Safe Links is protection system in Microsoft Exchange that scans and executes links inside emails to determine if they are malicious or not.

When a user clicks on a link inside an email, it first gets executed by Safe Links, then if links is safe it will execute it again as the user. This causes an issue with RAPS approval emails as the links inside those emails contain a one time use token. Those tokens get consumed by Safe Links and when the user actually opens the link they get told that the token is invalid. However, the approval inside Pronto already occurred since Safe Links already executed the link.

To prevent this from happening a policy needs to be created to exclude Pronto server links from Safe Links.

The following steps will show how to configure this policy:

1. Login to: https://security.microsoft.com
2. Navigate to Email & collaboration > Policies & rules > Threat policies

   

1. Under Policies, click Safe Links

   

1. Click Create
2. Name the policy and optionally provide a description

   

1. Click Next
2. Assign the policy to either specific users, groups, or domains

   

1. Click Next
2. Click Manage 0 URLs 
3. Depending on how tightly you want to configure this enter either your Pronto Server or a wildcard with stratusmanagedcloud.com domain and click Save.
   Example:
   xi.customer.stratusmanagedcloud.com (replace with URL of your Pronto server) or
   *.customer.stratusmanagedcloud.com (replace with URL of your Pronto server) or
   *.stratusmanagedcloud.com

   

1. Click Done
2. Click Next > Next > Submit
3. Make sure that the priority on this policy is higher than any other policy that would not have these exclusions

   

1. The policy can take anywhere from 5 minutes to 24 hours to apply, but usually is applied within a few minutes.