Customer Engagement & Dynamics CRM Forum

Security for O365 Shared Mailbox and sending e-mail from a workflow

  • 1.  Security for O365 Shared Mailbox and sending e-mail from a workflow

    Posted Oct 07, 2019 02:44 PM
    Hi All,

    I just spent a few hours looking at an error we've been seeing in one of our workflows and finding a lot of old information posted regarding the security roles required and thought I'd share what finally worked.

    We're running D365 Online ( with Office 365 Exchange Online and have an O365 shared mailbox configured for ''. The O365 shared mailboxes are nice because there is no additional monthly fee, and are easy to share with multiple users, but does not have a specific user account associated with it. In D365, we created a new queue, and mailbox configured using server side sync.

    We have a workflow set up to send an e-mail template from the shared mailbox address, which is triggered automatically based on record creation, or if a couple of fields on the entity are modified.  The workflow can also be run on demand in case the email needs to be sent manually,

    Since the workflow was owned by an admin account, it worked perfectly when triggered through record creation or update since it ran under the user context of the workflow owner. However, when run manually by another D365 user, it would then run under that user context, and throw an error similar to "User does not have send-as privilege".  I tried several settings, including adding the delegate security role to the user, adding them to a security role that has the "send email as another user"  privilege, and "act on behalf of another user" privilege, changing the queue from a public to a private with explicit membership, but it didn't hit me until I tried to use the XRM Toolkit to set the "allow e-mails on behalf" setting for this user, that it is a queue and not a user.

    /* TLDR */
    In the end, I did not use the "send email as another user" privilege from the security role, and simply shared the queue (only read access) with the users that are allowed to send from that e-mail address. The one other setting required was a security role that enabled the 'Append To' on the queue entity (choosing user, business unit, or organization will depend on your particular security configuration).

    Jeff Woodard
    Chief Technical Officer
    Transportation Financial Services, Inc.
    West Palm Beach FL
    Academy - Online Interactive Learning from Experts

If you've found this thread useful, dive deeper into User Group community content by role