App Protection Policies and Shared/Delegate Mailboxes with Outlook mobile
Published Apr 06 2020 06:00 AM 6,810 Views

I regularly receive questions regarding Outlook mobile’s support for shared and delegate mailbox scenarios, especially when Intune App Protection Policies are in play.


First, let us cover what Outlook mobile supports. Outlook mobile supports two scenarios, with a third scenario in development.

  1. Released: Access to shared mailboxes (using FullAccess permissions)
  2. Released: Access to another person’s mailbox using FullAccess permissions
  3. Released (May 2021): Access to another person’s mailbox using Delegate permissions

In the shared mailbox scenario, Outlook mobile enabled users (Jane) who have an identity the ability to access a shared mailbox (Support). A shared mailbox in this context, is a special mailbox type that is created using the -Shared parameter with the New/Enable-Mailbox cmdlets. Access to the shared mailbox (Support) by a primary user (Jane) is obtained via permissions and not using alternate credentials. See Shared mailboxes in Exchange Online for more information.


Outlook mobile has extended this architecture to now allow users (Jane) to add another person’s mailbox (Susan), referred to as “Access another person’s mailbox using FullAccess permissions” or more simply, a delegate mailbox scenario. Permissions are handled like the shared mailbox scenario – the primary user (Jane) is granted FullAccess on the other person’s mailbox (Susan) by an IT admin. And if the primary user (Jane) has been granted SendAs or Send on Behalf of, the primary user (Jane) can send messages as the other person’s mailbox (Susan). This is different than the traditional shared mailbox scenario because both users (Jane and Susan) have enabled identities and manage their mailboxes individually. For more information on permission assignment, see Manage permissions for recipients in Exchange Online.


By using the primary user’s permissions to gain access to the shared or delegate mailbox, the solution is more secure as credentials are not being shared amongst users. The primary user is the only identity that is authenticating and obtaining an access token in the tenant – the primary user’s access token is used to access the shared or delegate mailbox. In other words, in this scenario, multiple identities are not used within Outlook mobile.


This model has another benefit: support for app protection policies. As the primary user is the only account authenticating, it is the only account that can receive an app protection policy. Outlook mobile ensures that the app protection policy applies to all accounts associated with that identity, meaning that the primary user and any shared or delegate mailboxes are protected by the primary user’s app protection policy.


As always, if you have questions, please let us know.


Ross Smith IV
Principal Program Manager
Customer Experience Engineering

Version history
Last update:
‎Jun 07 2021 01:35 PM
Updated by: