VIPRE Security Knowledge

SafeSend Web Add-in Authentication

Super Administrator

Written By Marissa Fegan (Super Administrator)

Updated at November 5th, 2025

Table of Contents

1. Authentication Request 2. Token Retrieval 3. Policy Settings Retrieval 4. Confirmation Logic Execution 5. (Optional) DLP Attachment Scan 6. Reporting Summary

This article outlines the application flow for the SafeSend add-in within Microsoft Outlook, with reference to its interaction with Microsoft Entra ID, the SafeSend API, and the Microsoft Graph API. The flow ensures secure authentication, policy enforcement, optional data loss prevention (DLP) scanning, and event reporting.

 

1. Authentication Request

The process begins when SafeSend initiates a request to Outlook to obtain an authorization token. This token is required to securely access resources and retrieve policy settings.

2. Token Retrieval

Outlook handles the token retrieval process as follows:

  • It first checks its local cache for a valid token or attempts a silent token refresh using MSAL (Microsoft Authentication Library)
  • If no valid token is available, Outlook obtains a new token from Microsoft Entra ID via SSO (Single Sign-On)
  • Entra ID issues an access token scoped for use with the Microsoft Graph API
  • Outlook then returns this token to the SafeSend add-in, allowing it to make authenticated API calls.

3. Policy Settings Retrieval

With the token in hand:

  • SafeSend sends a request to the SafeSend API to fetch the latest policy settings
  • The API validates the provided Microsoft token using MSAL to ensure authenticity and authorization
  • Upon successful validation, the SafeSend API responds with the appropriate policy configuration for the user or session


4. Confirmation Logic Execution

After receiving policy settings:

  • SafeSend applies internal confirmation logic to enforce configured security and compliance rules
  • This logic determines how the user is prompted before an email can be sent externally, including checks for recipients, sensitive content, and other contextual factors

5. (Optional) DLP Attachment Scan

If DLP scanning is enabled:

  • SafeSend uploads email attachments to the SafeSend API for scanning
  • The API evaluates the files against DLP policies, such as those targeting PII, financial data, or custom keywords
  • Any rule matches or violations are returned to SafeSend to influence the user's sending decision
     

6. Reporting

Finally:

  • SafeSend sends event metadata (such as policy hits, user decisions, and DLP results) to the SafeSend API
  • This information is used for reporting, auditing, and compliance tracking purposes within the administrator portal

Summary

The SafeSend application flow leverages modern Microsoft authentication (via MSAL and Entra ID), securely retrieves user-specific policy settings, enforces configurable confirmation logic, and optionally scans email attachments for sensitive data. This architecture ensures that outbound email activity is compliant, traceable, and protected against accidental data loss.

If you have further questions or require assistance, please contact our Support team.
 

Related Articles

Deploy SafeSend Web Add-in

When using the SafeSend web add-in, there are two ways to deploy this to your org...

Add your Logo to Web Add-in

You can customize the look and feel of the VIPRE SafeSend web add-in by uploading...

Install SafeSend Web Add-in

If you are new to SafeSend and setting it up for the first time, please stop here...

Web Add-in: Data Loss Prevention

VIPRE SafeSend can prevent sensitive information from being sent out to the wrong...