Forum Discussion

JonasBack
Steel Contributor
Oct 31, 2018

Shared Mailbox can have a password and login enabled without license

I'm very much aware of the license requirements for Shared Mailboxes in Exchange Online, and for all Shared Mailboxes we always give licensed users access to them. If we need to log in to the actual shared mailbox, we assign it a license. This could be necessary if you also have some 3rd party application that actually needs to log in to the mailbox and fetch e-mail for some reason.

I have recently realized that you CAN actually set a password for a Shared Mailbox. Just go to admin.microsoft.com > Users > Active Users > select the Shared Mailbox > Reset password. After this, you can log in with the username/password. Of course, if you access it via portal.office.com you won't see Outlook, but if you go directly to outlook.office365.com you will get access to the mailbox.

Anyone know anything more about this feature? Limitations?

I'm not looking to break the licensing terms, all our physical users for all our customers have their own personal accounts but there are scenarios where you have a 3rd party application accessing the mailbox for some reason.

  • This "feature" has been around for years, but despite probing Microsoft numerous times about it, we haven't received a clear answer. Until we do so, assume that it's unsupported, and that it breaks the license agreement.

    Applications should still be able to access the mailbox via delegate/impersonation permissions.

    AliceVi
    Copper Contributor
    Hi there,
    It seems like Microsoft patched this function, and it's been a few months.
    It's no longer possible now, sadly.
    We used this to avoid using a generic account or giving out 20+ licenses for every operator, but I guess that was not the best workaround!
      ArendvanDijk
      Brass Contributor
      Just tested: by default the user object of a Shared Mailbox is still enabled and can be used for interactive login. Why does Microsoft do this and then recommend that it is better to disable this user object? (https://learn.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide#block-sign-in-for-the-shared-mailbox-account).

      Surely it makes much more sense to automatically disable the corresponding user object when creating a Shared Mailbox? Sometimes Microsoft's choices are incomprehensible...
        TherealKillerbe
        Brass Contributor
        Exchange Online uses a separate identity provider from Entra ID. When you get the shared mailbox, you will see that the identity of the shared mailbox is disabled in the IdP used by Exchange Online:
        (Get-Mailbox email address removed for privacy reasons | Get-User).AccountDisabled = True
        However, the Entra ID account is enabled; the identity in the IdP for Exchange is synced from Entra ID, but the account state isn't:
        (Get-MgBetaUser -Filter "UserPrincipalName eq 'email address removed for privacy reasons'").AccountEnabled = True
        Even more confusing, using Microsoft.Graph (v1.0) does not return any value:
        (Get-MgUser -Filter "UserPrincipalName eq 'email address removed for privacy reasons'").AccountEnabled =
        However, Entra ID shows that the account is enabled.
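
As an added example (not code from any poster in this thread), the following PowerShell audit does the comparison described above for every shared mailbox in the tenant: it reads the Exchange-side AccountDisabled flag, reads the Entra ID AccountEnabled flag (requested explicitly, because Get-MgUser does not return it by default, which is why the v1.0 call above shows nothing), and optionally blocks sign-in, which is what the Microsoft doc linked earlier recommends. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that Connect-ExchangeOnline and Connect-MgGraph -Scopes 'User.ReadWrite.All' have already been run; the -Fix switch is this script's own.

```powershell
# Added example (not from any poster): audit every shared mailbox for the state mismatch described
# above and, optionally, block sign-in. Assumes Connect-ExchangeOnline and
# Connect-MgGraph -Scopes 'User.ReadWrite.All' have already been run; -Fix is this script's own switch.
param([switch] $Fix)

$report = foreach ($mbx in Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # Exchange Online's own directory: a shared mailbox is created with its account disabled here
    $exoUser = Get-User -Identity $mbx.UserPrincipalName

    # Entra ID: accountEnabled is not in the default property set, so ask for it explicitly
    # (that is why Get-MgUser without -Property shows an empty AccountEnabled)
    $entraUser = Get-MgUser -UserId $mbx.UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled

    [pscustomobject]@{
        Mailbox             = $mbx.PrimarySmtpAddress
        ObjectId            = $entraUser.Id
        ExoAccountDisabled  = $exoUser.AccountDisabled
        EntraAccountEnabled = $entraUser.AccountEnabled
        # Interactive logon works as soon as someone sets a password, regardless of the Exchange flag
        SignInPossible      = [bool] $entraUser.AccountEnabled
    }
}

$report | Sort-Object Mailbox | Format-Table -AutoSize

if ($Fix) {
    foreach ($row in $report | Where-Object SignInPossible) {
        # Same change the admin center makes under "Block sign-in"; delegates keep Full Access
        Update-MgUser -UserId $row.ObjectId -AccountEnabled:$false
        Write-Host "Blocked sign-in for $($row.Mailbox)"
    }
}
```

Run it once without -Fix to see which shared mailboxes have ExoAccountDisabled = True but EntraAccountEnabled = True (the exact mismatch the post describes), then with -Fix to block sign-in on those accounts. Blocking sign-in does not affect users who reach the mailbox through delegated permissions; it only removes the password-logon path that bypasses whatever MFA policy applies to real users.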
  • Whether licensed or not, we have seen that users can log in directly to a shared mailbox with credentials. It is actually a big problem, as the expectation is that they can't access them with a password, and then we also don't apply MFA to them.

      hbilke
      Copper Contributor
      Brian_Thomas_Grant and others

      The funny thing is (just checked twice):

      O365 / EOL:
      Created a shared mailbox
      Assigned access rights and mail addresses
      OK
      Users: new account w/o assigned license appears / is created
      Login is NOT disabled

      HT? What is this?

      hRy

  • You can actually access a shared mailbox without any workaround or license assignment etc.

    Just delegate a licensed user with Full Access to that shared mailbox, configure the shared mailbox in Outlook or on a mobile device, and authenticate with the credentials of the licensed, delegated user.

    In my humble opinion, that way you don't break any license agreement, as the user that represents the shared mailbox stays disabled in AD and the user who accesses the mailbox is licensed and delegated.

    Kind regards
    Spikar
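
The delegation Spikar describes (and the "delegate/impersonation permissions" route mentioned earlier in the thread for applications), as an added example that is not any poster's code: a licensed service account is granted Full Access (and optionally Send As) on the shared mailbox, so the application or mobile client signs in with the service account's credentials and opens the shared mailbox as a delegate. It assumes Connect-ExchangeOnline has been run; both addresses below are placeholders.

```powershell
# Added example (not Spikar's code): grant a licensed service account delegated access to a shared
# mailbox so that applications and devices authenticate as the delegate, never as the shared mailbox.
# Assumes Connect-ExchangeOnline; both addresses are placeholders.
$Shared   = 'helpdesk@contoso.com'        # the shared mailbox (its own account stays blocked)
$Delegate = 'svc-mailparser@contoso.com'  # licensed account whose credentials the app/device will use

# Full Access lets the delegate open the mailbox over every client protocol (Outlook, Outlook mobile,
# EWS, Graph delegated). AutoMapping $false stops Outlook from auto-adding it to every profile.
Add-MailboxPermission -Identity $Shared -User $Delegate -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $false

# Send As only if the application has to reply from the shared address.
Add-RecipientPermission -Identity $Shared -Trustee $Delegate -AccessRights SendAs -Confirm:$false

# Verify: apart from NT AUTHORITY\SELF, only the intended delegates should hold explicit Full Access.
Get-MailboxPermission -Identity $Shared |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights

# Same check for Send As, since that right is easy to forget when reviewing who can act as the mailbox.
Get-RecipientPermission -Identity $Shared |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights
```

For the mobile case from the thread: Outlook for iOS/Android adds a shared mailbox under "Add shared mailbox" using the already-signed-in delegate account, so the only credential on the device is the delegate's, and the tenant's MFA and Conditional Access policies apply to that sign-in. The shared mailbox's own account never needs a password or a license for this.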
    Todd Harrison
    Brass Contributor

    Hi,

    Sorry for the stupid follow-up question, but when you say "we assigned them a license", what exactly are you assigning the license to? Is it the associated "user" account that is tied to the shared mailbox?

    I have a situation where I need a 3rd party app to log into the shared mailbox and parse the emails contained within. This application requires a username and a password to be provided to be able to connect, and I am struggling a little to figure out what credentials I should be providing.

    I am not an Exchange expert so I apologize if this is something straight forward to do.

    • A user object (in this case the user account representing the shared mailbox) that uses its own password to access a cloud resource (in this case its own mailbox) by whatever protocol requires a license.

      If the shared mailbox object is synchronized using AAD Connect, you must enable the user object in the local Active Directory and set a password, synchronize the object and assign a license.

      If the shared mailbox object is a cloud-only object, assign a license and set the password.

      -Thomas 
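
The two procedures Thomas lists, as an added example that is not his code: one script with a -DirectorySynced switch for the AAD Connect case (enable and set the password on-premises, then run a delta sync) and a cloud-only branch (enable and set the password in Entra ID), followed by the license assignment both cases need. It assumes an admin Graph session (Connect-MgGraph with User.ReadWrite.All, Organization.Read.All and Directory.AccessAsUser.All for the cloud password set), the RSAT ActiveDirectory module for the synced case, and placeholder values for the AAD Connect host, SKU and usage location.

```powershell
# Added example (not the poster's code): the two procedures described above, for the case where the
# shared mailbox account itself must sign in and therefore needs a license.
# Assumptions: an admin Graph session (User.ReadWrite.All, Organization.Read.All and
# Directory.AccessAsUser.All for the password set), the RSAT ActiveDirectory module for the
# synced case, and the host/SKU/location values below, which are placeholders.
param(
    [Parameter(Mandatory)] [string] $Upn,           # e.g. helpdesk@contoso.com
    [switch] $DirectorySynced,                      # set when the object comes from on-premises AD
    [string] $AadConnectServer = 'AADCONNECT01',    # placeholder
    [string] $SkuPartNumber    = 'EXCHANGESTANDARD',# placeholder: Exchange Online (Plan 1)
    [string] $UsageLocation    = 'US'               # must be set before any license can be assigned
)

$newPassword = Read-Host -AsSecureString 'New password for the shared mailbox account'

if ($DirectorySynced) {
    # Case 1: enable and set the password on-premises. Entra refuses a cloud password reset for a
    # synced object (unless password writeback is configured), and accountEnabled is synced down too.
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
    Set-ADAccountPassword -Identity $adUser -Reset -NewPassword $newPassword
    Enable-ADAccount -Identity $adUser
    Invoke-Command -ComputerName $AadConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
    Write-Host 'Delta sync started; wait for it to finish before the license assignment below.'
    Update-MgUser -UserId $Upn -UsageLocation $UsageLocation   # usageLocation is cloud-managed
}
else {
    # Case 2: cloud-only object; enable it and set the password directly in Entra ID.
    $plain = [System.Net.NetworkCredential]::new('', $newPassword).Password   # Graph needs clear text
    Update-MgUser -UserId $Upn -AccountEnabled:$true -UsageLocation $UsageLocation -PasswordProfile @{
        Password                     = $plain
        ForceChangePasswordNextSignIn = $false
    }
}

# Both cases: assign the license. Without a UsageLocation the assignment is rejected.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
Set-MgUserLicense -UserId $Upn -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# The account is now an ordinary licensed identity with a password: make sure Conditional Access /
# MFA policies cover it, since that is exactly the gap described earlier in this thread.
Get-MgUser -UserId $Upn -Property UserPrincipalName,AccountEnabled,UsageLocation,AssignedLicenses |
    Select-Object UserPrincipalName, AccountEnabled, UsageLocation,
        @{ n = 'SkuIds'; e = { $_.AssignedLicenses.SkuId } }
```

Once this has been done the object is no longer a "shared mailbox account" in any security-relevant sense: it is a password-bearing, licensed identity, so it should be treated like any other service account (strong secret, MFA or Conditional Access scoped to it, and a review of who knows the password).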

        Brent Berwick
        Copper Contributor

        If it requires a license and has to be enabled, is there any point in actually using a shared mailbox to begin with?

        We recently set up a shared mailbox but need to be able to add it to an iOS device for mobile mail.  Turns out that is not possible without going the route discussed here.  The more I'm looking in to it the more I'm realizing I don't see the point in using the shared mailbox to begin with.

  • Hi Jonas.

    Did you perform the conversion of a shared mailbox to a General mailbox?

      JonasBack
      Steel Contributor
      No, it's still a Shared Mailbox, so it's still available in admin.microsoft.com > Groups > Shared Mailboxes as well.
  • Interesting. My approach usually is to create a "service account mailbox" (with license) to access shared mailboxes for applications.

    Here is a passage from

    https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits

    Note

    A shared mailbox is not designed for direct logon. The user account for the shared mailbox itself should stay in a Disabled (or "disconnected") state.

    So while it might be technically possible, especially for applications you need to either license the mailbox or use a separate licensed mailbox for the shared mailbox access.

    Quadrotech - Management, Reporting and Migration for Office 365
