It may become necessary for an admin or delegate to access a mailbox (other than their own) in OWA. There's two ways to do this and most people are familiar with the change in the URL method, which is what I'll be covering in this post.
In Wave14 (Exchange 2010), you merely had to append the user's smtp address to the suffix the OWA URL. So, for example, to access Amy Luu's mailbox in my test tenant, I would add the following: firstname.lastname@example.org
In Wave15 (Exchange 2013), we merely need to add another character at the end of the URL for this to work: email@example.com/
Would this method work if users were part of say, a readaccess security group with rights to read the mailbox?
Yes, yes it would. The security descriptors (http://msdn.microsoft.com/en-us/library/windows/desktop/aa379561) would still be read and matched against the user that is attempting to access the mailbox.