Intune Customer Success

App Protection Policies and Shared/Delegate Mailboxes with Outlook mobile

Ross Smith IV (Microsoft)
Apr 06, 2020

I regularly receive questions regarding Outlook mobile’s support for shared and delegate mailbox scenarios, especially when Intune App Protection Policies are in play.

First, let us cover what Outlook mobile supports. Outlook mobile supports the following scenarios (the third was still in development when this post was first written and has since been released):

  1. Released: Access to shared mailboxes (using FullAccess permissions)
  2. Released: Access to another person’s mailbox using FullAccess permissions
  3. Released (May 2021): Access to another person’s mailbox using Delegate permissions

In the shared mailbox scenario, Outlook mobile gives a user who has an identity (Jane) the ability to access a shared mailbox (Support). A shared mailbox in this context is a special mailbox type that is created using the -Shared parameter with the New-Mailbox or Enable-Mailbox cmdlets. Access to the shared mailbox (Support) by a primary user (Jane) is obtained via permissions and not using alternate credentials. See Shared mailboxes in Exchange Online for more information.

Outlook mobile has extended this architecture to now allow users (Jane) to add another person’s mailbox (Susan), referred to as “Access another person’s mailbox using FullAccess permissions” or more simply, a delegate mailbox scenario. Permissions are handled like the shared mailbox scenario – the primary user (Jane) is granted FullAccess on the other person’s mailbox (Susan) by an IT admin. And if the primary user (Jane) has also been granted SendAs or Send on Behalf of, the primary user (Jane) can send messages as the other person’s mailbox (Susan). This is different from the traditional shared mailbox scenario because both users (Jane and Susan) have enabled identities and manage their mailboxes individually. For more information on permission assignment, see Manage permissions for recipients in Exchange Online.
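The two scenarios above, provisioned and then audited from Exchange Online PowerShell. This is an added example and not code from the original post or from Microsoft documentation; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and the caller has Exchange Administrator rights, and the tenant contoso.com, the mailbox Support and the users jane@ and susan@ are constructed placeholders that stand in for the post's Jane, Susan and Support.

```powershell
# Added example (not from the original post): provision the shared-mailbox and
# delegate-mailbox scenarios the post describes, then verify who was granted access.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules are installed;
# contoso.com, Support, jane@ and susan@ are constructed placeholder names.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# --- Scenario 1: shared mailbox (Support) -----------------------------------
# -Shared creates the special mailbox type the post refers to.
New-Mailbox -Shared -Name "Support" -DisplayName "Support" -Alias support

# Jane reaches Support through her own identity and her own access token;
# no second credential is issued or shared.
Add-MailboxPermission -Identity "Support" -User "jane@contoso.com" `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# Optional: allow Jane to send as the shared mailbox.
Add-RecipientPermission -Identity "Support" -Trustee "jane@contoso.com" `
    -AccessRights SendAs -Confirm:$false

# A shared mailbox still has a user object behind it. Blocking interactive
# sign-in keeps the "permissions, not alternate credentials" model honest.
# (Microsoft Graph PowerShell; assumes Connect-MgGraph was run with
# User.ReadWrite.All. This step is an added hardening check, not from the post.)
Update-MgUser -UserId "support@contoso.com" -AccountEnabled:$false

# --- Scenario 2: another person's mailbox (Susan) via FullAccess ------------
Add-MailboxPermission -Identity "susan@contoso.com" -User "jane@contoso.com" `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# Send on Behalf (rather than SendAs) keeps the "on behalf of" stamp on mail.
Set-Mailbox -Identity "susan@contoso.com" -GrantSendOnBehalfTo @{Add = "jane@contoso.com"}

# --- Verification: who can actually open these mailboxes? --------------------
# Lists explicit (non-inherited) FullAccess grants, excluding the mailbox's own
# SELF entry, so an admin can review delegations periodically.
function Get-ExplicitFullAccess {
    param([Parameter(Mandatory)][string]$Mailbox)
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object {
            -not $_.IsInherited -and
            $_.User -ne "NT AUTHORITY\SELF" -and
            $_.AccessRights -contains "FullAccess"
        } |
        Select-Object Identity, User, AccessRights
}

Get-ExplicitFullAccess -Mailbox "Support"
Get-ExplicitFullAccess -Mailbox "susan@contoso.com"

# SendAs trustees on the shared mailbox, again excluding SELF.
Get-RecipientPermission -Identity "Support" |
    Where-Object { $_.Trustee -ne "NT AUTHORITY\SELF" } |
    Select-Object Identity, Trustee, AccessRights
```

The `-AutoMapping $false` choice is deliberate: Outlook mobile adds the shared or delegate mailbox through the user's own identity, so automapping (which only affects Outlook desktop's Autodiscover behaviour) is not needed, and turning it off avoids surprising users whose desktop profile suddenly mounts an extra mailbox. The two Get-* queries at the end are the check a reviewer would run before trusting that only the intended primary users hold FullAccess or SendAs.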
By using the primary user’s permissions to gain access to the shared or delegate mailbox, the solution is more secure as credentials are not being shared amongst users. The primary user is the only identity that is authenticating and obtaining an access token in the tenant – the primary user’s access token is used to access the shared or delegate mailbox. In other words, in this scenario, multiple identities are not used within Outlook mobile.
This model has another benefit: support for app protection policies. As the primary user is the only account authenticating, it is the only account that can receive an app protection policy. Outlook mobile ensures that the app protection policy applies to all accounts associated with that identity, meaning that the primary user and any shared or delegate mailboxes are protected by the primary user’s app protection policy.
As always, if you have questions, please let us know.
Ross Smith IV
Principal Program Manager
Customer Experience Engineering

Updated Dec 19, 2023
Version 9.0
  • Everstege (Copper Contributor)

    Hi Ross Smith IV,
    I really like your article.

    We have a lot of users having multiple accounts in the same domain (please don't ask why). Using app protection policies we want to prevent sending corporate data using personal applications (like WhatsApp). Adding the account like a delegated mailbox works like a charm on the mobile devices; however, the user can still add his additional account using "add account" in the Outlook app. Then the additional account is not protected by app protection policies. Can we prevent users from adding more than one account in the Outlook app somehow? We only use app protection policies and not full device management because some of the devices are personal devices.

    Any idea if Microsoft is working on a solution for this? 
  • sbradbury (Copper Contributor)

    Ross Smith IV Thank you, appreciate the feedback and yes that's the message we get. Works fine in Android, not in iOS.
    I have no confidence I'll be able to find anyone in outlook mobile support that will pay attention to this, but I'll give it a try.
  • Ross Smith IV (Microsoft)

    sbradbury I'm assuming you are getting the "can't change account" modal dialog when attempting to add a contact to the shared mailbox. If so, that's a bug, as we should allow change to the shared/delegate mailbox. Instead of routing the support case to Intune, re-route it to Outlook as it's an Outlook implementation issue, not an SDK issue.

  • sbradbury (Copper Contributor)

    Ross Smith IV Are app protection policies fully supported for outlook mobile and shared mailboxes at this point? We're having difficulty specifically with a shared mailbox on iOS and the ability to save new contacts to the shared mailbox. Intune first level support says it's expected behavior, but everything I can find says it should work.
    Thanks,

  • SimonPayne (Copper Contributor)

    Came across this article after discovering an issue on iOS.

    We have an App Protection Policy that stops email data from showing on the lock screen. This works great for the user's mailbox, but if an email is sent to a shared mailbox, the subject and body preview are both shown on the lock screen.

    The shared mailbox is mounted via Outlook using Full Access permissions.

    This seems to indicate that your statement above is incorrect:

    "Outlook mobile ensures that the app protection policy applies to all accounts associated with that identity, meaning that the primary user and any shared or delegate mailboxes are protected by the primary user’s app protection policy."

  • pradeeppm (Copper Contributor)

    This is a great feature addition. May I know the ETA for delegate permissions?

  • Jason Katz (Copper Contributor)

    Excited for the delegate permissions scenario to be released.