atwork.blog

news and infos about microsoft, technology, cloud and more

Working with Exchange Mailboxes and Groups as members

When working with Office 365 and Exchange services, it can be helpful to work with groups instead of users, for example, for allowing a group to have full access to a shared mailbox. In this case, there are some things to consider. See the working result in this documentation.

The scenario

First of all, I need to clarify: I'm not an Exchange guy. So perhaps I'm describing a scenario that's fully clear to Exchange admins, but I think this could be helpful for other Office 365 admins. This sample is my summary to show the solution for that specific request: how to set full access permissions to a shared mailbox, a resource or a distribution list for a group (and therefore for all members of that group).

To test it in a demo tenant, I created two shared mailboxes in the Office 365 Admin Portal...

image

...and some mail-enabled security groups. Distribution groups and Office 365 groups already existed in my tenant. So, this screenshot from the Exchange Portal shows the various group types existing here:

image

As a playground, I used:

  • Distribution Groups: Executives
  • Office 365 Group: HR
  • Email-enabled Security groups: MailEnabledSecurityGroup1 to 3
  • Shared Mailboxes: SharedMailbox1 and 2

First discovery

To make it short: In the Office 365 Admin Portal:

  • You can add only users and email-enabled security groups to a shared mailbox.
  • Distribution groups and Office 365 groups cannot be members of a shared mailbox.

The screenshot shows an example. I could add MailEnabledSecurityGroup1 as a member of SharedMailbox1.

image

Just as a warning: Since email-enabled security groups are Exchange objects, it might take a while after creation (usually some minutes) to be visible in the portal and in the  For seeing new Exchange groups in an email client, the portal says: "It might take up to 60 minutes for the change to be effective in Outlook and OWA."

The same can be accomplished with Remote Exchange PowerShell (see here how to connect):

Add-MailboxPermission -Identity sharedmailbox1@M365x389015.onmicrosoft.com `
  -AccessRights fullaccess -User mailenabledsecuritygroup1@M365x389015.onmicrosoft.com

Mail-enabled security groups are handled in the same way as users.

Other group types

Just to prove it: Distribution groups and Office 365 groups cannot be added.

For Distribution Group Executives:

Add-MailboxPermission -Identity sharedmailbox2@M365x389015.onmicrosoft.com `
  -AccessRights fullaccess -User Executives@M365x389015.onmicrosoft.com

An error follows: User or group "Executives@M365x389015.onmicrosoft.com" wasn't found.

For Office 365 Group HR:

Add-MailboxPermission -Identity sharedmailbox1@M365x389015.onmicrosoft.com `
  -AccessRights fullaccess -User hr@M365x389015.onmicrosoft.com

The same error follows: User or group "hr@M365x389015.onmicrosoft.com" wasn't found.

As we can see, only users and email-enabled security groups can be used as members of a shared mailbox.

Existing assignments

The Office 365 Portal shows the assigned MailEnabledSecurityGroup1 as a member of SharedMailbox1 (remember, this can take some time).

image

So does the Exchange Portal:

image

And PowerShell:

Get-MailboxPermission -Identity sharedmailbox2@M365x389015.onmicrosoft.com

image
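Because a FullAccess grant to a mail-enabled security group applies to every member of that group, a permission review has to expand the group to see who can actually open the mailbox. The following is an added example, not part of the original post: it assumes an already connected Exchange Online PowerShell session, and Get-EffectiveFullAccess is a hypothetical helper name.

```powershell
# Added example (not from the original post). Requires a connected
# Exchange Online PowerShell session. The function name is hypothetical.
function Get-EffectiveFullAccess {
    param([Parameter(Mandatory)][string]$Mailbox)

    # Keep only explicit allow entries that include FullAccess and skip
    # built-in principals such as NT AUTHORITY\SELF.
    $entries = Get-MailboxPermission -Identity $Mailbox | Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        "$($_.AccessRights)" -match 'FullAccess' -and
        "$($_.User)" -notlike 'NT AUTHORITY\*'
    }

    foreach ($entry in $entries) {
        $trustee = Get-Recipient -Identity "$($entry.User)" -ErrorAction SilentlyContinue
        if ($null -eq $trustee) {
            # Trustee no longer resolves (deleted or renamed): flag for cleanup.
            [pscustomobject]@{ Mailbox = $Mailbox; GrantedTo = "$($entry.User)"
                               Via = 'Unresolved'; EffectiveUser = $null }
            continue
        }
        if ($trustee.RecipientTypeDetails -eq 'MailUniversalSecurityGroup') {
            # Expand the group. This lists direct members only; a member that is
            # itself a group shows up with its own MemberType and needs a second pass.
            $members = Get-DistributionGroupMember -Identity $trustee.PrimarySmtpAddress -ResultSize Unlimited
            foreach ($m in $members) {
                [pscustomobject]@{ Mailbox = $Mailbox; GrantedTo = $trustee.PrimarySmtpAddress
                                   Via = 'Group'; EffectiveUser = $m.PrimarySmtpAddress
                                   MemberType = $m.RecipientTypeDetails }
            }
        }
        else {
            # Permission was assigned directly to a user or other recipient.
            [pscustomobject]@{ Mailbox = $Mailbox; GrantedTo = $trustee.PrimarySmtpAddress
                               Via = 'Direct'; EffectiveUser = $trustee.PrimarySmtpAddress
                               MemberType = $trustee.RecipientTypeDetails }
        }
    }
}

# Mailbox address taken from the demo tenant used in this post.
Get-EffectiveFullAccess -Mailbox 'sharedmailbox1@M365x389015.onmicrosoft.com' |
    Format-Table Mailbox, GrantedTo, Via, EffectiveUser, MemberType
```

Running this on a schedule and comparing the output between runs shows when a change in group membership has silently changed who has full access to the mailbox.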

Remove permissions

To remove existing permissions, we can use the Exchange Portal or PowerShell:

Remove-MailboxPermission -Identity sharedmailbox1@M365x389015.onmicrosoft.com `
  -AccessRights fullaccess -User mailenabledsecuritygroup1@M365x389015.onmicrosoft.com -Confirm:$false

Distribution groups and members

The same goes for distribution groups: Mail-enabled Security Groups can be a member.

image

Resource mailboxes and members

The same goes for resource mailboxes: Mail-enabled Security Groups can get permissions to a room or equipment mailbox.

Office 365 groups and members

As far as I can see, currently only users can be members of an Office 365 group, and no other group types.

Summary

So, this scenario is easy. You just need to know that you must organize your environment to use Mail-enabled Security Groups for the purpose of using groups within other groups.
