Hey everyone! I'm looking to switch from user-based to group-based permissions for shared mailboxes in Exchange Online. I'm currently using security groups for other permissions and thought it would be best to extend that to Exchange. However, I realized that to do this, I need to mail-enable the security groups, which creates an email address for each group. This seems a bit cumbersome just to manage permissions. How do you guys handle this in your setups?
4 Answers
Can't you create a mail-enabled security group directly in Exchange Online? I work in a hybrid setup, which complicates things a bit. The easiest command to use is New-DistributionGroup -Name "YourGroupName" -Type "Security". Might save you some hassle!
While I fully support using security groups for various permissions, I find them a bit cumbersome for shared mailboxes. In my experience, shared mailboxes are usually just assigned to a few specific individuals, not a whole team. We have around 100 shared mailboxes in our business, and I find it's less complex to assign permissions directly to those mailboxes instead of creating groups.
Just a heads-up, when you grant permissions to shared mailboxes through a group, they won't automap in Outlook. This often confuses users, who might wonder why the mailbox isn't showing up automatically. I've seen a lot of helpdesk tickets about this!
Yeah, that's definitely the major drawback. If you set it up this way, users won't get that automatic visibility, which can lead to confusion.
That's the right approach, but if needed, you can hide these groups from the address book. Just keep in mind that, like someone else pointed out, they won't automap to Outlook.

Thanks for that tip! So just to clarify, do you create security groups for shared mailboxes and mail-enable them too? How do you handle the email addresses for those groups? My idea was to have one security group for 'send as' and another for 'Full Access' per mailbox.
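
The two-groups-per-mailbox layout discussed in this thread, as an added PowerShell sketch that is not part of any post above. The mailbox address and the group naming convention are assumptions, and it expects the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session.

```powershell
# Added example. Mailbox address and group names are hypothetical placeholders.
$Mailbox = 'invoices@contoso.example'
$Prefix  = 'SMB-invoices'

# One mail-enabled security group per right, so each can be reviewed separately.
$Groups = @{
    FullAccess = "$Prefix-FullAccess"
    SendAs     = "$Prefix-SendAs"
}

foreach ($name in $Groups.Values) {
    # Create the group only if it does not exist yet (safe to re-run).
    if (-not (Get-DistributionGroup -Identity $name -ErrorAction SilentlyContinue)) {
        New-DistributionGroup -Name $name -Type Security | Out-Null
    }
    # The group needs an address to be a valid trustee, but it does not
    # have to be visible in the address book.
    Set-DistributionGroup -Identity $name -HiddenFromAddressListsEnabled $true
}

# Grant each right to its group instead of to individual users.
Add-MailboxPermission -Identity $Mailbox -User $Groups.FullAccess `
    -AccessRights FullAccess -InheritanceType All | Out-Null
Add-RecipientPermission -Identity $Mailbox -Trustee $Groups.SendAs `
    -AccessRights SendAs -Confirm:$false | Out-Null

# Group grants do not automap in Outlook (as noted in the thread), so members
# have to add the mailbox manually.

# Audit: list grants still assigned directly rather than through the two groups.
# Assumes the groups are reported by name in the User / Trustee columns.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object {
        -not $_.IsInherited -and
        $_.User -notlike 'NT AUTHORITY\*' -and
        $_.User -notin $Groups.Values
    } |
    Select-Object User, AccessRights

Get-RecipientPermission -Identity $Mailbox |
    Where-Object {
        $_.Trustee -notlike 'NT AUTHORITY\*' -and
        $_.Trustee -notin $Groups.Values
    } |
    Select-Object Trustee, AccessRights
```

Anything the two audit queries return is a direct grant left over from the user-based model and a candidate for moving into the matching group.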