
App Protection Policies and Shared/Delegate Mailboxes with Outlook mobile

Published Apr 06 2020 06:00 AM
Microsoft

I regularly receive questions regarding Outlook mobile’s support for shared and delegate mailbox scenarios, especially when Intune App Protection Policies are in play.

First, let us cover what Outlook mobile supports. Outlook mobile supports three scenarios (the third was released in May 2021):

  1. Released: Access to shared mailboxes (using FullAccess permissions)
  2. Released: Access to another person’s mailbox using FullAccess permissions
  3. Released (May 2021): Access to another person’s mailbox using Delegate permissions

In the shared mailbox scenario, Outlook mobile enables a user who has an identity (Jane) to access a shared mailbox (Support). A shared mailbox in this context is a special mailbox type that is created using the -Shared parameter with the New-Mailbox or Enable-Mailbox cmdlets. Access to the shared mailbox (Support) by the primary user (Jane) is granted via permissions, not by using alternate credentials. See Shared mailboxes in Exchange Online for more information.

Outlook mobile has extended this architecture to allow a user (Jane) to add another person’s mailbox (Susan), referred to as “Access another person’s mailbox using FullAccess permissions” or, more simply, a delegate mailbox scenario. Permissions are handled like the shared mailbox scenario: the primary user (Jane) is granted FullAccess on the other person’s mailbox (Susan) by an IT admin. If the primary user (Jane) has also been granted SendAs or Send on Behalf, the primary user (Jane) can send messages as the other person’s mailbox (Susan). This differs from the traditional shared mailbox scenario because both users (Jane and Susan) have enabled identities and manage their mailboxes individually. For more information on permission assignment, see Manage permissions for recipients in Exchange Online.
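The permission assignments the shared mailbox and delegate mailbox paragraphs above describe, as an added Exchange Online PowerShell example. This is not code from the original post; the mailbox names Jane, Susan and Support are the post's own, while the contoso.com domain, the admin account, and the use of the Calendar folder's Delegate sharing flag for the third (delegate permissions) scenario are my assumptions. It ends with a small report function so you can see exactly who holds access, since FullAccess is the broadest mailbox right there is.

```powershell
# Added example, not part of the original post. Assumes the ExchangeOnlineManagement
# module and an admin account in the assumed tenant domain contoso.com.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$jane    = 'jane@contoso.com'     # primary user (the only identity that signs in on the device)
$susan   = 'susan@contoso.com'    # another licensed user
$support = 'support@contoso.com'  # shared mailbox

# Scenario 1: a shared mailbox. -Shared creates a mailbox with no sign-in of its own,
# so access can only ever come from permissions, never from a second credential.
New-Mailbox -Shared -Name 'Support' -DisplayName 'Support' -Alias 'support' -PrimarySmtpAddress $support

# Jane gets FullAccess (read and manage the whole mailbox). -AutoMapping $false stops
# Outlook desktop from auto-attaching it; Outlook mobile adds the mailbox manually anyway.
Add-MailboxPermission -Identity $support -User $jane -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# SendAs lets Jane send mail that appears to come from Support itself.
Add-RecipientPermission -Identity $support -Trustee $jane -AccessRights SendAs -Confirm:$false

# Scenario 2: another person's mailbox with FullAccess. Same permission model, but
# Susan is an enabled identity who still signs in and manages her own mailbox.
Add-MailboxPermission -Identity $susan -User $jane -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# Send on Behalf is the narrower sending right: recipients see "Jane on behalf of Susan".
Set-Mailbox -Identity $susan -GrantSendOnBehalfTo @{ Add = $jane }

# Scenario 3 (assumption: classic delegate permissions rather than FullAccess):
# Jane becomes a delegate on Susan's Calendar, which is how Outlook delegation is set.
Add-MailboxFolderPermission -Identity "$($susan):\Calendar" -User $jane -AccessRights Editor -SharingPermissionFlags Delegate

# Verification: list every explicit trustee on each mailbox, skipping the implicit
# NT AUTHORITY\SELF entry and inherited ACEs, so FullAccess grants are reviewable.
function Get-MailboxAccessReport {
    param([Parameter(Mandatory)][string[]]$Mailbox)
    foreach ($m in $Mailbox) {
        Get-MailboxPermission -Identity $m |
            Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $m; Trustee = $_.User; Right = ($_.AccessRights -join ',') } }
        Get-RecipientPermission -Identity $m -AccessRights SendAs |
            Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $m; Trustee = $_.Trustee; Right = 'SendAs' } }
        foreach ($t in (Get-Mailbox -Identity $m).GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox = $m; Trustee = $t; Right = 'SendOnBehalf' }
        }
    }
}

Get-MailboxAccessReport -Mailbox $support, $susan | Format-Table -AutoSize
```

On the device, Jane then adds Support or Susan's mailbox through Outlook mobile's add-account flow and is never prompted for a second password; that absence of a second credential is the whole point of the model. Treat the report as a standing control: FullAccess exposes every item in the target mailbox, so anyone listed with it should be someone you would also be comfortable seeing sign in as that mailbox.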

By using the primary user’s permissions to gain access to the shared or delegate mailbox, the solution is more secure as credentials are not being shared amongst users. The primary user is the only identity that is authenticating and obtaining an access token in the tenant – the primary user’s access token is used to access the shared or delegate mailbox. In other words, in this scenario, multiple identities are not used within Outlook mobile.


This model has another benefit: support for app protection policies. As the primary user is the only account authenticating, it is the only account that can receive an app protection policy. Outlook mobile ensures that the app protection policy applies to all accounts associated with that identity, meaning that the primary user and any shared or delegate mailboxes are protected by the primary user’s app protection policy.


As always, if you have questions, please let us know.


Ross Smith IV
Principal Program Manager
Customer Experience Engineering

9 Comments
Occasional Contributor

Excited for the delegate permissions scenario to be released.

Senior Member

This is a great feature addition. May I know the ETA for delegate permissions?

Occasional Visitor

Came across this article after discovering an issue on iOS.

We have an App Protection Policy that stops email data from showing on the lock screen. This works great for the user's mailbox, but if an email is sent to a shared mailbox, the subject and body preview are both shown on the lock screen.

The shared mailbox is mounted via Outlook using Full Access permissions.

This seems to indicate that your statement above is incorrect:

"Outlook mobile ensures that the app protection policy applies to all accounts associated with that identity, meaning that the primary user and any shared or delegate mailboxes are protected by the primary user’s app protection policy."

Microsoft

@SimonPayne That is a bug that will be addressed in the next update.

Occasional Visitor

Thanks @Ross Smith IV 

Do you mean next Outlook App release or next Intune release?

Microsoft

@SimonPayne Outlook iOS 4.60.0 which was released this week includes the fix.

Senior Member

@Ross Smith IV Are app protection policies fully supported for outlook mobile and shared mailboxes at this point? We're having difficulty specifically with a shared mailbox on iOS and the ability to save new contacts to the shared mailbox. Intune first level support says it's expected behavior, but everything I can find says it should work.


Thanks,

Microsoft

@sbradbury I'm assuming you are getting "can't change account" modal dialog when attempting to add a contact to the shared mailbox. If so, that's a bug, as we should allow change to the shared/delegate mailbox. Instead of routing the support case to Intune, re-route it to Outlook as it's an Outlook implementation issue, not an SDK issue.

Senior Member

@Ross Smith IV Thank you, appreciate the feedback and yes that's the message we get. Works fine in Android, not in iOS.


I have no confidence I'll be able to find anyone in outlook mobile support that will pay attention to this, but I'll give it a try.

Last update: Jun 07 2021 01:35 PM