By default, allow all Global Administrators to "Open another mailbox..."
Occasionally, I (as a Global Administrator) will need to access a user's mailbox. Currently, I have to add myself under their permissions to open their mailbox within OWA. I would like MS to turn this access on by default. If you're a Global Administrator, you should have access to everything by default, even users' mailboxes and OneDrive.
With 365, how can you open someone's mailbox if the admin account doesn't have an Exchange license?
This would be a nice feature to have for anyone that doesn't assign an Exchange license to global admins. We use dedicated admin accounts for small businesses we set up (1-5 users) and those admin accounts don't get a mailbox. In those cases it's difficult to help with support requests if we need access to a user's mailbox, and it typically devolves into a conversation where people want to give us their password to get things done, and they resist enabling 2FA because it prevents us from logging in to their mailbox when they need help.
I know that's not an ideal scenario, but that's the way it is for us. Small businesses don't want to pay for a license for a dedicated admin user, but they tend to be the type of users where a dedicated admin makes sense because they're not technical users, which means a higher risk of bad practices and vulnerability to things like phishing. Right now we end up adding a dedicated admin user that doesn't have any licenses assigned and live with the shortcomings caused by doing so.
My ideal scenario would be for any admin, including an option to allow it for delegated partner admins, with 2FA enabled to be able to open a user's mailbox even if the admin doesn't have a mailbox of their own. IMO, the way to deal with inappropriate access is via audit logs and company policy. Audit logs should be permanently enabled with an option to hide or show them to users. When accessing a mailbox the admin should have an option to add a note to the audit log which could be used to justify the access.
Dimas Ahmad Eka Putra commented
I disagree with this idea. Admins have responsibility and capability so big that people must trust us to be able to perform our job properly. It must not be a default option for all tenants. You should just use PowerShell if your company really needs this.
I disagree about the confidential and court order. When a person is a representative of a company and acting on their behalf - I disagree. It's company communication - not personal. If they want to discuss something personal - do it in your own personal mailbox.
Also, in troubleshooting, setup configuration, security, and protection of mail, an administrator process requires access. However, it should be held with discretion and respect. Some companies require logging of the access based on a request or project process, and this access is audited.
It's pretty simple, guys..
Allow admins to do it but alert the user first and allow them to accept or reject the request..
You can have principles all day long, but if I'm an administrator and I want to see your email, I can do that. Process and procedure, rules and ethics are one thing, but you can't let "law" fool you into believing your information is private when it's not. Laws are meant to be broken, and if they can be, I'd rather know about that than believe that because it shouldn't happen it won't. If I tell my executives, nope, can't see your email, I'd be lying to them. Isn't that a cause for concern in and of itself?
Gary Huber commented
My point was that only the owner of the mailbox or the courts should authorize access to that mailbox. No admin should be able to access mail without the owner's or courts' permission. Period. Of course George Orwell had other ideas.
Gary Huber commented
I disagree, member emails should be confidential and only accessed by court order.
This was the way our network was set up for years by default, and by default I mean - no one knew it worked like that until I started working and used the feature in OWA. Needless to say my boss was shocked (though he tried to hide his disbelief).
I switched us over recently to an Office 365 hybrid environment and the feature has stopped working, though in the online Outlook it still gives you the option to try and open another user's mailbox.
The way we handle it, and can afford to, is that I come out and tell all the directors and executives what we are capable of. They know that they have to trust us, and they know as admins we have to be responsible.
Surely there could be abuses, but I wouldn't be a successful IT director if I wasn't straightforward with them. Just because I have to do it individually, or with PowerShell commands, and it's not as easy as it used to be, doesn't mean I can fool myself into thinking that I as a global administrator, overlord of all of the IT systems, couldn't do something that was unethical if I wanted to. I have to be trustworthy.
If you're an admin, and there is general distrust from your higher-ups, the best you can do is continue to be straightforward with them about the limits of control.
This is a terrible idea. For those of you advocating for it, just run a script and give yourself access to every mailbox. Run it as a scheduled task and there you have it.
Theon Wier commented
I disagree, no admin should by default be allowed to view another user's email without either their consent or the direction of HR.
There are times that I have been asked to either review someone's mailbox or, because of privacy issues, give the HR director access to it. This access should NOT be a default setting; there needs to be an audit log of an Admin giving access rights to anyone other than the user.
Atiq Malik commented
Interesting comments. Those saying this should not be added have never worked in an admin capacity, I assume, because in the IT world there is always someone having access to whatever you can think of.
As far as legal implications go, it is quite the opposite: Having access to a user's mailbox -> policy enforcement = compliance.
Being an admin is not what many think. Think outside the box. Admins have the ability to delete your account and blow up your mailbox, delete corporate user accounts, delete backups, etc. Yes; it is much bigger than what you might think.
Admins are always responsible, going through a lot of training, certifications, background checks and scrutiny. End users have no idea what it takes to be an admin and the stress level. I can quote a famous case: Some admin somewhere had access to Hillary's mailbox. Remember?
So keep in mind there is always an admin able to access your mailboxes, bank accounts, etc :-)
Yes; I have access but it is too cumbersome. Please make it easy to troubleshoot user issues within minutes not hours. Thanks
Peter Wormald commented
You can change default permissions for new mailboxes with the PowerShell commands Get-MailboxPlan/Set-MailboxPlan.
I have no problem with the requirement for explicitly setting permissions; doing so is a good thing that enhances tracking and accountability, and even helps avoid mistakes and legal issues.
However, there needs to be an expedited or pre-staged capability for setting Global Administrators with access when needed so that troubleshooting is not interrupted for lengthy periods while waiting for updated permissions to take effect.
Please do not add this. If it must be done, make it a non-default and per-account option. This has huge potential legal and auditing implications. (I hope your GAs are using 2FA!)
Silke Roth commented
No, please not. The fact that an admin does not have access to user data is a very good feature. If asked you can always state that you don't have access.
Depending on the issue you have a lot of ways to troubleshoot, e.g. using PowerShell. Or you guide the user through the mailbox.
If you really need access to a user's mailbox, you can assign yourself the privileges, following the process you have in place (ask user for permission, add access right and remove access right, ...). Auditing tracks your activity and you have the evidence for the time frame you had access to user data.
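One way to put that grant-work-revoke process into a script, as an added example that is not from this thread or from Microsoft: it records a ticket-based justification, grants FullAccess without auto-mapping, revokes it when done, and then checks the unified audit log for the grant/revoke pair. It assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session; the mailbox, admin UPN and ticket number are placeholders.

```powershell
# Added example: time-boxed, justified access to a user's mailbox with audit verification.
# Assumes ExchangeOnlineManagement is installed and Connect-ExchangeOnline has already run.
# All identities below are placeholders.
param(
    [string]$TargetMailbox = 'user@contoso.example',   # placeholder
    [string]$AdminUpn      = 'admin@contoso.example',  # placeholder
    [string]$Ticket        = 'HELPDESK-0000'           # placeholder
)

$start = Get-Date
$justification = "Ticket $Ticket - troubleshooting, access approved by mailbox owner"

# 0. Review who already holds standing (non-inherited) rights on this mailbox before adding more.
Get-MailboxPermission -Identity $TargetMailbox |
    Where-Object { $_.User -notlike 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    Select-Object User, AccessRights

# 1. Make sure mailbox auditing is on so actions taken inside the mailbox are recorded.
Set-Mailbox -Identity $TargetMailbox -AuditEnabled $true

# 2. Grant FullAccess; -AutoMapping:$false keeps the mailbox from silently attaching to the admin's Outlook.
Add-MailboxPermission -Identity $TargetMailbox -User $AdminUpn `
    -AccessRights FullAccess -AutoMapping $false -Confirm:$false
Write-Host "$(Get-Date -Format o) GRANT $AdminUpn -> $TargetMailbox : $justification"

# ... the troubleshooting work happens here (e.g. "Open another mailbox..." in OWA) ...

# 3. Revoke as soon as the work is done so no standing delegation is left behind.
Remove-MailboxPermission -Identity $TargetMailbox -User $AdminUpn `
    -AccessRights FullAccess -Confirm:$false
Write-Host "$(Get-Date -Format o) REVOKE $AdminUpn -> $TargetMailbox"

# 4. Confirm the grant and revoke both landed in the unified audit log.
#    Ingestion lags, so an empty result right away means "check again later", not "not logged".
Search-UnifiedAuditLog -StartDate $start.AddMinutes(-5) -EndDate (Get-Date).AddMinutes(5) `
    -RecordType ExchangeAdmin -UserIds $AdminUpn `
    -Operations 'Add-MailboxPermission','Remove-MailboxPermission' |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation,
        @{ n = 'Parameters'; e = { ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } }
```

Pasting the printed GRANT/REVOKE lines and the audit query output into the ticket gives the evidence for the access window that the comment above refers to.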
No Name commented
Billing and password changes shouldn't be sent to all global administrators... need to be able to specify which emails the notifications go to.
As an admin for a small business it is a huge administrative burden to not have the ability to access other users' mailboxes. This is the easiest way to troubleshoot problems.
Betsy Sauther commented
As a global admin, I would support having an audit or testing item on the admin menu that allows me to open a user mailbox and documents why I have to access a user's mailbox. I have to do it all the time for a few reasons, testing and implementing email scenarios being a couple. With the lag in permissions/rights to a user's mailbox, it is very frustrating to have to wait for the delegation to "go through" the O365 system, because they are always changing things I suspect!... No reason why the access couldn't be documented for legal purposes. I wouldn't mind having to put a quick comment as to why the access was necessary. Just seems so lame to have to go to Exchange admin, put the required permissions in for myself, then trundle over to OWA as myself, then "open another user's mailbox".
John O'Reilly commented
Come on folks. We are in a position of trust. We know accessing the user's mailbox directly is by far the quickest way to resolve an issue; we are trusted NOT to snoop, and why would we?
We can give ourselves the required permissions, so what's the issue with having said permissions as a default? I also perform retrievals from an archiving system - do I read every email I retrieve? Of course I don't. Who's got the time, apart from anything else ;-)