Plus Addressing in Exchange Online: Solution for Admin Accounts Without a Mailbox?
One of the cornerstone principles of a secure Microsoft 365 environment is the separation of administrative and everyday user accounts: never use the same account for administrative tasks and for daily activities such as browsing the web or reading email. A related practice is to give administrative accounts no mailbox at all, so that a phishing message can never land in front of someone who is holding privileged rights. These guidelines are not merely recommended; they are a critical step in securing your tenant. If you have not separated your accounts yet, do it now.
Once these measures are in place, you will run into a practical problem: how do admin accounts, now without mailboxes, receive the notifications needed to manage the Microsoft 365 environment? The question becomes pressing in scenarios such as a user requesting admin consent for an app that asks for permissions to organizational data, or Entra Privileged Identity Management (PIM), where an admin needs to be told about assigned or activated rights in the inbox they actually read.
To reduce the risk of malicious apps tricking users into granting access, user consent should not be allowed to proceed on its own: consent requests should be routed to an admin for approval.
Fortunately, there is a straightforward solution: the plus addressing feature of Exchange Online. It lets admin accounts receive critical notifications without giving them a mailbox.
Plus addressing in Exchange Online lets you create additional, unique email addresses for an existing mailbox by adding a plus sign ('+') and a tag to the mailbox's standard address; mail sent to any such address is delivered to the same mailbox, and the plus address is kept in the To: header so it can be filtered on.
Since May 2022, plus addressing has been enabled by default in Exchange Online. It is controlled by the DisablePlusAddressInRecipients setting of the organization configuration, so a tenant that switched it off has to switch it back on before relying on it.
How does it work? Set the admin account's email address in the format <local-part>+<tag>@<domain>, as follows:
In my example, the email address for my administrative account is configured as AdeleV+365.adm@mydomain.com, ensuring that emails are routed directly to my main mailbox at AdeleV@mydomain.com.
A simple test of both scenarios (an admin consent request and a PIM notification) confirms that the mail is delivered to the main mailbox of the user AdeleV@mydomain.com:
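The same walkthrough as a script, added here as an example; it is not the author's code, and the post only shows the result in screenshots. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, placeholder account names (AdeleV-adm@mydomain.com as the privileged account, AdeleV@mydomain.com as the everyday mailbox), that you sign in to Graph as the mailbox owner for the test send, and that PIM and the admin consent workflow notify the address stored in the account's mail attribute (an assumption about where those notifications are addressed, not something the post states).

```powershell
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Mail

# Added example, not part of the original post. Account names, domain and tag
# are placeholders (assumptions); replace them with your own.
$AdminUpn = 'AdeleV-adm@mydomain.com'        # privileged account: no mailbox, no Exchange license
$PlusAddr = 'AdeleV+365.adm@mydomain.com'    # <local-part>+<tag>@<domain>
$Mailbox  = 'AdeleV@mydomain.com'            # everyday account that owns the mailbox

function Get-PlusAddressTarget {
    # Returns the base address Exchange Online folds a plus address into:
    # the local part up to the first '+', followed by '@' and the domain.
    param([Parameter(Mandatory)][string]$Address)
    if ($Address -notmatch '^(?<local>[^@+]+)\+(?<tag>[^@+]+)@(?<domain>[^@]+)$') {
        throw "Not a valid plus address: $Address"
    }
    return ('{0}@{1}' -f $Matches.local, $Matches.domain)
}

# --- Exchange Online: make sure plus addressing is on and the plus address is free ---
Connect-ExchangeOnline
if ((Get-OrganizationConfig).DisablePlusAddressInRecipients) {
    # Tenants that switched it off after the 2022 default change must re-enable it.
    Set-OrganizationConfig -DisablePlusAddressInRecipients $false
}
# If an Exchange recipient already owned the full plus address, mail would be
# delivered to that recipient instead of being folded into $Mailbox.
if (Get-Recipient -Identity $PlusAddr -ErrorAction SilentlyContinue) {
    throw "$PlusAddr is already assigned to an Exchange recipient"
}
if ((Get-PlusAddressTarget $PlusAddr) -ne $Mailbox) {
    throw "$PlusAddr would not resolve to $Mailbox"
}

# --- Entra ID: point the mailbox-less admin account at the plus address ---
# Assumption: PIM and the admin consent workflow notify the address in the
# user's mail attribute. For directory-synced accounts set it on-premises
# instead; Update-MgUser only works for cloud-managed users.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Mail.Send', 'Mail.Read'
Update-MgUser -UserId $AdminUpn -Mail $PlusAddr
$admin = Get-MgUser -UserId $AdminUpn -Property Mail
if ($admin.Mail -ne $PlusAddr) { throw "mail attribute was not updated on $AdminUpn" }

# --- End-to-end test: send to the plus address, look for it in the main mailbox ---
$subject = "Plus addressing test $(Get-Date -Format o)"
Send-MgUserMail -UserId $Mailbox -BodyParameter @{
    message = @{
        subject      = $subject
        body         = @{ contentType = 'Text'; content = 'If you can read this, plus addressing works.' }
        toRecipients = @(@{ emailAddress = @{ address = $PlusAddr } })
    }
    saveToSentItems = $false
}
Start-Sleep -Seconds 30   # give transport a moment to deliver
$hit = Get-MgUserMessage -UserId $Mailbox -Filter "subject eq '$subject'" -Property Subject, ToRecipients
if (-not $hit) { throw "Test message to $PlusAddr did not arrive in $Mailbox" }
"Delivered to $Mailbox; To: header kept the plus address: $($hit.ToRecipients[0].EmailAddress.Address)"
```

Two details are worth keeping in mind. The recipient check matters because Exchange Online resolves an exact recipient match before it strips the tag, so a mail user or shared mailbox that happens to own the full plus address would silently capture the notifications. And because everything now lands in the everyday mailbox, pick a distinctive tag and build an inbox rule on the To: address so that PIM and consent mails are not lost among ordinary traffic.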
This wraps up the key insight I aimed to share through this post: a seemingly minor yet profoundly impactful tip for the efficient management of Microsoft 365 environments.