Differences between Shared Mailboxes, Distribution Lists and Office 365 Groups
Alex Fields
Before we begin our article today, I just want to say this: if you guys and gals aren’t aware of the CIAOPS community yet, then you should definitely check it out. It’s a great place to hang out, with lots of smart people both asking and answering good, hard questions. Well worth the investment–I already consider myself fairly smart (as one can be) in the Microsoft/Office 365 space, and even I have learned a lot by participating there.
Now, recently Robert posted a very good overview of some of the security problems with shared mailboxes on his blog, and it sparked some more discussion in the group. The reality is, there are lots of problems with shared mailboxes, and there have been for quite some time.
The many problems with shared mailboxes
I am sure many of you out there have run into these issues before, since shared mailboxes at present are not easy to work with outside of a traditional Outlook client. As the “mobile-first” generation has come up, it is more frustrating than ever that we cannot access these accounts from a mobile device, for instance.*
By default, when you create a shared mailbox, there is no way to log in to it. However, that doesn’t mean it can’t be done. Technically there is a system-generated password, and you can change that password. Once changed, it is possible to log in interactively. However, Microsoft does not recommend this, and in fact the best practice is to disable shared mailboxes for sign-in.
However, if you want to be able to peer into this mailbox on the go, or you have a third-party app that needs to sign in to the mailbox, for instance, then you cannot disable sign-in. If possible, you should at least disable basic auth and POP/IMAP on the account, and/or consider a conditional access policy that restricts the overall exposure.
Assuming you can mitigate the risks above (and do you really want a shared password out there in the wild?), there is still another problem we need to work around: an interactive mailbox must be a licensed mailbox. You see, Microsoft does not normally require you to license shared mailboxes,
UNLESS of course you need to start using that shared mailbox more like a real mailbox. There are other licensing considerations if you need to assign it an archive mailbox or use litigation hold.
So often we end up taking this great feature that doesn’t require any licensing, but then we start using it in such a way that it does require licensing. And, as we have learned, it also often comes with a serious security compromise. So now you are also paying for that security hole; it’s like adding insult to injury.
Why you should consider Outlook Groups instead
Now consider Outlook Groups. These have most of the benefits we are typically looking for in a shared mailbox with none of the drawbacks. Let’s take a gander. With an Outlook Group it is possible to:
- Receive mail from both inside and outside the company (an admin is required to turn the external piece on)
- Send as or send on behalf of the group’s email address
- Share a calendar (but no contacts, tasks, etc.)
And now look at all the other benefits on top of that:
- Members of the group can choose to receive inbox notifications when new messages are sent to the mailbox, or not–their choice
- Membership can be managed by those who own the function, so they do not have to involve IT to make changes
- You can invite external members to collaborate in a group
- Groups are natively accessible on the Outlook mobile app
- Bonus! There are other work spaces like Planner, a OneNote notebook, a SharePoint file library and so on, that the members of the group can use to collaborate regarding their shared function/responsibilities
- And perhaps best of all: no associated user account to manage, secure or license
Some people get confused when I suggest replacing shared mailboxes with Outlook Groups. There are a couple of reasons for this that I think we should cover.
Reason #1: They aren’t really thinking about a shared mailbox, they are thinking of a real mailbox
Some implementations of shared mailboxes aren’t really shared mailboxes at all. They may be designated as shared, but in reality they are real mailboxes that happen to be shared. An example of this is any line-of-business application that needs to sign in and interact with the contents of a mailbox. Sorry, but if you need that kind of functionality, then it should really be a user mailbox, not a shared mailbox.
User mailboxes can still be delegated with full access, send as, send on behalf and all that; but since you need to have it licensed anyway, it is actually a full user mailbox that is just being mis-categorized as shared. So if you can remember to only designate “shared mailboxes” as those which do not require any kind of interactive login, then you’re on the right path, and can consider whether it makes sense to convert them to groups.
Reason #2: They are more familiar with Outlook Groups as a replacement for Distribution Lists
Some people moved their distribution lists to Outlook Groups since Microsoft was pushing that feature. Even now, if you go into the groups area in the Exchange admin center, there is a big button inviting you to upgrade your DLs.
When it comes to distribution of information, nowadays you may even consider upgrading your group further to a team in Microsoft Teams–and that may be a better fit for broadcasting certain information to an audience of people (of course it all depends on the use case).
But the big benefits of a group when compared to a distribution list, of course, are that new members can see past emails in the group, not just new ones, and also, they can choose their preferred level of engagement. It is possible to turn off notifications in your own inbox, for example.
Personally, I tend to frown on distribution lists. They just aren’t that great, and having them around means more inbox clutter. I’d rather just be able to go check out the notifications in my group or team than have to get more “bulk” email from DLs in my inbox. Then I end up with these silly rules in Outlook which filter mail out into other folders and… it’s just yuk.
Migrations to Groups
But I would argue that Groups are an even better replacement for Shared Mailboxes than they are for Distribution Lists. The problem is, while Microsoft provides an easy upgrade path to move from DLs to groups, no such tool exists for shared mailboxes yet. However, you can go vote for this feature here (and please do).
As of today, migrating from Shared Mailboxes to Outlook Groups is completely a manual process. You would need to rename and eventually delete the old Shared Mailbox, while creating a new Outlook Group to replace it. If you wanted to bring mailbox items over from the old world, they would need to be manually copied (e.g. drag-n-drop) as well.
And, you will notice, it is not possible to have “sub folders” in the Outlook group. Don’t panic, just stop being a dumb-dumb and trying to organize things into sub-folders like it “matters.” The organize mentality belongs to pre-millennial driven software. Don’t you know that the cool way is to use search instead of folders? Besides, who doesn’t just end up using search anyways to find old items–even if they are buried in some other folder? I use search more than any other feature in Outlook. Or probably any software, really.
For a more balanced and classic consultant “it depends” sort of answer, see this article. Looks like you can also vote for the sub-folder feature. One more note: there is no “sent items” folder for a group, so any items sent on behalf or sent as will be in the sent items of the actual user who did the sending. But it is a “conversation” view by default, so normally you can see the conversation threads and tell who has responded to what and when.
And… yes… it depends
It’s easy to jump on the Outlook groups bandwagon and say that it is the hammer solution to every nail out there–move everything to Outlook groups! It is tempting, trust me–I feel the pull daily. But no. Let’s review where things are at:
- If you require interactive login to a mailbox (as is sometimes necessary with LOB apps), then you should have a real user mailbox, with a license attached, even if you choose to mislabel it in Exchange Online as a shared mailbox. Treat it as seriously as you would any other security principal in your environment.
- A shared mailbox has sub-folders, shared contacts, and some other features that an Outlook group does not (as of today), and it allows people who have permissions to look at the contents of the mailbox via Outlook or Outlook on the web only, but not via the mobile app (again, as of today). Note that you still need to license it for certain features like larger mailbox sizes, litigation hold and so on, and note again that there are those pesky security risks to consider.
- An Outlook group has a shared inbox space (without sub-folders) and calendar, as well as the ability to send as/send on behalf, etc., just like shared mailboxes; it also has a ton of modern features that make it more attractive in some cases than either shared mailboxes or distribution lists (for instance the ability to subscribe to notifications or not, and to work with the group natively via the Outlook app for iOS and Android).
- The distribution list is an annoying technology that is as old as dust, and essentially just allows you to notify groups of people, and bother them right where they are sure to notice it: their inbox. Sometimes this fits the bill perfectly and an Outlook Group is overkill.
So there you have it. In my book, it pays to take a real hard look at your environment and decide if you really need all those shared mailboxes or not. And if you have some that do require interactive login, then treat them appropriately, with the right licensing and the right security controls. Can you at least disable basic auth and legacy protocols like IMAP and POP? MFA would be even better, although in many cases it is not possible (so look to Conditional Access in that case).
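One way to find out which shared mailboxes have drifted into “real mailbox” territory, and to apply the minimum controls this post asks for (block sign-in, disable POP/IMAP and SMTP basic auth), as an added example that is not from the original post: a PowerShell script built on the ExchangeOnlineManagement and Microsoft.Graph.Users modules. The `-Harden` switch, the report columns and the required admin roles are my own assumptions.

```powershell
# Added example (not from the original post): inventory shared mailboxes in
# Exchange Online for the exposure discussed above, and optionally harden them.
# Assumes ExchangeOnlineManagement and Microsoft.Graph.Users are installed and
# the caller has Exchange admin rights plus the User.ReadWrite.All Graph scope.
param([switch]$Harden)   # run without -Harden to report only

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$report = foreach ($mbx in $shared) {
    $cas  = Get-CASMailbox -Identity $mbx.Identity
    $user = Get-MgUser -UserId $mbx.UserPrincipalName -Property AccountEnabled

    # Full Access delegates are the intended entry point; list them so the
    # mailbox's real audience sits next to its sign-in state in the report.
    $delegates = (Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and
                       $_.User -notlike 'NT AUTHORITY\*' -and -not $_.IsInherited } |
        Select-Object -ExpandProperty User) -join ';'

    # A null SmtpClientAuthenticationDisabled means "follow the org-wide setting".
    $smtpAuth = if ($null -eq $cas.SmtpClientAuthenticationDisabled) { 'OrgDefault' }
                else { -not $cas.SmtpClientAuthenticationDisabled }

    [pscustomobject]@{
        Mailbox         = $mbx.UserPrincipalName
        SignInEnabled   = $user.AccountEnabled
        PopEnabled      = $cas.PopEnabled
        ImapEnabled     = $cas.ImapEnabled
        SmtpAuthEnabled = $smtpAuth
        FullAccess      = $delegates
    }

    if ($Harden) {
        # Turn off the legacy protocols the post calls out: the paths on which a
        # leaked shared password can be used without MFA or Conditional Access.
        Set-CASMailbox -Identity $mbx.Identity -PopEnabled $false -ImapEnabled $false `
            -SmtpClientAuthenticationDisabled $true
        # Block interactive sign-in; delegated Full Access through the members'
        # own accounts keeps working, which is the recommended entry point.
        Update-MgUser -UserId $mbx.UserPrincipalName -AccountEnabled:$false
    }
}

# Any row with SignInEnabled, PopEnabled, ImapEnabled or SmtpAuthEnabled set to
# True is a "shared" mailbox behaving like a user mailbox: license and secure it as one.
$report | Sort-Object SignInEnabled, SmtpAuthEnabled -Descending | Format-Table -AutoSize
```

Run it once without `-Harden` and review the FullAccess column before blocking sign-in, since a mailbox with no delegates and an enabled account is usually the LOB-app case the post says should become a licensed user mailbox instead.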
*The mobile app access to shared mailboxes is on the roadmap, however. So at least it won’t be necessary to assign licenses just to interact with them on iOS and Android devices. You could at that time disable sign-in for those shared accounts, and the actual user accounts would be the entry point, which is the preferred methodology. Still, Outlook Groups are available on Outlook for iOS and Android already today!