Forum Discussion
User with full access to shared mailbox can't open protected email in Outlook
Hi!
The current model is that a user only has access to content that grants rights to the user's identity or a group that contains that user's identity. Since granting rights to a shared mailbox does not make the user a member of a group, this doesn't allow the user of a shared mailbox to gain access to content that grants rights only to that mailbox.
We are currently working on addressing this scenario (grant users of a shared mailbox access to protected content sent to the mailbox). Please note that this is only an issue for Do Not Forward since for labels with admin defined permissions it is easy to address by adding the users of the mailbox to the policy.
No ETA yet, but this work is well under way.
For other Delegated Access scenarios (e.g. admin assistant) we intend to provide administrator-level control to define whether access should be granted or not, but this is further down the road.
Hope this helps.
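The workaround the reply above describes for labels with admin-defined permissions (grant rights to the delegates' own identities, because a FullAccess grant on the mailbox is not group membership) can be scripted. The following is an added example, not code from the thread or from Microsoft: it assumes open Exchange Online PowerShell and Security & Compliance PowerShell sessions, and `shared@contoso.com` and the label name `Confidential-Shared` are placeholders.

```powershell
# Added example (not from the thread). Assumes Connect-ExchangeOnline and
# Connect-IPPSSession have already been run, and that the mailbox address and
# label name below are placeholders for your own values.
$sharedMailbox = 'shared@contoso.com'
$labelName     = 'Confidential-Shared'

# 1. Enumerate explicit FullAccess delegates on the shared mailbox.
#    Skip inherited entries and the mailbox's own NT AUTHORITY\SELF entry.
$delegates = Get-MailboxPermission -Identity $sharedMailbox |
    Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and
        $_.User -notlike 'NT AUTHORITY\*'
    } |
    Select-Object -ExpandProperty User

# 2. Build the rights definition. Rights are granted to the mailbox identity AND
#    to each delegate identity, which is the point made above: rights granted only
#    to the mailbox do not flow to users who merely hold FullAccess on it.
#    Format is "identity:RIGHT,RIGHT;identity:RIGHT,RIGHT".
$rights = 'VIEW,VIEWRIGHTSDATA,EDIT,DOCEDIT,REPLY,REPLYALL'
$principals  = @($sharedMailbox) + @($delegates)
$definitions = ($principals | ForEach-Object { "$($_):$rights" }) -join ';'

# 3. Apply the rights to the label with admin-defined permissions.
#    The label is assumed to exist already with its other encryption settings configured.
Set-Label -Identity $labelName -EncryptionEnabled $true -EncryptionRightsDefinitions $definitions

# Show what was granted so the change can be reviewed.
$definitions
```

A mail-enabled security group containing the delegates can be used as the principal instead of the individual addresses (`"delegates@contoso.com:$rights"`, a placeholder group), so that adding or removing an assistant changes group membership rather than the label. Note that this only covers labels with admin-defined permissions; as the reply says, Do Not Forward content grants rights to the recipient mailbox alone, and no label edit changes that.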
Thanks for the explanation Esaggese. I still have a couple of questions about this situation that I hope you can clarify.
Why is it that if the user opens Outlook on the web and opens the shared mailbox from there, they are able to view the protected email messages? If they don't have rights to access the content, I wouldn't expect it to work there either.
Second, you mentioned adding a user to a group as a way that they get rights to the content. If I assigned a group full access rights to the shared mailbox and added the users to the group, would that allow them access to the content? Based on what you've said, I don't think so, but wanted to be sure.
We had initially tried creating this mailbox as an O365 Group, which it sounds like would have worked better with the content protection. Unfortunately, we have a hybrid exchange environment configured with centralized mail flow. We couldn't get external email delivered to the group, and after searching through the documentation I discovered that is a known issue with this configuration. That's why we ended up deleting the group and going with a shared mailbox instead.
Thanks!
Steve
- Esaggese, Mar 24, 2019, Iron Contributor
There are two primary ways to establish delegated access to a mailbox.
One is OWA delegation. In this case, the delegated user logs in as Delegated, which does not grant access to the mailbox's email either in OWA or in Outlook.
The other scenario is mailbox delegation from ECP. In that case, when logging in through OWA, the user will request licenses in the context of the mailbox, and as such the user will get access to content protected for the mailbox.
We are working to bring these behaviors into alignment, so that both through OWA and through Outlook you can control whether the user with delegated access to a mailbox is granted licenses to the content protected to the mailbox.
Regarding a group, what you describe would still not work, since even using a group, rights have only been granted to the mailbox, not to the group, so only the mailbox, and not the groups of which the mailbox is part, get access.
Yes, using an O365 group would have addressed this better than a shared mailbox, but we realize that solution is not ideal for all scenarios, so we are working to enable the shared mailbox users to get access to content in the mailbox regardless of the client. Hopefully we will have this ready in coming months.
HTH
- Rick, May 05, 2020, Copper Contributor
Hi Esaggese
I'd also like to follow up on this thread as we need to prevent our assistants with delegated full-access permissions from accessing another user's (lawyer's) protected mails through OWA.
The issue is also referenced here:
https://office365.uservoice.com/forums/928576-microsoft-information-protection-mip/suggestions/33578686-prevent-fullaccess-delegated-users-to-read-protect
Is there anything we can do about this other than completely disabling OWA access?!
Kind regards
Patrick
- Jason Katz, Nov 25, 2019, Copper Contributor
Hi Esaggese,
I wanted to follow up on this thread as it has been several months now. You had mentioned in March of this year:
"For other Delegated Access scenarios (e.g. admin assistant) we intend to provide administrator-level control to define whether access should be granted or not, but this is further down the road.
Hope this helps."
Have there been any updates regarding development on this? Essentially, I'm curious if there is a way to PREVENT certain admin assistants who normally have full control as a delegate of the mailbox from reading certain messages. So emails marked with a certain policy would only be available to open by the user's mailbox, with the admin unable to read/view.
Thank you and I look forward to hearing from you.
- ScottVAMT, Jan 07, 2020, Copper Contributor
I would also like to know if there has been any update to this. Thank you.
- VasilMichev, Mar 24, 2019, MVP
Steve Whitcher I'm travelling right now so I cannot really test this, but here are some thoughts. When it comes to accessing shared mailboxes in Outlook, there are a few different methods. You can access a given folder directly, use the Open another mailbox functionality, or even have the shared mailbox automapped. All of these are practically the same, and they only expose some functionalities in Outlook. On the other hand, you can also add a mailbox as an Additional account (via File -> Add account), which makes Outlook treat it the same as your primary account.
My point being, if you haven't tried this already, try adding the shared mailbox as an additional account. Using the "open another mailbox" functionality in OWA is practically the same method, and since it works OK for you I suspect using the analog in Outlook should work as well.
I suspect it will only apply to features that do not explicitly depend on the AIP add-in though.