Shared Account Usage in MS Outlook
Computing Services
Technote #632 v1
Title: Shared Account Usage in MS Outlook
Applies to: UofR Employees
Section: File & Deployment
Owner: Director, Communications Infrastructure
Last updated: May 21, 2024
Introduction
Microsoft Exchange has shared mailboxes which by default are more restrictive than the Micro Focus GroupWise implementation of a generic account, which supported either direct login or proxy-based access. The three main scenarios for use of Outlook shared mailboxes, and the pros and cons of each, are described to aid in deciding on the best choice for the circumstances.
Constraints
MFA is being implemented as part of the M365 rollout, as it is a requirement to obtain cyber insurance from almost all insurance companies. Access to email must be protected by MFA. This limits flexibility in the scenario where multiple users were directly logging into an account rather than accessing it via proxy (delegation).
Background
All shared mailboxes have a user account associated with them, but by default they have a random password (if newly created) or the old uregina password (if migrated from GroupWise). By default these accounts are not enabled for direct login. They are not licensed, so they don’t have a mailbox. If an A1 license is added to the account, then direct access to the shared mailbox is an option. If you know the password for the shared mailbox and try to sign in directly at www.outlook.com, you will get an error unless the account has first been licensed and enabled for direct login. MFA set up for the account would also be required.
Scenarios
- Delegate Access: Mailbox monitored by multiple users, no OneDrive access, authentication with sign-in and MFA of the user.
  This is the default where no license is assigned to the account. All users who have delegate access to the shared mailbox can ‘Add Account’ to have the mailbox show along the left side of the Outlook client. Alternatively, they can access it via the web interface. As users log in as themselves before accessing the shared mailbox, it is protected by their account MFA.
- Direct Access: Position-based mailbox used by one primary user, requires OneDrive access, authentication with sign-in and MFA of the shared account.
  If the corresponding shared mailbox is licensed and the password is known, the account can be added to the Outlook client and the email for that account accessed alongside the user’s own mailbox. Note that MFA will have to be configured by the user the first time they log in to the account. As M365 does not support multiple phones being added to an account, this effectively limits direct access to one primary user.
- Mixed Access: Position-based mailbox used by one primary user, but also requires shared access delegated to other users.
  One primary user can directly access a mailbox while others access it via delegate permissions. This may work well where a position with a shared account (like the Provost) requires direct access including OneDrive storage, but the Executive Assistant needs to access the calendar to schedule meetings on the Provost’s behalf. Only the primary user would sign in to the account directly; others would Add Account in Outlook but authenticate with their own username@uregina.ca, password and MFA.
Pros & Cons
The pros and cons for the three scenarios are described.
| Pro/Con | All Access via Delegation | All Access via Direct Login | Mixed Access |
|---|---|---|---|
| Protected by MFA | Yes | Yes | Yes |
| More than one user can access | Yes | No | Yes |
| Delegation setup required | Yes | No | Yes |
| Licensing/Password setup required | No | Yes | Yes, for direct access user |
| Access to OneDrive available | No | Yes | Yes, although direct user could share folders with delegates |
| Easily accessed on phone | Requires Outlook app and switching to shared mailbox | Yes, separate mailbox in mail app | Easy for the direct user; delegate access requires Outlook app |
| Easy transfer to new owner/delegates | Yes, requires ticket to adjust delegate access | Requires that the password be changed and a ticket to remove the existing MFA setup from the account | Requires both actions from first two columns |
| Additional yearly password change | No | Yes | Yes |
| Email automatically sent with shared mailbox address in the FROM: | Yes | Yes | Yes |
| Sent email only shows in shared account Sent Items | Yes | Yes | Yes |
Licensing
Shared mailboxes are limited to 50 GB, but this can be increased to 100 GB with the addition of an A3 license (requires a Footprints ticket).
Automapping Disabled
When Automapping is enabled, shared accounts a user has delegate access to show up automatically on the left side in the MS Outlook software app. When disabled, the user needs to individually Add Account for any they wish to have showing. It was determined that with Automapping enabled, items default as ‘From’ the user and Sent Items and Deleted items show in the user’s personal account, with only a copy going to the shared account. For these reasons, Automapping has been disabled and will not be used.
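As an added example (not part of the technote), the following PowerShell inventories the tenant’s shared mailboxes against the three scenarios described above and grants delegate access with automapping disabled as this section prescribes. The function names are hypothetical, and it assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules with sessions already connected via Connect-ExchangeOnline and Connect-MgGraph.

```powershell
# Added example, not from the technote. Assumes ExchangeOnlineManagement and
# Microsoft.Graph.Users are loaded and connected (Connect-MgGraph -Scopes User.Read.All).

function Get-SharedMailboxScenario {
    # One record per shared mailbox: FullAccess delegates, whether the underlying
    # account can sign in directly, and which technote scenario that implies.
    $shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
    foreach ($mbx in $shared) {
        # Delegates are explicit FullAccess grants; skip the inherited SELF entry.
        $delegates = @(Get-EXOMailboxPermission -Identity $mbx.Identity |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and
                           -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
            Select-Object -ExpandProperty User)

        # AccountEnabled means the shared account itself can be logged into (Direct
        # Access path); those are the accounts whose own MFA setup must be confirmed.
        $acct = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property AccountEnabled
        $direct = [bool]$acct.AccountEnabled

        $scenario = if ($direct -and $delegates.Count -gt 0) { 'Mixed Access' }
                    elseif ($direct)                          { 'Direct Access' }
                    elseif ($delegates.Count -gt 0)           { 'Delegation' }
                    else                                      { 'No access configured' }

        [pscustomobject]@{
            Mailbox     = $mbx.PrimarySmtpAddress
            DirectLogin = $direct
            Delegates   = ($delegates -join '; ')
            Scenario    = $scenario
        }
    }
}

function Grant-SharedMailboxDelegate {
    # FullAccess with automapping off, as the technote requires: the delegate must
    # "Add Account" in Outlook, and mail sent as the mailbox lands in its Sent Items.
    param(
        [Parameter(Mandatory)][string]$SharedMailbox,
        [Parameter(Mandatory)][string]$Delegate
    )
    Add-MailboxPermission -Identity $SharedMailbox -User $Delegate `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false
    # Send As is a separate right; it is what allows the shared address in FROM:.
    Add-RecipientPermission -Identity $SharedMailbox -Trustee $Delegate `
        -AccessRights SendAs -Confirm:$false
}

Get-SharedMailboxScenario | Sort-Object Scenario | Format-Table -AutoSize
```

Mailboxes reported as Direct Access or Mixed Access are the ones where the shared account’s own license and MFA registration, not just the delegates’, need to be checked.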
Conclusion
An explanation of shared mailboxes in M365 is provided along with pros and cons for various scenarios.
Revision History:
V0, 2024-05-03, Initial version
V1, 2024-05-21, Clarification of scenarios