Exchange Online
Manage shared mailboxes, distribution lists, aliases, and mailbox delegation.
Dex connects to Exchange Online via Microsoft Graph plus the Exchange Online Management REST endpoint (app-only auth) and lets admins and employees manage shared mailbox access, distribution list membership, primary email aliases, and mailbox delegation from plain-language requests — with policy-gated approvals and audit logs.
What Dex does with Exchange Online
Dex handles both admin workflows and employee self-service — all policy-guardrailed and audit-logged.
For admins (CoAdmin)
- Discover every shared mailbox (M365 unified groups) and distribution list in the tenant
- Grant and revoke mailbox delegation (Full Access, Send As) on shared mailboxes
- Add and remove members from distribution lists and mail-enabled security groups
- Change a user's primary email alias safely — validates domain verification, checks for cross-tenant collisions, preserves the old address as a secondary alias
- Identify users by GUID, UPN, primary email, or display name (with disambiguation when multiple match)
- Configure internal-only email forwarding with approval guardrails
- Share calendars between users (self-service)
For employees (self-service)
- Request Full Access or Send As permission on a shared mailbox (e.g. support@, sales@)
- Request to join a distribution list
- Change your own primary email alias (within verified tenant domains)
- Share your calendar with a specific colleague
- Set up internal email forwarding (approval-gated)
Just ask Dex
Your team types a request in plain language. Dex investigates, plans, and executes — with the right guardrails.
Admin prompts
- >Grant sarah@acme.com Full Access and Send As on the support@acme.com shared mailbox
- >Remove john@acme.com from the "all-sales" distribution list and add the 5 users in this spreadsheet
- >Change mike.smith@acme.com's primary email to michael.smith@acme.com and keep the old one as an alias
- >Show me every shared mailbox in the tenant and who currently has delegated access to each
- >Move everyone in the "Contractors" DL into "External-Contractors" and delete the old list
Employee prompts
- >I need Send As permission on support@acme.com so I can reply from the queue
- >Request to join the "all-hands@acme.com" distribution list
- >Change my email alias to j.doe@acme.com — keep the old one as a secondary
- >Share my calendar with my manager (read-only)
Policy actions
Every action Dex can take on Exchange Online is declared, scoped, and guardrailed. Admins control which apply, who approves them, and whether they're limited to self-service.
| Action | What it does |
|---|---|
mailbox_delegation | Grant delegated Full Access on a shared mailbox |
send_as | Grant Send As permission on a shared mailbox or user |
distribution_list_membership | Add or remove members from a distribution list |
change_primary_alias | Change a user's primary email alias (preserves old as secondary) |
calendar_share | Share your own calendar with another user |
email_forwarding_internal | Configure internal-only email forwarding |
How to configure Exchange Online
Onboarding takes minutes. Dex validates your credentials before saving them.
Setup steps
- 1Complete the Dex Microsoft 365 integration — most Exchange operations (DL membership, discovery) use the shared M365 Graph consent.
- 2For mailbox delegation and primary-alias changes, create a dedicated Azure app registration with the Exchange.ManageAsApp application permission and grant admin consent.
- 3Assign the Exchange Administrator (or Mail Recipients) role to the app's service principal in the Entra ID admin center under Roles and administrators.
- 4In Dex, enable the Exchange integration — Graph operations reuse the M365 connection; Exchange Online management operations use the Exchange.ManageAsApp credentials.
- 5Run Exchange discovery — Dex enumerates unified groups (shared mailboxes) and mail-enabled groups (distribution lists) via Graph, and generates per-resource policy targets.
- 6Test a low-risk operation (e.g. add yourself to a test distribution list) to confirm both Graph and Exchange Management auth are working.
No extra credentials
This integration is covered by your Microsoft 365 tenant authorization to Dex. There are no per-app credentials to create or rotate.
Requirements
- •Microsoft 365 tenant with Exchange Online (any Business or Enterprise plan with Exchange)
- •Global Administrator required to grant the Exchange.ManageAsApp application permission and assign the Exchange Administrator role to the service principal
- •Graph credentials are inherited from the Dex Microsoft 365 connection — no app-specific setup for DL membership or discovery
- •Mailbox delegation and primary-alias changes require a separate Azure app registration with Exchange.ManageAsApp and Exchange Administrator or Mail Recipients role
- •Primary alias changes validate that the target domain is verified in the tenant and ensure no user/group collisions before applying
Related integrations
Directory & IdentityMicrosoft Entra ID
Manage Entra ID users, groups, licenses, and sign-in risk through Microsoft Graph.
Learn more →
CollaborationMicrosoft Teams
Manage Teams membership, route approvals to team owners, and send direct messages.
Learn more →
Directory & IdentitySharePoint
Grant, audit, and query SharePoint sites and lists through Microsoft Graph.
Learn more →
See Dex run Exchange Online
Book a 30-minute walkthrough with our team and see how autonomous IT works in your environment — or get started for free.