SOLVED

Safe Links API

Copper Contributor

Hi all,

I'm confused about the Safe Links feature which is called "Do not rewrite URLs, do checks via SafeLinks API only".

 

There are two descriptions which are contradictory to me.

 

1st:

2nd:

  • Do not rewrite URLs, do checks via SafeLinks API only: If this setting is selected (on), no URL wrapping takes place but the URLs are scanned prior to message delivery. In supported versions of Outlook (Windows, Mac, and Outlook on the web), Safe Links is called exclusively via APIs at the time of URL click.
    (https://learn.microsoft.com/en-us/defender-office-365/safe-links-about)

So what exactly happens, if I enable the API check only? Are links scanned prior delivery or not?

 

Thanks

2 Replies
best response confirmed by RobertR2 (Copper Contributor)
Solution

@RobertR2, yes both options will cause the Safe Links scan at delivery.

 

The difference between them is the rewrite URL option changes the URL inside the body, injecting our Safe Links in to the URL. This means by clicking the URL, the user will go via the Safe Links infrastructure before being redirected to the destination - this doesn't require any client side support and will work across any client as we are changing the URL itself to point to our Safe Links.

 

The API only option does not change the content of the message but requires client side support such as the Outlook client. The click is intercepted at the client and we do the validation of the site via an API call rather than via the redirect method in rewrite.

 

The difference is not what happens during delivery, it's what happens when the user clicks on the message. We perform scan both at delivery and at click with both settings, but the API only method requires client side support for time of click protection.

 

Hope that helps..

@cammurray Thanks, that what I somehow expected. The documentation should be updated to give a clear understanding.

1 best response

Accepted Solutions
best response confirmed by RobertR2 (Copper Contributor)
Solution

@RobertR2, yes both options will cause the Safe Links scan at delivery.

 

The difference between them is the rewrite URL option changes the URL inside the body, injecting our Safe Links in to the URL. This means by clicking the URL, the user will go via the Safe Links infrastructure before being redirected to the destination - this doesn't require any client side support and will work across any client as we are changing the URL itself to point to our Safe Links.

 

The API only option does not change the content of the message but requires client side support such as the Outlook client. The click is intercepted at the client and we do the validation of the site via an API call rather than via the redirect method in rewrite.

 

The difference is not what happens during delivery, it's what happens when the user clicks on the message. We perform scan both at delivery and at click with both settings, but the API only method requires client side support for time of click protection.

 

Hope that helps..

View solution in original post