Outlook integration

1. Goal of this Document

Feedelity connects to your Microsoft 365 tenant so it can read incoming feedback from designated shared mailboxes (e.g. info@yourbrand.be) and let your team reply to that feedback directly from inside Feedelity. 


The integration must be initiated by a Microsoft 365 administrator, someone with rights to grant tenant-wide admin consent and to run Exchange Online PowerShell. A regular user account cannot complete this setup. 


Because shared mailboxes have no signed-in user, Microsoft does not support standard delegated permissions for this scenario. Feedelity must instead run as a background service using application permissions. By default, application permissions grant access to every mailbox in the tenant, so this guide walks you through Microsoft's recommended approach for narrowing that down: scoping access to a specific mail-enabled security group via an Application Access Policy. (Microsoft reference: Limiting application permissions to specific Exchange Online mailboxes)

2. Implementation Steps

STEP 1: Preparation (Create Security Group) 


Before connecting the app, define which mailboxes Feedelity is allowed to touch by putting them in a specific group in MS Exchange. 


1) Go to the Exchange Admin Center > Recipients > Groups. 

2) Click Add a group and select Mail-enabled security. 

3) Name the group (e.g., Feedelity_Integration_Access). 

4) Add owners (usually yourself). 

5) Add Members: Add the shared mailboxes you want Feedelity to access (e.g., info@yourbrand.be). 

6) Assign an email address to the group itself (e.g., feedelity-access-group@yourbrand.com). 

7) Create the group.

STEP 2: Connect & Grant Consent 


Next, install the Feedelity App into your tenant by granting consent. 


1) Log in to Feedelity as an Administrator. 

2) Navigate to Settings > Integrations and click Add Integration. 

3) Select Microsoft Outlook. 

4) Grant Consent: You will be redirected to Microsoft. Click Accept to grant the required permissions. 


Note: At this exact moment, access is technically tenant-wide. You will immediately restrict this in the next step. 

STEP 3: Restrict Access (PowerShell Policy) 

Now that the app is installed, use PowerShell to apply the restriction policy. (MS docs reference: Limiting application permissions to specific Exchange Online mailboxes)


Prerequisites: You must have the "Exchange Online PowerShell Module" installed. 


1. Connect to Exchange Online 

Open PowerShell as Administrator and run: 

A login window will pop up. Sign in with your Microsoft 365 Administrator account. 


2. Define Your Variables 


Copy the block below into PowerShell. Replace the email address in quotes with the email address of the security group you created in Step 1.

3. Create the Policy 


Paste this command to create the restriction using the variables you defined above. 

4. Verify the Policy (Optional but Recommended) 


Run these tests to ensure the security is working correctly. 

Test A: Verify Success (Should say "Granted") 

Test B: Verify Restriction (Should say "Denied") 
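
The four sub-steps above as one PowerShell session. This is an added example, not Feedelity's own script: the application ID and the non-member mailbox are placeholders to replace with your own values, and the other addresses are the example values used in this guide.

```powershell
# Added example. Requires the ExchangeOnlineManagement module
# (Install-Module ExchangeOnlineManagement) and an Exchange administrator account.

# 1. Connect to Exchange Online (opens the sign-in window).
Connect-ExchangeOnline

# 2. Define the variables.
# PLACEHOLDER: Application (client) ID of the Feedelity enterprise application,
# shown in the Entra portal under Enterprise Applications > Feedelity.
$AppId      = '00000000-0000-0000-0000-000000000000'
# Address of the mail-enabled security group from Step 1 (example value from this guide).
$GroupEmail = 'feedelity-access-group@yourbrand.com'

# 3. Create the policy: the app may only reach mailboxes that are members of the group.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $GroupEmail `
    -AccessRight RestrictAccess `
    -Description 'Restrict Feedelity to the integration access group'

# 4. Verify: each mailbox is mapped to the result it should produce.
$Expected = [ordered]@{
    'info@yourbrand.be'         = 'Granted'   # Test A: member of the group
    'not-in-group@yourbrand.be' = 'Denied'    # Test B: PLACEHOLDER, any mailbox outside the group
}

$Failures = 0
foreach ($Mailbox in $Expected.Keys) {
    $Result = Test-ApplicationAccessPolicy -Identity $Mailbox -AppId $AppId
    $Ok     = $Result.AccessCheckResult -eq $Expected[$Mailbox]
    if (-not $Ok) { $Failures++ }
    '{0,-28} expected {1,-8} got {2,-8} {3}' -f $Mailbox, $Expected[$Mailbox],
        $Result.AccessCheckResult, $(if ($Ok) { 'OK' } else { 'MISMATCH' })
}

if ($Failures -gt 0) {
    # A 'Granted' result for a mailbox outside the group means the app can still read it.
    Write-Warning "$Failures check(s) did not match. Confirm group membership and the AppId, then re-run."
}

# Close the session when finished.
Disconnect-ExchangeOnline -Confirm:$false
```
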

STEP 4: Finalize Configuration


Now that the connection is secure, tell Feedelity which mailbox to sync. 

1. Navigate to Settings > Integrations > Outlook Integration (click on the tenant you just connected). 

2. Click “Add channels” at the bottom of the page. 

3. Type the email address of the shared mailbox (e.g., info@yourbrand.be) and confirm. Important: Ensure this mailbox is a member of the Security Group created in Step 1. 

⚠️ Important Note on Timing: 


It can take up to 1 hour for access restrictions (Application Access Policies) to propagate on the Microsoft Exchange servers. 


If you receive an error when adding the mailbox immediately after running the PowerShell commands, please wait 15–60 minutes and try again. This is a normal Microsoft delay and not an error with Feedelity. 

3. Technical Reference: Permissions & Security

This section explains the technical details behind the permissions requested during Step 2. 


Why Feedelity Requires Application Permissions 


Feedelity currently supports integration exclusively with Shared Mailboxes. 


Because a Shared Mailbox does not have a specific licensed user with a password to "sign in," Microsoft does not allow the use of standard "Delegated Permissions" (acting on behalf of a signed-in user) for these mailboxes. 


Instead, Feedelity must act as a background service using Application Permissions. 


  • The Default Behavior: By default, Microsoft grants Application Permissions at the Tenant Level, meaning the app technically has access to all mailboxes. 


  • The Safeguard: The Application Access Policy you created in Step 3 overrides this default, strictly limiting Feedelity’s access to the specific security group you defined. 


Detailed Permissions Table 


A. Application Permissions (Email Integration) 


These allow the Feedelity system to access the Shared Mailboxes to process feedback without a user present. 

Permission | Type | Justification
Mail.ReadWrite | Application | Allows Feedelity to receive emails from the shared mailbox.
Mail.Send | Application | Allows your staff to reply to complaints/feedback directly from within the Feedelity interface.
Organization.Read.All | Application |

B. Delegated Permissions (User Authentication) 


These are required to allow your team members to log in to Feedelity using their Microsoft credentials. 

Permission | Type | Justification
openid, email, profile | Delegated | Required for Single Sign-On (SSO). These permissions allow any user in your organization to log in to the Feedelity platform. Without these, users will not be able to access the Feedelity application.

Managing Permissions 


You can review, manage, and edit these permissions at any time in the Microsoft Entra Portal (under Enterprise Applications > Feedelity). 


⚠️ Warning: Please note that modifying or revoking these permissions manually in the Entra Portal may break the functionality of the integration. Removing permissions will prevent emails from being processed or stop users from being able to log in. 

 
 

4. Appendix: Creating Mail-Enabled Security Group
