by Steven Lee Myers and Eric Lichtblaue

May 25, 2016

WASHINGTON — The State Department’s inspector general has sharply criticized Hillary Clinton’s exclusive use of a private email server while she was secretary of state, saying she had not sought permission to use it and would not have received it if she had.

In a report delivered to members of Congress on Wednesday, the inspector general said that Mrs. Clinton “had an obligation to discuss using her personal email account to conduct official business” with officials responsible for handling records and security but that inspectors found “no evidence” that she had.

The review “found no evidence” that Mrs. Clinton had requested or received approval from anyone at the department to conduct her state business on a personal email.

It said that she “had an obligation” to do so, given the well-known security risks involved in using a personal account. And it also said that department officials “did not — and would not — approve her exclusive reliance on a personal email account to conduct Department business.”

It also added new detail about Mrs. Clinton’s motivation for using the private server, which she has said was set up for convenience. In November 2010, her deputy chief of staff for operations prodded her about “putting you on state email or releasing your email address to the department so you are not going to spam.” Mrs. Clinton, however, replied that she would consider a separate address or device “but I don’t want any risk of the personal being accessible.”

The report, as well as an F.B.I. investigation and other legal challenges seeking information about her use of the server, is certain to keep alive a controversy that has shadowed Mrs. Clinton’s campaign for the presidency. The events have all come to a climax just as she is close to defeating Senator Bernie Sanders for the Democratic presidential nomination.

Mrs. Clinton and her aides have played down the inquiries, saying that she would cooperate with investigators to put the email issue behind her. Even so, through her lawyers, she declined to be interviewed by the State Department’s inspector general as part of his review. So did several of her senior aides.

Mrs. Clinton’s campaign spokesman, Brian Fallon, issued a statement emphasizing the findings that the problems with record keeping extended beyond Mrs. Clinton’s tenure.

“Contrary to the false theories advanced for some time now, the report notes that her use of personal email was known to officials within the Department during her tenure, and that there is no evidence of any successful breach of the Secretary’s server,” Mr. Fallon said in the statement.

The report broadly criticized the State Department as well, saying that officials had been “slow to recognize and to manage effectively the legal requirements and cybersecurity risks” that emerged in the era of emails, particularly those of senior officials like Mrs. Clinton.

It said that “longstanding systemic weaknesses” in handling electronic records went “well beyond the tenure of any one secretary of state” but the body of the report focused on the 30,000 emails that Mrs. Clinton sent and received on her private server.

The State Department issued numerous warnings dating back a decade about the cyber-security risks of using personal emails accounts for government business, the report said, and Mrs. Clinton was personally sent a memo in 2011 warnings of hackers trying to target unclassified, personal email accounts. She was also given a classified, in-person briefing on the dangers, the report said.

The report found that while dozens of State Department employees used personal email accounts periodically over the years, only three officials were found to have used it “exclusively” for day-to-day operations: Mrs. Clinton; Colin Powell, the secretary of state under President George W. Bush; and Scott Gration, the ambassador to Kenya from 2011 to 2012.

The review “found no evidence” that Mrs. Clinton had requested or received approval from anyone at the department to conduct her State Department business on a personal email. But it said that she “had an obligation” to do so, given the well-known security risks involved in using a personal account. And it also said that department officials “did not — and would not — approve her exclusive reliance on a personal email account to conduct Department business.”

But while State Department officials never directly told Mrs. Clinton or Mr. Powell that they needed to end their use of personal email, the report found, they did do so with Mr. Gration, a lower-level diplomat who did not have their political clout.

The response to Mr. Gration’s situation “demonstrates how such usage is normally handed when Department cybersecurity officials become aware of it,” the report said.

State Department security officials warned Mr. Gration in 2011 that he was not authorized to be using personal email for government business in Kenya. He continued doing so anyway, however, and the State Department initiated disciplinary action against him over “his failure to follow these directions” and several other undisclosed infactions, the report said. He resigned in 2012 before any discipline was imposed.

The report did not delve deeply into the issue that has become the focus of the F.B.I.’s investigation — the references in dozens of emails to classified information, including 22 emails that the Central Intelligence Agency considered “top secret.”

But it called into question the security risk of using a private server for what were clearly sensitive discussions of the nation’s foreign policy. It noted that Mrs. Clinton sent or received most of the emails that traversed her server from a mobile device, her BlackBerry.