MSEndpointMgr

2 for 1 – Mail enable unlicensed admin accounts

Are you looking to cut mailbox licensing costs for your Office 365 tenant? Well, look no further: below I share a few ways to save money on Exchange Online licensing fees for admin accounts that need to send and receive e-mail.

So what do I mean by “admin accounts”?

In this case, the admin account (sometimes referred to as an ADM account) is a separate privileged account used by IT staff to perform their privileged duties. These account types are a standard security measure implemented in a lot of companies, and in some cases, they need to be mail-enabled.

Some valid reasons for needing to mail-enable an admin account are:

  • To receive Microsoft Notifications.
  • Third-party admin tools that don’t support alternative e-mail addresses.
  • OTP messages sent to the account.
  • Using the account UPN in places that require you to fill in an e-mail.

But mail enabling does not necessarily mean having to purchase a license for Exchange Online!

One way to avoid excessive licensing for Exchange Online is to redirect e-mail using Distribution Lists.

By redirection, I mean mail destined for your admin account goes to your regular non-privileged account instead.

Using Distribution Lists to redirect e-mail has several advantages:

  • Easy to set up with PowerShell or EAC.
  • Redirect without storing a copy.
  • Supports “send as” or “on behalf.”
  • Supports “Hide from Global Address List.”
  • Generates the least amount of system clutter.
  • No license consumption required!

You might be wondering why this single problem made me choose Distribution Lists over other tried-and-true solutions. I explain that, and the other solutions, at the end of this article. It’s up to you to decide whether another solution is a better fit for your organization.

Now that most of the admin portals in Microsoft 365 and Azure no longer require admins to have an active license assigned, you should look into removing Exchange Online licensing from your admin accounts and switching to Distribution List redirection or a similar solution.


The solution

I have opted to use PowerShell for this solution, but you could use the Exchange Admin Center instead. That is, however, not covered in this blog post.

The following PowerShell code should get you off to a good start. Use it to build a neat solution in Azure Automation, and have it execute every time you add a new admin account. That is sure to impress the boss!

Automation is king – only your imagination will limit you…

The requirements

  • Azure Subscription (free is sufficient).
  • Exchange Online Administrator Privileges.
  • A basic understanding of PowerShell script variables.

The steps

  1. Log on to Azure Cloud Shell via https://shell.azure.com
  2. Run the command: Connect-EXOPSSession
[Screenshot: Azure Cloud Shell using the Exchange Online module]

After completing the above steps, you can interact with Exchange Online PowerShell.

Before you go off and execute the script below, you first need to understand the variables that it uses.

# Placeholder addresses: replace with the admin account's UPN and the owner's licensed mailbox.
$adminMail = "adm-jsmith@contoso.com"
$userMail  = "jsmith@contoso.com"

# Derive an SMTP-safe name from the admin address: '@' becomes '_' and '.' becomes '-'.
$name = ($adminMail -replace "@","_").Replace(".","-")

# Create a closed group whose only member is its owner (the non-privileged account).
# Note the ${name} braces: "$name_admin" would be read as the (empty) variable $name_admin.
New-DistributionGroup -Name "Redirect for $name" -Alias "${name}_admin" -PrimarySmtpAddress $adminMail -ManagedBy $userMail -CopyOwnerToMember -MemberDepartRestriction "Closed" -MemberJoinRestriction "Closed"

# Hide it from the GAL, let the owner send on its behalf, and accept unauthenticated
# (external) senders so notifications from outside the tenant get through.
Set-DistributionGroup "Redirect for $name" -HiddenFromAddressListsEnabled $true -GrantSendOnBehalfTo $userMail -RequireSenderAuthenticationEnabled $false

You will need to modify the variables in the script above, according to your requirements.

  • $adminMail. This variable is the e-mail address you wish to assign to the Distribution Group. It should be the same as the UPN of the admin account.
  • $userMail. This variable is the non-privileged account’s e-mail address. This account must have an Exchange mailbox and should belong only to the same person who owns the admin account, both for compliance and because everything sent to the admin address (OTPs, notifications, reset links) will now land in this mailbox and is protected only by its security.
  • $name. This variable is my way of auto-generating a name for the Distribution List. You can modify it if you like, but you must understand the impact yourself.
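As an added example (this is not code from the original post), here is the same procedure wrapped in a function that pre-checks the two things that usually go wrong (the target mailbox does not exist, or the admin address is still held by some other recipient), creates the group only when needed, re-applies the settings on every run, and verifies that the redirect is 1:1. It assumes you are already connected to Exchange Online PowerShell; the function name New-AdminMailRedirect and the addresses are placeholders.

```powershell
# Added example, not from the original post. Assumes you are already connected to
# Exchange Online PowerShell (Connect-EXOPSSession in Cloud Shell, or Connect-ExchangeOnline).
# New-AdminMailRedirect is a hypothetical name; the addresses at the bottom are placeholders.
function New-AdminMailRedirect {
    param(
        [Parameter(Mandatory)] [string] $AdminMail,  # UPN of the privileged (ADM) account
        [Parameter(Mandatory)] [string] $UserMail,   # the same person's licensed, non-privileged mailbox
        [switch] $GrantSendAs                        # additionally grant Send As (Send on Behalf is always granted)
    )

    # 1. The target must be a real mailbox, otherwise the redirect delivers nowhere.
    $userMbx = Get-Mailbox -Identity $UserMail -ErrorAction SilentlyContinue
    if (-not $userMbx) { throw "No mailbox found for $UserMail" }

    # 2. Addresses are unique tenant-wide. Get-Recipient resolves any proxy address, so this
    #    finds the mailbox, contact or group that still holds the admin address.
    $name   = ($AdminMail -replace '@', '_').Replace('.', '-')   # same naming scheme as the post
    $dlName = "Redirect for $name"
    $holder = Get-Recipient -Identity $AdminMail -ErrorAction SilentlyContinue
    if ($holder -and $holder.Name -ne $dlName) {
        throw "$AdminMail is already in use by '$($holder.Name)' ($($holder.RecipientTypeDetails)); remove it there first."
    }

    # 3. Create the group once: closed membership, owner copied in as the only member.
    if (-not $holder) {
        New-DistributionGroup -Name $dlName -Alias "${name}_admin" -PrimarySmtpAddress $AdminMail `
            -ManagedBy $UserMail -CopyOwnerToMember `
            -MemberJoinRestriction Closed -MemberDepartRestriction Closed | Out-Null
    }

    # 4. (Re)apply the settings on every run so a re-run corrects drift instead of failing.
    #    RequireSenderAuthenticationEnabled $false is what lets external notifications in.
    Set-DistributionGroup -Identity $dlName `
        -HiddenFromAddressListsEnabled $true `
        -GrantSendOnBehalfTo $UserMail `
        -RequireSenderAuthenticationEnabled $false
    if ($GrantSendAs) {
        Add-RecipientPermission -Identity $dlName -Trustee $UserMail -AccessRights SendAs -Confirm:$false | Out-Null
    }

    # 5. Verify the redirect is 1:1: exactly one member, and it is the intended mailbox.
    $members  = @(Get-DistributionGroupMember -Identity $dlName)
    $expected = [string] $userMbx.PrimarySmtpAddress
    if ($members.Count -ne 1 -or ([string] $members[0].PrimarySmtpAddress) -ne $expected) {
        $actual = ($members | ForEach-Object { [string] $_.PrimarySmtpAddress }) -join ', '
        throw "Membership of '$dlName' is not just $expected but: $actual"
    }
    Get-DistributionGroup -Identity $dlName |
        Select-Object Name, Alias, PrimarySmtpAddress, HiddenFromAddressListsEnabled, RequireSenderAuthenticationEnabled
}

# Placeholder addresses; replace with your own.
New-AdminMailRedirect -AdminMail 'adm-jsmith@contoso.com' -UserMail 'jsmith@contoso.com'
```

Because the settings are applied unconditionally after the existence check, the function can be run again for the same account from an Azure Automation runbook without erroring; the final membership check is what catches a group that someone later widened to more than one recipient.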

Troubleshooting

  • No e-mail coming through from the Internet.
    • Unfortunately, it can take a while for a newly created Distribution List to be cleared for unauthenticated external e-mail. So, give it some time.
  • Admin e-mail address already in use in the organization?
    • If this e-mail address previously received mail, you will need to track down the object that still carries the address and remove it from there; e-mail addresses are unique throughout Exchange Online.
    • Remember to back up any existing mail data if the admin account previously had a license assigned.
  • Unable to remove the Exchange Online license from the admin account.
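The troubleshooting items above come down to two questions: which recipient currently holds the address, and whether the redirect groups you already created still look the way they should. As an added example (not the post’s own code; it assumes a connected Exchange Online session and the “Redirect for” naming scheme above, and both function names are hypothetical), this audits every redirect group and flags anything that would widen the redirect beyond the one intended person:

```powershell
# Added example, not from the original post. Assumes an Exchange Online PowerShell session
# and groups named with the "Redirect for <name>" scheme. Function names are hypothetical.

# Which recipient currently owns an address? Get-Recipient matches any proxy address,
# not only the primary, so this finds an alias hiding on another mailbox or contact.
function Find-AddressHolder {
    param([Parameter(Mandatory)] [string] $Address)
    Get-Recipient -Identity $Address -ErrorAction SilentlyContinue |
        Select-Object Name, RecipientTypeDetails, PrimarySmtpAddress,
            @{ Name = 'AllAddresses'; Expression = { $_.EmailAddresses -join ', ' } }
}

# Audit every redirect group: a redirect must stay 1:1, hidden, closed, and owned by the
# person who receives the mail. Anything else means the admin account's mail (including
# OTPs and notifications) reaches someone it should not.
function Test-AdminMailRedirect {
    param([string] $NamePrefix = 'Redirect for ')

    Get-DistributionGroup -ResultSize Unlimited -Filter "Name -like '$NamePrefix*'" | ForEach-Object {
        $dl     = $_
        $issues = New-Object System.Collections.Generic.List[string]

        if (-not $dl.HiddenFromAddressListsEnabled) { $issues.Add('visible in the GAL') }
        if ("$($dl.MemberJoinRestriction)" -ne 'Closed' -or "$($dl.MemberDepartRestriction)" -ne 'Closed') {
            $issues.Add('membership is not Closed')
        }

        $members = @(Get-DistributionGroupMember -Identity $dl.Identity -ResultSize Unlimited)
        if ($members.Count -ne 1) { $issues.Add("member count is $($members.Count)") }

        # Owner(s) and member(s) must be the same person. ManagedBy holds identities, so
        # resolve each one to a primary SMTP address before comparing.
        $owners = @($dl.ManagedBy | ForEach-Object {
            $r = Get-Recipient -Identity "$_" -ErrorAction SilentlyContinue
            if ($r) { [string] $r.PrimarySmtpAddress }
        })
        foreach ($m in $members) {
            $addr = [string] $m.PrimarySmtpAddress
            if ($owners -notcontains $addr) { $issues.Add("member $addr is not an owner") }
            if ("$($m.RecipientTypeDetails)" -ne 'UserMailbox') {
                $issues.Add("member $addr is a $($m.RecipientTypeDetails), not a user mailbox")
            }
        }

        [pscustomobject]@{
            Group                  = $dl.Name
            Address                = [string] $dl.PrimarySmtpAddress
            ExternalSendersAllowed = -not $dl.RequireSenderAuthenticationEnabled   # expected $true for notifications
            Issues                 = ($issues -join '; ')
        }
    }
}

# Show only the groups that need attention, then check who holds an address you want to reuse.
Test-AdminMailRedirect | Where-Object { $_.Issues } | Format-Table -AutoSize
Find-AddressHolder -Address 'adm-jsmith@contoso.com'   # placeholder address
```

ExternalSendersAllowed is reported rather than flagged, because it has to be true for the redirect to be useful; it is still worth knowing which of your hidden admin addresses accept unauthenticated mail from the Internet.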

Other solutions – pros/cons

As with all things Microsoft, there are several ways to achieve a solution to a problem, so in the spirit of sharing my thoughts, here are some other possible solutions.

Please keep in mind that you might be required to adhere to specific compliance requirements, such as accountability, traceability, retention, backup licensing, exit strategies, and separation of privileges.

Security compliance is why I ended up choosing Distribution Lists, and also because they have the smallest footprint relative to their usability.

Mail flow rules (transport rules)

Pros:

  • Requires no license.
  • Easy to implement.

Cons:

  • Can’t use “Send As” or “On behalf of”.
  • Clutter in the rules list. Can you imagine having 99 admin accounts and this problem?
  • You are limited to 300 rules in Exchange Online.

Shared mailbox

A classic solution to saving on Exchange Online licensing, but it did not support my requirement that no e-mail be stored. It came close, though!

Pros:

  • Requires no license.
  • Can store a hierarchy of mail items in folders.
  • Easy to configure and maintain with PowerShell.
  • The first two cons can also be seen as pros, depending on how you look at it.
  • Can have a very small visual footprint in the admin interface.

Cons:

  • Requires a user account to be present and disabled for mailbox login in the Azure AD users list. This could very well be the admin account, as it will still be able to log into the portal (Thanks to John Walmsley on FB for pointing this out).
  • The admin UPN can only be added as a secondary alias. As such, it consumes yet another address, unless you are simply using the admin account itself as a shared mailbox.
  • Runs as a separate mailbox in Outlook, unless automapping is disabled and email is forwarded.
  • Your mobile access to these emails will be limited to Outlook for iOS/Android.

Alias on the regular account

Not much to say here, except that it’s not possible to assign an alias to a regular user if that alias already exists as the UserPrincipalName (UPN) of another account. Also, if you have a Hybrid Exchange environment, you might be tempted to manipulate the user’s proxyAddresses attribute directly. This will not work!

Office 365 Groups (now Microsoft 365 Groups)

Pushed as the ultimate replacement for Distribution Lists, this was the first thing that came to mind, but it was ditched due to the cons listed below.

Pros:

  • Requires no license.
  • Have all the same features as Distribution Lists.
  • Modern.
  • Has a Calendar.
  • Has a File area.
  • …a ton of things!

Cons:

  • It has way too many features and will appear in several places that I don’t want it to appear.
  • Can ONLY be configured as intended via PowerShell.
  • The admin UPN can only be added as a secondary Alias. As such, it consumes yet another address.
  • Mobile access to these e-mails will be limited to Outlook for iOS/Android. So you might need forwarding enabled.

Final words

In a perfect world of E5 licensing, you could use Azure PIM to consolidate users, and I often recommend this, unless you have strict requirements to separate all administrative access, as some services do not yet integrate neatly with your Azure identity and Conditional Access. So a classic separation of accounts with privileged access can still be required.

As always, I hope you find inspiration in this article. And I welcome any feedback in the comments or on twitter @michael_mardahl.


Michael Mardahl

Michael works as a Microsoft Certified Cloud Architect with APENTO in Denmark. He specializes in customer journeys from classic infrastructure to cloud consumption, with a strong focus on security. He has been in the IT industry for more than 20 years and has experience from a broad range of IT projects. When not at work, Michael enjoys spending time with family and friends, and blogs passionately about Microsoft cloud technology whenever he has time to spare.
