Exclude shared mailboxes from a dynamic group
Would you like to automatically exclude shared mailboxes from a dynamic group? They are essential for collaboration in teams and departments, providing an easy way to centrally manage emails accessible to multiple people.
However, shared mailboxes can also pose challenges for the IT department, as they might unintentionally become members of dynamic groups. Dynamic groups are often created based on attributes and rules, and shared mailboxes may be included if the filtering criteria aren’t precise enough. With our DynamicGroup solution, you define rules to reliably exclude shared mailboxes.
Why do shared mailboxes end up as unwanted members of dynamic groups?
Shared mailboxes are treated like user objects in Active Directory (AD). This means they have similar attributes to regular user accounts.
Dynamic groups are based on rules defined by attributes. If these rules aren’t specific enough, shared mailboxes can automatically be included in these groups, even though they are not intended to access certain resources.
For example, a rule that includes all objects with an attribute like “Department=Sales” could also include shared mailboxes if they share this attribute.
What are the consequences?
Shared mailboxes being added to the wrong dynamic groups can lead to unwanted effects, such as:
- Licensing and resource consumption: Shared mailboxes often don’t require licenses, but if they’re included in dynamic groups with regular users, it could lead to licensing issues or unnecessary resource consumption.
- Permissions and security: Shared mailboxes usually have different permissions than personal mailboxes. If they’re included in a group set up for specific access rights, the wrong people might gain access.
- Automation errors: Automated processes using dynamic groups (e.g., for emails or permissions) could be disrupted by the inclusion of shared mailboxes.
Case study: Avoiding incorrect mailbox assignments in dynamic groups
A company with around 500 employees, including a sales department of 50 users, regularly faced the issue of shared mailboxes being incorrectly added to dynamic groups. This was particularly critical in the sales department, where dynamic groups were used to control access to confidential customer information in SharePoint and Microsoft Teams.
The problem occurred because the dynamic group was initially defined based on the attribute “Department=Sales” without additional restrictions. This resulted in not only employee mailboxes, but also shared mailboxes like “Sales@company.com” and “CustomerSupport@company.com” being added to the group.
Manual solution with PowerShell
Before implementing DynamicGroup, the IT department had to intervene regularly, using PowerShell to search for shared mailboxes and remove them from dynamic groups by hand.
Script workflow:
1. Retrieve all users from the group.
2. For each user, check if they have a shared mailbox in Exchange.
3. If a shared mailbox is found, remove the user from the dynamic group.
4. Users with a user mailbox remain in the group.
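The four steps above as a PowerShell script; this is an added example, not the script the company actually used. It assumes the RSAT ActiveDirectory module, an Exchange session that provides Get-Mailbox, and a placeholder group name.

```powershell
# Added example (not the page's original script): remove shared mailboxes
# from one group. Assumes RSAT ActiveDirectory and an Exchange session
# (on-prem or Exchange Online) that exposes Get-Mailbox.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)][string]$GroupName   # e.g. 'Dyn-Sales' (placeholder)
)

Import-Module ActiveDirectory

# Step 1: retrieve all user objects that are members of the group
$members = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($member in $members) {
    # Step 2: ask Exchange which kind of recipient backs this account
    $mbx = Get-Mailbox -Identity $member.SamAccountName -ErrorAction SilentlyContinue
    if (-not $mbx) {
        Write-Verbose "$($member.SamAccountName): no mailbox, left in group"
        continue
    }

    if ($mbx.RecipientTypeDetails -eq 'SharedMailbox') {
        # Step 3: shared mailbox found -> remove it (honours -WhatIf / -Confirm)
        if ($PSCmdlet.ShouldProcess($member.SamAccountName, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $GroupName -Members $member -Confirm:$false
            Write-Output "Removed shared mailbox $($mbx.PrimarySmtpAddress) from $GroupName"
        }
    }
    else {
        # Step 4: accounts with a user mailbox stay in the group
        Write-Verbose "$($member.SamAccountName): $($mbx.RecipientTypeDetails), kept"
    }
}
```

Run it with -WhatIf first to see which members would be removed without changing the group.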
With DynamicGroup, this process is now automated, saving time and reducing the risk of errors during manual maintenance.
Solution with DynamicGroup
With the introduction of DynamicGroup, a precise rule was added to automatically exclude shared mailboxes based on an unused attribute.
Step 1 – Identify the relevant attributes: First, define a unique attribute for shared mailboxes. This could, for example, be an attribute that you do not otherwise use. In our case, it is “FaCustom1=Shared”, which identifies all shared mailboxes to exclude: for every shared mailbox, the attribute is set to “Shared”.
Step 2 – Adjust the DynamicGroup rules: In DynamicGroup, you can configure rules so that shared mailboxes that have the attribute “FaCustom1=Shared” are automatically excluded from group membership.
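Steps 1 and 2 in PowerShell, as an added example that is not DynamicGroup's own code: it stamps every shared mailbox with FaCustom1=Shared and then checks, via an equivalent LDAP filter, that a "Department=Sales minus FaCustom1=Shared" rule matches no shared mailbox. It assumes the AD schema contains the FaCustom1 attribute named on this page, the RSAT ActiveDirectory module, and an Exchange session for Get-Mailbox; DynamicGroup's rule editor itself is configured separately and is not shown.

```powershell
# Added example (not DynamicGroup's code). Assumes the FaCustom1 attribute
# from this page exists in the AD schema, plus RSAT AD and an Exchange session.
Import-Module ActiveDirectory

# All shared mailboxes, by SamAccountName, straight from Exchange
$sharedAccounts = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Select-Object -ExpandProperty SamAccountName

# Step 1: mark each shared mailbox with the otherwise unused attribute
foreach ($sam in $sharedAccounts) {
    Set-ADUser -Identity $sam -Replace @{ FaCustom1 = 'Shared' }
}

# Step 2 (verification): the intended rule, expressed as an LDAP filter:
# department is Sales AND FaCustom1 is NOT Shared
$filter = '(&(department=Sales)(!(FaCustom1=Shared)))'
$matched = Get-ADUser -LDAPFilter $filter -Properties department, FaCustom1

# Sanity check: none of the matched objects may be a shared mailbox
$leak = $matched | Where-Object { $sharedAccounts -contains $_.SamAccountName }
if ($leak) {
    Write-Warning "Shared mailboxes still matched: $($leak.SamAccountName -join ', ')"
}
else {
    Write-Output "$(@($matched).Count) Sales users matched, no shared mailboxes"
}
```

Re-run the verification part after new shared mailboxes are created; an untagged one would appear in the warning.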
Thanks to this adjustment, only regular users in the sales department are now added to dynamic groups, while shared mailboxes are reliably excluded. The IT department was able to ensure that only authorized individuals had access to sensitive customer data.
Conclusion
With DynamicGroup, companies can efficiently manage dynamic groups while specifically excluding shared mailboxes. This streamlines IT administration, reduces security risks, and creates a leaner structure that can be quickly adjusted to changing needs. By precisely controlling group memberships, administrators save valuable time and ensure that only the right users have access to the appropriate resources.
About FirstAttribute AG
FirstAttribute is an independent cloud service and software company specializing in Identity & Access Management (IAM) for AD and M365/Entra ID. Learn more about our team at Company.
DynamicGroup has been a popular tool for AD administrators for many years to coordinate and securely manage group memberships in AD. The application is used worldwide by companies in various industries. Continuous updates ensure that the application meets growing IT demands and does exactly what it promises.
DynamicSync is automation software for cloud groups. As a pure cloud service (SaaS), DynamicSync specializes in dynamic and automatic group synchronizations in Entra ID.