Forum Discussion
User with full access to shared mailbox can't open protected email in Outlook
Thanks for the explanation Esaggese. I still have a couple of questions about this situation that I hope you can clarify.
Why is it that if the user opens Outlook on the web and opens the shared mailbox from there, they are able to view the protected email messages? If they don't have rights to access the content, I wouldn't expect it to work there either.
Second, you mentioned adding a user to a group as a way that they get rights to the content. If I assigned a group full access rights to the shared mailbox and added the users to the group, would that allow them access to the content? Based on what you've said, I don't think so, but wanted to be sure.
We had initially tried creating this mailbox as an O365 Group, which it sounds like would have worked better with the content protection. Unfortunately, we have a hybrid Exchange environment configured with centralized mail flow. We couldn't get external email delivered to the group, and after searching through the documentation I discovered that is a known issue with this configuration. That's why we ended up deleting the group and going with a shared mailbox instead.
Thanks!
Steve
There are two primary ways to establish delegated access to a mailbox.
One is OWA delegation; in this case, the delegated user logs in as Delegated, which does not grant access to the mailbox's protected email, either in OWA or in Outlook.
The other scenario is mailbox delegation from ECP. In that case, when logging in through OWA, the user will request licenses in the context of the mailbox, and as such the user will get access to content protected for the mailbox.
We are working to bring these behaviors into alignment, so that, both through OWA and through Outlook, you can control whether the user with delegated access to a mailbox is granted licenses to the content protected to the mailbox.
Regarding a group, what you describe would still not work, since even using a group, rights have only been granted to the mailbox, not to the group, so only the mailbox, and not the groups of which the mailbox is part, gets access.
Yes, using an O365 group would have addressed this better than a shared mailbox, but we realize that solution is not ideal for all scenarios, so we are working to enable the shared mailbox users to get access to content in the mailbox regardless of the client. Hopefully we will have this ready in coming months.
HTH
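The distinction drawn above (rights granted directly to a user on the mailbox versus rights that only reach a user through a group) is something an administrator can audit. The following PowerShell is an added example written for this thread; it is not Microsoft's code and not something any participant posted. It assumes the ExchangeOnlineManagement module is installed, that the caller holds a role permitted to run Get-MailboxPermission and Get-Recipient, and uses a placeholder mailbox address. It lists every explicit FullAccess grant on a shared mailbox and labels each grantee as a direct user or a group, so you can see who would be able to open protected mail through OWA per the behaviour described in this reply.

```powershell
# Added example (not from the thread or from Microsoft): audit FullAccess grants
# on a shared mailbox and separate direct user grants from group-based grants.
# Assumptions: ExchangeOnlineManagement module installed; caller can run
# Get-MailboxPermission and Get-Recipient; the address below is a placeholder.
param(
    [string]$SharedMailbox = "shared-mailbox@contoso.example"   # placeholder
)

Connect-ExchangeOnline -ShowBanner:$false

# Explicit (non-inherited) FullAccess entries, skipping Deny entries and the
# SELF entry that every mailbox carries.
$grants = Get-MailboxPermission -Identity $SharedMailbox |
    Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notmatch '^(NT AUTHORITY\\)?SELF$'
    }

$report = foreach ($g in $grants) {
    # Resolve the grantee; group recipient types contain "Group"
    # (e.g. MailUniversalSecurityGroup, GroupMailbox).
    $recipient = Get-Recipient -Identity $g.User -ErrorAction SilentlyContinue
    $isGroup   = ($null -ne $recipient) -and ($recipient.RecipientTypeDetails -match 'Group')

    if ($isGroup) {
        $grantType = 'Group'
        # Per the reply above: rights flow to the mailbox, not to the group,
        # so group members do not get licences for protected content.
        $note = 'Members do not receive protected-content access via this grant'
    } else {
        $grantType = 'Direct'
        # Per the reply above: a directly delegated user requests licences in
        # the mailbox context through OWA and can open protected mail there.
        $note = 'User can open protected mail via OWA'
    }

    [pscustomobject]@{
        Mailbox   = $SharedMailbox
        Grantee   = $g.User
        GrantType = $grantType
        Note      = $note
    }
}

$report | Format-Table -AutoSize
```

Run it against each shared mailbox that receives protected content; the Direct rows are the delegates whose OWA access to protected mail you may want to review, while the Group rows are the ones this thread says do not yet receive that access.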
- Rick, May 05, 2020, Copper Contributor
Hi Esaggese
I'd also like to follow up on this thread, as we need to prevent our assistants with delegated full-access permissions from accessing other users' (lawyers') protected mails through OWA.
The issue is also referenced here:
https://office365.uservoice.com/forums/928576-microsoft-information-protection-mip/suggestions/33578686-prevent-fullaccess-delegated-users-to-read-protect
Is there anything we can do about this other than completely disabling OWA access?!
Kind regards
Patrick
- Jason Katz, Nov 25, 2019, Copper Contributor
Hi Esaggese,
I wanted to follow up on this thread as it has been several months now. You had mentioned in March of this year:
"For other Delegated Access scenarios (e.g. admin assistant) we intend to provide administrator-level control to define whether access should be granted or not, but this is further down the road.
Hope this helps."
Have there been any updates regarding development on this? Essentially, I'm curious if there is a way to PREVENT certain admin assistants who normally have full control as a delegate of the mailbox from reading certain messages. So emails marked with a certain policy would only be available to open by the user's mailbox, with the admin unable to read/view.
Thank you and I look forward to hearing from you.
- ScottVAMT, Jan 07, 2020, Copper Contributor
I would also like to know if there has been any update to this. Thank you.
- Esaggese, Jan 08, 2020, Iron Contributor
ScottVAMT, access to protected content sent to a shared mailbox is in the market now for users who are directly granted access to the mailbox. We still don't have a solution for users that are granted access to the mailbox via a group. We will continue working on it.