Before we begin our article today, I just want to say this: if you guys and gals aren’t aware of the CIAOPS community yet, then you should definitely check it out. It’s a great place to hang out, with lots of smart people both asking and answering good, hard questions. Well worth the investment–I already consider myself fairly smart (as one can be) in the Microsoft/Office 365 space, and even I have learned a lot by participating there. Now, recently Robert posted a very good overview of some of the security problems with shared mailboxes on his blog, and it sparked some more discussion in the group.

The reality is, there are lots of problems with shared mailboxes, and have been for quite some time. I am sure many of you out there have run into these issues before, since shared mailboxes at present are not easy to work with outside of a traditional Outlook client. As the “mobile-first” generation has come up, it is more frustrating than ever that we cannot access these accounts from a mobile device, for instance.*

By default, when you create a shared mailbox, there is no way to log in to it. However, that doesn’t mean it can’t be done. Technically there is a system generated password, and you can change that password. Once changed, it is possible to log in interactively. However, Microsoft does not recommend this, and in fact the best practice is to disable them for sign-in. However, if you want to be able to peer into this mailbox on the go, or you have a third-party app that needs to sign in to the mailbox, for instance, then you cannot disable sign-in. If possible you should at least disable basic auth and POP/IMAP on the account. And/or consider a conditional access policy that would restrict the overall exposure.

Assuming you can mitigate your risks as to the above (and do you really want a shared password out there in the wild?), there is still another problem we need to work around.

An interactive mailbox must be a licensed mailbox.

You see, Microsoft does not normally require you to license shared mailboxes: UNLESS of course, you need to start using that shared mailbox more like a real mailbox. There are other licensing considerations if you need to assign it an archive mailbox, or use litigation hold.

So often we end up taking this great feature that doesn’t require any licensing, but then we started using it in such a way that it does require licensing. Oh and as we have learned, it is also often a serious compromise that we make when it comes to security. So now you are also paying for that security hole–it’s like adding insult to injury.

Why you should consider Outlook Groups instead

These have most of the benefits we are typically looking for in a shared mailbox with none of the drawbacks.

- Receive mail from both inside and outside the company (an admin is required to turn the external piece on).
- We can still send as or send on behalf of the group’s email address.
- We still have a shared calendar (but no contacts, tasks, etc.)

And now look at all the other benefits on top of that:

- Members of the group can choose to receive inbox notifications when new messages are sent to the mailbox, or not–their choice.
- Membership can be managed by those who own the function, so they do not have to involve IT to make changes.
- You can invite external members to collaborate in a group.
- Groups are natively accessible on the Outlook mobile app.
- There are other work spaces like Planner, a OneNote notebook, a SharePoint file library and so on, that the members of the group can use to collaborate regarding their shared function/responsibilities.
- Bonus! And perhaps best of all: no associated user account to manage, secure or license.

Some people get confused when I suggest replacing shared mailboxes with Outlook groups. There are a couple of reasons for this, that I think we should cover.

Reason #1: They aren’t really thinking about a shared mailbox, they are thinking of a real mailbox

Some implementations of shared mailboxes aren’t really shared mailboxes at all. They may be designated as shared, but in reality they are real mailboxes that happen to be shared. An example of this is any line of business application that needs to sign in and interact with the contents of a mailbox. Sorry, but if you need that kind of functionality, then it should really be a user mailbox, not a shared mailbox. User mailboxes can still be delegated with full access, send as, send on behalf and all that–but since you need to have it licensed anyways it is actually a full user mailbox–it is just being mis-categorized as shared.
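
For shared mailboxes that stay in place, the mitigations mentioned in this post (block sign-in, disable POP/IMAP) can be checked across the whole tenant. The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules, and its rule of blocking sign-in only on unlicensed shared mailboxes is an assumption drawn from the licensing point above.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph.Users modules are installed. Read-only unless -Remediate is given.
param([switch]$Remediate)

$scope = if ($Remediate) { 'User.ReadWrite.All' } else { 'User.Read.All' }
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes $scope

# One row per shared mailbox: sign-in state, licensing, and legacy protocol switches.
$report = foreach ($mbx in Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $cas  = Get-CASMailbox -Identity $mbx.UserPrincipalName
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property AccountEnabled,AssignedLicenses
    [pscustomobject]@{
        Mailbox       = $mbx.UserPrincipalName
        ObjectId      = $mbx.ExternalDirectoryObjectId
        SignInEnabled = [bool]$user.AccountEnabled
        Licensed      = (@($user.AssignedLicenses).Count -gt 0)
        PopEnabled    = $cas.PopEnabled
        ImapEnabled   = $cas.ImapEnabled
    }
}

# Findings: legacy protocols still on, or interactive sign-in left enabled.
$findings = $report | Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SignInEnabled }
$findings | Sort-Object Licensed, Mailbox | Format-Table -AutoSize

if ($Remediate) {
    foreach ($row in $findings) {
        if ($row.PopEnabled -or $row.ImapEnabled) {
            Set-CASMailbox -Identity $row.Mailbox -PopEnabled $false -ImapEnabled $false
        }
        # Assumption: a licensed shared mailbox with sign-in enabled is in deliberate
        # interactive use (for example by an application), so it is reported, not blocked.
        if ($row.SignInEnabled -and -not $row.Licensed) {
            Update-MgUser -UserId $row.ObjectId -AccountEnabled:$false
        }
    }
}
```

Rows with SignInEnabled true and Licensed false are the ones that match both the security and the licensing concern described in the post; review the table before running with -Remediate.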