Improving the Processing of Protected Messages in Shared Mailboxes
Mail-Enabled Security Groups with Full Access to Shared Mailboxes Make Access to Protected Messages Easier to Control
Microsoft Purview Message Encryption (OME, previously Office 365 Message Encryption) allows users to apply two pre-defined rights management-based templates, called Do Not Forward and Encrypt Only, to protect email. Messages sent to other Microsoft 365 tenants can be read inline by Outlook clients, while recipients of messages sent to other email services read the protected content through the OME portal. Protection extends to email attachments.
Unlike the sensitivity labels created for tenants, administrators cannot edit the settings of the OME templates. The same settings apply in all tenants where OME is configured. For instance, when Outlook clients open messages protected by the Do Not Forward template, the clients disable the Forward, Save As, and Print options and don’t allow the recipient to change the recipient list for a reply.
Improving Access to Protected Messages Delivered to Shared Mailboxes
Shared mailboxes are an important part of the Exchange Online messaging landscape. Since the introduction of Azure Information Protection in 2016, Microsoft has steadily improved the ability of users with access to shared mailboxes to process protected messages. A recent important enhancement is described in message center notification MC794814 (21 May 2024, Microsoft 365 roadmap item 385345), which reports that members of a mail-enabled security group with access to a shared mailbox can read and respond to protected messages.
The caveat is that members of the mail-enabled security group can only read protected messages generated after Microsoft deploys the feature to a tenant. Rollout completed in September 2024, so that shouldn’t be a problem now. Older protected email cannot be read because the “protected wrapper” around those messages doesn’t support access via a mail-enabled security group.
Figure 1 shows a message protected with the Do Not Forward template being read in Outlook (classic). In this case, my account is a member of a mail-enabled security group granted Full Access permission for the Complaints mailbox.

No Need for Direct User Assignment
The important point here is that direct user assignment to the shared mailbox with automapping enabled is no longer required. Direct assignment means that an administrator grants Full Access permission for the shared mailbox to a user account. Automapping is a process where Exchange Online adds a shared mailbox to a profile so that the Outlook (classic) client automatically opens the shared mailbox. This method still works, but now you have the option to use a mail-enabled security group to control shared mailbox membership instead.
Although the mail-enabled security group method works very nicely to allow users to open and read protected messages, remember that separate delegation is required to allow people to send email from the shared mailbox. This can be a Send As or Send on Behalf Of permission.
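The steps above as an Exchange Online PowerShell session, added here as an example and not taken from the original post. It assumes the Exchange Online module is installed, that a shared mailbox named Complaints exists, and that the group name, alias and member address are placeholders to replace with your own.

```powershell
# Added example (not from the original post): control Full Access to a shared
# mailbox through a mail-enabled security group, then delegate sending separately.
# Assumptions: Exchange Online PowerShell module present; shared mailbox "Complaints"
# exists; group name, alias and member address below are placeholders.
Connect-ExchangeOnline

$SharedMailbox = 'Complaints'
$GroupName     = 'Complaints Mailbox Access'
$GroupAlias    = 'ComplaintsMailboxAccess'

# 1. Create a mail-enabled *security* group (-Type Security). A plain distribution
#    group cannot hold a mailbox permission.
$Group = New-DistributionGroup -Name $GroupName -Alias $GroupAlias -Type Security

# 2. Membership of the group now decides who can open the shared mailbox.
Add-DistributionGroupMember -Identity $Group.Identity -Member 'user1@contoso.com'

# 3. Grant the group Full Access. Automapping only applies to permissions granted
#    directly to a user, so group members open the shared mailbox manually in
#    Outlook (classic) or add it as a shared folder in OWA / new Outlook.
Add-MailboxPermission -Identity $SharedMailbox -User $Group.Identity `
    -AccessRights FullAccess -InheritanceType All

# 4. Full Access only covers reading and replying inside the mailbox. Sending
#    from the mailbox needs its own delegation: Send As ...
Add-RecipientPermission -Identity $SharedMailbox -Trustee $Group.Identity `
    -AccessRights SendAs -Confirm:$false
#    ... or Send on Behalf Of (messages show "user on behalf of Complaints").
# Set-Mailbox -Identity $SharedMailbox -GrantSendOnBehalfTo @{Add = $Group.Identity}

# 5. Verify: explicit (non-inherited) Full Access entries should now list the
#    group, not individual user accounts.
Get-MailboxPermission -Identity $SharedMailbox |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and
                   -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights, IsInherited

Get-RecipientPermission -Identity $SharedMailbox -AccessRights SendAs |
    Format-Table Trustee, AccessRights

# 6. Access review: who currently holds the access is simply the group membership.
Get-DistributionGroupMember -Identity $Group.Identity |
    Format-Table Name, PrimarySmtpAddress
```

Because the permission is held by the group, adding or removing a member is the only change needed when someone joins or leaves the team, and step 6 gives a single list to review.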
Why mention a feature launched last year when every Microsoft 365 tenant administrator struggles to manage the ongoing flood of new product feature announcements? Well, the new method seems to have passed people by, so I thought it would be good to highlight it and give the mail-enabled security group approach a little boost. In addition, although MC794814 focused on the Do Not Forward and Encrypt Only templates, it seems that users granted access to a shared mailbox via a mail-enabled security group can read email protected by sensitivity labels too, provided the rights assigned in those labels allow access.
Support in OWA and the New Outlook
OWA and the New Outlook are usually faster at deploying enhancements for protected messages. These clients work online and fetch the necessary authorization (use licenses) as required. Outlook (classic) can work offline, so getting the use licenses is more complicated.
OWA and the New Outlook also support the ability to work with protected messages when access is granted via a mail-enabled security group. Figure 2 shows OWA being used to read a protected message in a shared mailbox.

Microsoft Purview message encryption is available to all tenants with Office 365 E3 licenses and above. The Do Not Forward and Encrypt Only templates are very useful and the number of tenants using sensitivity labels grows all the time. Easier access to protected messages in shared mailboxes is welcome, even if it’s taken me far too long to acknowledge the update.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.