When working with Office 365 and Exchange services, it can be helpful to work with groups instead of users, for example, for allowing a group to have full access to a shared mailbox. In this case, there are some things to consider. See the working result in this documentation.
The scenario
First of all, I need to clarify, I'm not an Exchange guy. So, perhaps I'm describing a scenario that's fully clear for Exchange Admins but I think, this could be helpful for other Office 365 Admins. This sample is my summary to show the solution for that specific request: How to set full access permissions to a shared mailbox, a resource or a distribution list for a group (and therefore to all members of that group).
To test it in a demo tenant, I created two shared mailboxes in the Office 365 Admin Portal...
...and some mail-enabled security groups. Distribution groups and Office 365 groups already existed in my tenant. So, this screenshot from the Exchange Portal shows the various group types existing here:
As playground I used:
- Distribution Groups: Executives
- Office 365 Group: HR
- Email-enabled Security groups: MailEnabledSecurityGroup1 to 3
- Shared Mailboxes: SharedMailbox1 and 2
First discovery
To make it short: In the Office 365 Admin Portal:
- You can add only users and email-enabled security groups to a shared mailbox.
- Distribution groups and Office 365 groups cannot be member of a shared mailbox.
The screenshot shows an example. I could add MailEnabledSecurityGroup1 as member SharedMailbox1.
Just as warning: Since email-enabled security groups are Exchange objects, it might take a while after creation (usually some minutes) to be visible in the portal and in the For seeing new Exchange groups in an email client, the portal says: "It might take up to 60 minutes for the change to be effective in Outlook and OWA."
The same can be accomplished with Remote Exchange PowerShell (see here how to connect):
Add-MailboxPermission -Identity sharedmailbox1@M365x389015.onmicrosoft.com
-AccessRights fullaccess -User mailenabledsecuritygroup1@M365x389015.onmicrosoft.com
Mail-enabled security groups are handled in the same way as users.
Other group types
Just to prove it: Distribution groups and Office 365 groups cannot be added.
For Distribution Group Executives:
Add-MailboxPermission -Identity sharedmailbox2@M365x389015.onmicrosoft.com
-AccessRights fullaccess -User Executives@M365x389015.onmicrosoft.com
An error follows: User or group "Executives@M365x389015.onmicrosoft.com" wasn't found.
For Office 365 Group HR:
Add-MailboxPermission -Identity sharedmailbox1@M365x389015.onmicrosoft.com
-AccessRights fullaccess -User hr@M365x389015.onmicrosoft.com
The same error follows: User or group "hr@M365x389015.onmicrosoft.com" wasn't found.
We see, just users and email-enabled security groups can be used as members of a Shared Mailbox.
Existing assignments
The Office 365 Portal shows the assigned MailEnabledSecurityGroup1 as member of SharedMailbox1 (remember, this can take some time).
So does the Exchange Portal:
And PowerShell:
Get-MailboxPermission -Identity sharedmailbox2@M365x389015.onmicrosoft.com
Remove permissions
To remove existing permissions, we can use the Exchange Portal or PowerShell:
Remove-MailboxPermission -Identity sharedmailbox1@M365x389015.onmicrosoft.com
-AccessRights fullaccess -User mailenabledsecuritygroup1@M365x389015.onmicrosoft.com -Confirm:$false
Distribution groups and members
The same goes for distribution groups: Mail-enabled Security Groups can be a member.
Resource mailboxes and members
The same goes for resource mailboxes: Mail-enabled Security Groups can get permissions to a room or equipment mailbox.
Office 365 groups and members
As far as I see, currently only users can be member of an Office 365 group and no other group types.
Summary
So, this scenario is easy. You just need to know that you must organize your environment to use Mail-enabled Security Groups for the purpose of using groups within other groups.