How to manage Exchange Online Shared Mailbox like a boss

Manage Microsoft 365 Exchange Online Shared Mailbox

This article is also available in Italian at the following link: Gestire le Shared Mailbox in modo corretto – WindowServer.it

Office 365 Shared Mailboxes are among the tools companies use most, because they let multiple users share a mailbox without having to pay for an actual license. A Shared Mailbox (SM) is a mailbox to all intents and purposes, with its own folder management, but it has no access credentials of its own, which greatly reduces the attack surface.

In this article we will see some best practices to make the most of this tool in a production environment.

Permission

Each user can be delegated in three ways:

  • Read and manage
  • Send as
  • Send on behalf of

The sending delegations do not require the read/manage permission, so a helpdesk operator can send on behalf of the ict@contoso.com mailbox without being able to read the contents of the mailbox (somewhat paradoxical).

Read and manage grants full privileges, which can be a concern for administrators who want to give read-only access to a mailbox (perhaps to a newly arrived intern). This can be solved using PowerShell:

# Mailbox-level right: ReadPermission lets the user read the permissions set on the mailbox
Add-MailboxPermission -Identity SharedMailbox -User upn@domain.com -AccessRights ReadPermission
# Folder-level right: Reviewer makes the folder visible and its items readable, nothing more
Add-MailboxFolderPermission -Identity SharedMailbox:\ -User upn@domain.com -AccessRights Reviewer
Add-MailboxFolderPermission -Identity SharedMailbox:\Inbox -User upn@domain.com -AccessRights Reviewer
Add-MailboxFolderPermission -Identity SharedMailbox:\Outbox -User upn@domain.com -AccessRights Reviewer

Next point: which is better, “send as” or “send on behalf of”? The answer is: it depends.

Send as is a good solution in small scenarios, where it is easy to identify who may have sent a certain email; send on behalf of is instead recommended when you want to make it clear to the outside who is sending the email. This scenario is perfect for helpdesks, marketing or purchasing departments... in short, those places where there are many users and where you want to avoid the “I received an email but I don’t know who it was from”.
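To see which of the three delegation types each user actually holds on every Shared Mailbox, the following audit function can be used. It is an added example, not part of the original article: the function name Get-SharedMailboxDelegation is hypothetical, and it assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline from the ExchangeOnlineManagement module).

```powershell
# Added example: lists every explicit delegation on every Shared Mailbox.
# Assumption: Connect-ExchangeOnline has already been run in this session.
function Get-SharedMailboxDelegation {
    [CmdletBinding()]
    param()

    $shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

    foreach ($mbx in $shared) {
        $id = $mbx.PrimarySmtpAddress

        # "Read and manage" (FullAccess) and any other explicit mailbox-level right.
        # Inherited entries and the mailbox's own SELF entry are skipped.
        Get-MailboxPermission -Identity $id |
            Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox    = $id
                    Delegate   = $_.User
                    Delegation = 'Mailbox: ' + ($_.AccessRights -join ',')
                }
            }

        # "Send as" is stored as a recipient permission, not a mailbox permission.
        Get-RecipientPermission -Identity $id -AccessRights SendAs |
            Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox    = $id
                    Delegate   = $_.Trustee
                    Delegation = 'Send as'
                }
            }

        # "Send on behalf of" is a property of the mailbox itself.
        foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{
                Mailbox    = $id
                Delegate   = $delegate
                Delegation = 'Send on behalf of'
            }
        }
    }
}

# One row per mailbox/delegate/delegation; rows reading "Send as" or
# "Send on behalf of" with no matching "Mailbox:" row are send-only delegates.
Get-SharedMailboxDelegation | Sort-Object Mailbox, Delegate | Format-Table -AutoSize
```

Piping the result to Export-Csv instead of Format-Table gives a snapshot that can be compared between reviews.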

Outlook Automap

Once the user has been delegated, the SM is automatically mounted in their Outlook profile. This can create serious problems, because no new .ost file is generated for the Shared Mailbox: the .ost of the normal profile is used instead. Where is the problem? If the Shared Mailbox is very large, the .ost file grows accordingly, and when this file reaches about 40GB the corruption rate is very high (with all the consequences that entails).

To disable automount you can use PowerShell, with the following command: Add-MailboxPermission -Identity SharedMailbox -User upn@domain.com -AccessRights FullAccess -AutoMapping $false

What happens if the same mailbox is seen by all the users of my company? Again, PowerShell is the answer, but with a more structured set of commands:

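# Get every mailbox in the tenant (without -ResultSize the output stops at 1000 results)
$listUsers = Get-Mailbox -ResultSize Unlimited
foreach ($user in $listUsers) {
    $userName = $user.Identity
    $userAlias = $user.Alias
    # Grant FullAccess on the Shared Mailbox without Outlook automapping
    Add-MailboxPermission -Identity SharedMailbox -User $userName -AccessRights FullAccess -AutoMapping $false
    Write-Host "Automap Global disattivato per utente " $user.DisplayName -ForegroundColor Green
}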

But if the automap is disabled, how does the user see the mailbox? The suggestion is to use the webmail, even if, theoretically, it may be easier to configure a new .ost file dedicated to the Shared Mailbox.

Sent Item

When an email is sent from the Shared Mailbox, the message remains in the “Sent Mail” folder of the user who performed the operation. To also save a copy in the “Sent Mail” folder of the Shared Mailbox, you just need to enable the option in the Sent Item section.

Protection and Advanced Management

Although the Shared Mailbox is a mailbox without a user, it is no less subject to attacks and the risks are linked to the emails that arrive every day. To best defend yourself, it is recommended, at least, to activate a Microsoft Defender for Office 365 P1 license, so as to defend yourself against malware, phishing, unsafe links and much more.

Another license to evaluate is the Exchange Online P2, because it unlocks three important functions:

  • Limit increased to 99GB
  • Online Archive
  • Litigation Hold

On top of these, the classic Shared Mailbox also gains advanced audit logging and the certainty of being able to use manual mounting in Outlook.

Conclusions

Shared Mailboxes are therefore an excellent tool that helps to better manage group mailboxes, but you need to know how to use and configure them in the best possible way to avoid problems on both the security and the performance side.

Now you are a Shared Mailbox boss!

#DBS