Forum Discussion
Matt Ahern (Copper Contributor)
Feb 01, 2018
Managing delegated access
Hi All,
I am interested in how admins are allowing 'owners' of shared mailboxes to self-administer. I am in the process of migrating from G Suite to o365, so I am investigating ways this can be done.
At the moment in Gmail I have shared mailboxes that 'owners' self-manage. An 'owner' is identified as a person who has 'manage and edit' rights to the mailbox's calendar. So when the 'owner' logs into a web app there is an API call that looks up the calendars they manage and edit. They can then manage access to the corresponding mailboxes. They add/remove other users and a privileged account makes the updates via API calls.
When I migrate to o365 I want to replicate this type of workflow in some manner so that o365 admins don't have to manage the access rights. I have 1500 'shared' mailboxes in G Suite so there is a fair bit of admin involved. The shared mailboxes will probably be a combination of o365 shared mailboxes and user mailboxes. This is because I don't want to pay for a license for each shared mailbox but some require credentials so they can be authenticated to an app.
Any insight into how you are doing this would be appreciated.
Thanks,
Matt
- Matt Ahern (Copper Contributor)
Closing the loop on this one - we are using mail-enabled security groups to manage access to shared mailboxes.
A group has read and manage and send on behalf access to a shared mailbox. Any member can access and send email on behalf of the shared mailbox, and the owner of the group can add/remove members.
It was the simplest scalable solution we could find (~2000 shared mailboxes). It does mean you have lots of groups, but a group owner is able to manage it through OWA without needing to contact the help desk.
I would suggest that you also look at Office 365 Groups, as they might be a good fit for some scenarios. They are designed with self-service management in mind; however, they might lack some capabilities compared to shared mailboxes (exposing additional folders, for example).
- In your migration planning, bear in mind that in Office 365 Shared Mailboxes do not have a set of credentials; access to them is granted by setting the required permissions. In regard to self-capabilities for end users to configure access to mailboxes, I'm not aware of a way to do it and I think you need to have a minimum role in Office 365 to do it: https://support.office.com/en-us/article/give-mailbox-permissions-to-another-user-in-office-365-admin-help-1dbcf12f-a9de-4d1d-b0b3-a227f8a736d8
- Matt Ahern (Copper Contributor)
Thanks Juan.
I am aware that shared mailboxes don't have credentials. For the mailboxes that require credentials and delegated permissions I will be assigning a user license. For those that just require a mailbox that is under 50 GB I will configure a shared mailbox.
There might be a different management process for each one of those scenarios.
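
The mail-enabled security group approach described in the thread can be set up per shared mailbox roughly as follows. This is an added example, not code posted by any participant; it assumes an already connected Exchange Online PowerShell session with rights to create groups and set mailbox permissions, and every mailbox, group and user name in it is a hypothetical placeholder. "Read and manage" in the admin center corresponds to the `FullAccess` right used here.

```powershell
# Added example: one access group per shared mailbox, membership delegated to an owner.
# All identities below are hypothetical placeholders.
$SharedMailbox = 'sales@contoso.example'      # existing shared mailbox
$GroupName     = 'SMBX-sales-access'          # naming convention is an assumption
$GroupOwner    = 'owner@contoso.example'      # person who self-manages membership
$Members       = 'user1@contoso.example', 'user2@contoso.example'

# 1. Mail-enabled security group. The ManagedBy owner can add/remove members
#    without holding an admin role. Join and depart are closed so that membership
#    changes only through the owner (or an admin), never by self-enrolment.
New-DistributionGroup -Name $GroupName -Type Security `
    -ManagedBy $GroupOwner -Members $Members `
    -MemberJoinRestriction Closed -MemberDepartRestriction Closed | Out-Null

# 2. Grant the group (not individual users) Full Access to the shared mailbox.
#    A newly created group can take a short while to become resolvable.
#    Outlook auto-mapping does not apply to grants made to a group, so members
#    add the mailbox to their profile themselves.
Add-MailboxPermission -Identity $SharedMailbox -User $GroupName `
    -AccessRights FullAccess -InheritanceType All | Out-Null

# 3. Grant the group Send on Behalf. The hashtable form appends to the list
#    instead of overwriting existing delegates.
Set-Mailbox -Identity $SharedMailbox -GrantSendOnBehalfTo @{ Add = $GroupName }

# 4. Review: explicit (non-inherited) grants on the mailbox. Anything listed
#    here other than the access group is a direct grant that bypasses the
#    owner-managed membership and should be justified or removed.
Get-MailboxPermission -Identity $SharedMailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights, Deny

# 5. Review: who holds access through the group right now, who can change that,
#    and who may send on behalf of the mailbox.
Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, RecipientType
Get-DistributionGroup -Identity $GroupName | Select-Object Name, ManagedBy
Get-Mailbox -Identity $SharedMailbox | Select-Object Name, GrantSendOnBehalfTo
```

Because the group owner effectively controls who can read and send from the mailbox, steps 4 and 5 are worth running periodically across all shared mailboxes rather than only at creation time.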