Outlook: shared folder / mailbox compatibility
The vast majority of email inboxes are so-called primary inboxes. They are used by a single person only as their primary inbox. However, there are some exceptions. This article explains Phishing Report Button compatibility within Outlook in these 2 scenarios:
Shared inboxes: These are inboxes that can be accessed by multiple people and are usually not associated with a single person. This is often used for teams or departments so that there is a single point of contact. Think
support@company.com, for instance.Shared folders / delegated access: In this scenario, a user might share access to their primary, individual inbox or a folder of their inbox with someone else (a “delegate”)
The Phishing Report Button can work in both scenarios, but technical limitations within Outlook limit compatibility based on your organization’s specific environment.
Compatibility Matrix
Microsoft offers no way for the Phishing Report Button add-in to determine the environment it is operating in, so you will have to verify this yourself.
Server Environment | Mailbox Access | Microsoft Graph API | Outlook REST API | EWS (Exchange Web Services) | Notes |
|---|---|---|---|---|---|
Microsoft 365 (Cloud) | primary mailbox | ✅ | ❌ | ❌ | Graph is the only modern, supported API. REST & EWS are deprecated. |
Microsoft 365 (Cloud) | delegated access | ✅ | ❌ | ❌ | Graph is the only modern, supported API. REST & EWS are deprecated. |
Microsoft 365 (Cloud) | shared mailbox | ✅ | ❌ | ❌ | Supported and works seamlessly with the correct access token. |
On-premise Exchange (2016+) | primary mailbox | ❌ | ✅ | ✅ | Both can be used, but REST is the more modern choice. |
On-premise Exchange (2016+) | delegated access | ❌ | ✅ | ✅ | Both can be used, but REST is the more modern choice. |
On-premise Exchange (2016+) | shared mailbox | ❌ | ✅ | ❌ | REST is the only supported api due to authentication context (see Details below) |
Details
EWS support is limited to on-premise Exchange environments and does not work properly with shared mailboxes. The reason for this is the Office JavaScript API (Office.js), which is provided by Microsoft and enables the Phishing Report Button to communicate with Outlook. Although it can authenticate the user correctly, it has no mechanism for recognizing that the user is working in the context of a shared mailbox rather than their primary inbox. It will therefore misinterpret all access attempts.
For more details regarding compatibility questions, we recommend the official Microsoft documentation.