Pacific Standard Time"
    },
    "scheduledEndDateTime": {
      "dateTime": "2023-12-28T17:00:00",
      "timeZone": "Pacific Standard Time"
    },
    "internalReplyMessage": "Out of office until December 28...",
    "externalReplyMessage": "Out of office until December 28..."
  }
}
When implementing any delegated access solution:
- Always use the principle of least privilege
- Implement audit logging for all OOF changes
- Consider temporary access tokens instead of permanent permissions
- Review delegated permissions quarterly
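The checklist above asks for audit logging and a periodic review of delegated permissions but does not show what that review looks like. As an added example (not code from the answer above), the function below inventories standing SendAs and FullAccess grants, lists the members of the OOF role group, pulls every Set-MailboxAutoReplyConfiguration operation from the unified audit log for the review window, and flags grants that nobody used in that window. It assumes an existing Connect-ExchangeOnline session, the ExchangeOnlineManagement module, a 90-day window, the role group name "OOF Administrators" used earlier on this page, and that trustees and audit-log actors are both reported as UPNs so they can be compared as strings.

```powershell
# Added example: quarterly review of delegated OOF access and of who actually used it.
# Assumes an active Connect-ExchangeOnline session; role group name "OOF Administrators"
# and the 90-day window are assumptions, as is comparing Trustee and UserId as UPN strings.
function Get-OofDelegationReview {
    param([int]$Days = 90)   # review window; 90 days matches a quarterly cycle

    # 1. Standing rights that let someone act on another mailbox: SendAs and FullAccess,
    #    excluding the owner (NT AUTHORITY\SELF) and inherited system entries.
    $grants = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        Get-RecipientPermission -Identity $mbx.Identity -AccessRights SendAs |
            Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Trustee = [string]$_.Trustee; Right = 'SendAs' } }
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'FullAccess' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Trustee = [string]$_.User; Right = 'FullAccess' } }
    }

    # 2. Who currently sits in the custom OOF role group.
    $members = Get-RoleGroupMember -Identity "OOF Administrators" -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PrimarySmtpAddress

    # 3. Every auto-reply change in the window: actor (UserId) and target mailbox (ObjectId).
    $changes = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -RecordType ExchangeAdmin -Operations Set-MailboxAutoReplyConfiguration -ResultSize 5000 |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Select-Object CreationTime, UserId, ObjectId

    # 4. Grants whose trustee made no change in the window are the first removal candidates.
    $usedBy = @($changes.UserId | Sort-Object -Unique)
    $stale  = $grants | Where-Object { $_.Trustee -notin $usedBy }

    [pscustomobject]@{
        StandingGrants   = $grants
        RoleGroupMembers = $members
        Changes          = $changes
        StaleGrants      = $stale
    }
}

$review = Get-OofDelegationReview -Days 90
$review.StaleGrants | Export-Csv -NoTypeInformation -Path .\oof-stale-grants.csv
$review.Changes | Format-Table -AutoSize
```

The audit query only sees changes made through the admin cmdlets and Graph; a delegate who opens the mailbox in OWA with FullAccess and sets the reply there shows up under mailbox auditing instead, so a complete review also checks MailboxLogin and UpdateInboxRules style mailbox-audit records for the same trustees. Search-UnifiedAuditLog returns at most 5000 records per call; for large tenants page with -SessionId and -SessionCommand ReturnLargeSet.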