Forum Discussion
User with full access to shared mailbox can't open protected email in Outlook
I have applied the Do Not Forward information protection template to messages addressed to a shared mailbox. When a user who has full access rights to the shared mailbox tries to open one of these protected messages in Outlook, she gets a message stating that she doesn't have permission to open it. If she opens the shared mailbox in OWA and opens the email from there, it opens and displays successfully.
Should she be able to open a protected message from a shared mailbox that she has full access rights to? Why would Outlook say she doesn't have permission? What can I do to allow her access to the messages using Outlook?
14 Replies
- Esaggese (Iron Contributor)
Hi!
The current model is that a user only has access to content that grants rights to the user's identity or a group that contains that user's identity. Since granting rights to a shared mailbox does not make the user a member of a group, this doesn't allow the user of a shared mailbox to gain access to content that grants rights only to that mailbox.
We are currently working on addressing this scenario (grant users of a shared mailbox access to protected content sent to the mailbox). Please note that this is only an issue for Do Not Forward, since for labels with admin-defined permissions it is easy to address by adding the users of the mailbox to the policy.
No ETA yet, but this work is well under way.
For other Delegated Access scenarios (e.g. admin assistant) we intend to provide administrator-level control to define whether access should be granted or not, but this is further down the road.
Hope this helps.
- Steve Whitcher (Bronze Contributor)
Thanks for the explanation, Esaggese. I still have a couple of questions about this situation that I hope you can clarify.
Why is it that if the user opens Outlook on the web and opens the shared mailbox from there, they are able to view the protected email messages? If they don't have rights to access the content, I wouldn't expect it to work there either.
Second, you mentioned adding a user to a group as a way that they get rights to the content. If I assigned a group full access rights to the shared mailbox and added the users to the group, would that allow them access to the content? Based on what you've said, I don't think so, but wanted to be sure.
We had initially tried creating this mailbox as an O365 Group, which it sounds like would have worked better with the content protection. Unfortunately, we have a hybrid Exchange environment configured with centralized mail flow. We couldn't get external email delivered to the group, and after searching through the documentation I discovered that is a known issue with this configuration. That's why we ended up deleting the group and going with a shared mailbox instead.
Thanks!
Steve
- Esaggese (Iron Contributor)
There are two primary ways to establish delegated access to a mailbox.
One is OWA delegation; in this case, the delegated user logs in as Delegated, which does not grant access to the mailbox's email either in OWA or in Outlook.
The other scenario is mailbox delegation from ECP. In that case, when logging in through OWA, the user will request licenses in the context of the mailbox, and as such the user will get access to content protected for the mailbox.
We are working on bringing these behaviors into alignment, so that both through OWA and through Outlook you can control whether the user with delegated access to a mailbox is granted licenses to the content protected to the mailbox.
Regarding a group, what you describe would still not work, since even using a group, rights have only been granted to the mailbox, not to the group, so only the mailbox, and not the groups of which the mailbox is part, get access.
Yes, using an O365 group would have addressed this better than a shared mailbox, but we realize that solution is not ideal for all scenarios, so we are working to enable the shared mailbox users to get access to content in the mailbox regardless of the client. Hopefully we will have this ready in coming months.
HTH
- Valon_Kolica (Iron Contributor)