
Shared Account Usage in MS Outlook

Computing Services

Technote #632 v1

Title: Shared Account Usage in MS Outlook
Applies to: UofR Employees
Section: File & Deployment
Owner: Director, Communications Infrastructure
 
Last updated: May 21, 2024


Introduction
Microsoft Exchange shared mailboxes are, by default, more restrictive than the Micro Focus GroupWise implementation of a generic account, which supports either direct login or proxy-based access. This note describes the three main scenarios for using Outlook shared mailboxes, with the pros and cons of each, to aid in deciding on the best choice for the circumstances.

Constraints

MFA is being implemented as part of the M365 rollout because it is a requirement for obtaining cyber insurance from almost all insurance companies. Access to email must be protected by MFA. This limits flexibility in the implementation scenario where multiple users were logging directly into an account rather than accessing it via proxy (delegation).

Background

All shared mailboxes have a user account associated with them, but by default that account has a random password (if newly created) or the old uregina password (if migrated from GroupWise). By default these accounts are not enabled for direct login. They are not licensed so they don’t have a mailbox. If an A1 license is added to the account, then direct access to the shared mailbox is an option. If you know the password for the shared mailbox and try to Sign In directly at www.outlook.com, you will get an error unless the account has first been licensed and enabled for direct login. MFA setup for the account would also be required.

Scenarios

  1. Delegate Access: Mailbox monitored by multiple users, no OneDrive access, authentication with Sign In and MFA of the user
    This is the default, where no license is assigned to the account. All users who have delegate access to the shared mailbox can ‘Add Account’ to have the mailbox show along the left side of the Outlook client. Alternatively, they can access it via the web interface. Because users log in as themselves before accessing the shared mailbox, it is protected by their own account MFA.
  2. Direct Access: Position-based mailbox used by one primary user, requires OneDrive access, authentication with Sign In and MFA of the shared account
    If the corresponding shared mailbox is licensed and the password is known, then the account can be added to the Outlook client and the email for that account accessed within the user’s mailbox. Note that MFA will have to be configured by the user the first time they log in to the account. As M365 does not support multiple phones being added to an account, this effectively limits direct access to one primary user.
  3. Mixed Access: Position-based mailbox used by one primary user, but also requires shared access delegated to other users
    One primary user can directly access a mailbox while others access the mailbox via delegate permissions. This may work well where a position with a shared account (like Provost) requires direct access including OneDrive storage, but the Executive Assistant needs to access the calendar to schedule meetings on the Provost’s behalf. Only the primary user would Sign In to the account directly; others would Add Account to Outlook but authenticate with their own username@uregina.ca, password and MFA.

Pros & Cons

The pros and cons for the three scenarios are described.

| Pro/Con | All Access via Delegation | All Access via Direct Login | Mixed Access |
|---|---|---|---|
| Protected by MFA | Yes | Yes | Yes |
| More than one user can access | Yes | No | Yes |
| Delegation setup required | Yes | No | Yes |
| Licensing/Password setup required | No | Yes | Yes, for direct access user |
| Access to OneDrive available | No | Yes | Yes, available to direct user only, although direct user could share folders with delegates |
| Easily accessed on phone | Requires Outlook app and switching to shared mailbox | Yes, can be added as a separate mailbox in mail app | Easy for the direct user; delegate access requires Outlook app |
| Easy transfer to new owner/delegates | Yes, requires ticket to adjust delegate access | Requires that the password be changed and a ticket to remove the existing MFA setup from the account | Requires both actions from first two columns |
| Additional yearly password change | No | Yes | Yes, direct access user only |
| Email automatically sent with shared mailbox address in the FROM: | Yes | Yes | Yes |
| Sent email only shows in shared account sent items | Yes | Yes | Yes |

Licensing

Shared mailboxes are limited to 50GB, but this can be increased to 100GB with the addition of an A3 license (requires a Footprints ticket).

Automapping Disabled

When Automapping is enabled, the shared accounts to which a user has delegate access show up automatically on the left side of the MS Outlook software app. When it is disabled, the user needs to individually Add Account for any they wish to have showing. It was determined that with Automapping enabled, items default to being ‘From’ the user, and Sent Items and Deleted Items show in the user’s personal account, with only a copy going to the shared account. For these reasons, Automapping has been disabled and will not be used.

Conclusion

An explanation of shared mailboxes in M365 is provided along with pros and cons for various scenarios.

Revision History:

V0, 2024-05-03, Initial version

V1, 2024-05-21, Clarification of scenarios