How to Use Microsoft 365 Priority Accounts for Access Checks

Underwhelming Reaction to Microsoft 365 Priority Accounts

In a recent article, I review how to create Microsoft 365 priority accounts and how Microsoft sees these accounts being used. Essentially, Microsoft plans to roll out features which apply to priority accounts. The first two features are premium mail flow monitoring and account protection (alerts for which are shown in Figure 1).

Figure 1: Priority accounts show up in Microsoft 365 alerts

The reaction from readers wasn’t positive. Not really negative, but more of a “hummh… how uninteresting.” Some said that they already knew their priority accounts and already managed the service delivered to these accounts; others were underwhelmed by the features Microsoft have available to leverage priority accounts (more are planned in the future).

These are valid reactions. Depending on available resources, it can be easier to manage services in a small organization and larger organizations often invest in third-party monitoring or mail hygiene services to provide additional protection. Few will be convinced to drop these services to depend solely on Microsoft.

We’ll have to see what Microsoft delivers in the future to underline the value of priority accounts, but as any Microsoft 365 tenant can nominate priority accounts, they can be used to identify a set of accounts for your own purposes.

Checking Accounts

It’s common to mark certain accounts for specific processing or to allow access to an application or other resource. Out-of-the-box methods to store a set of accounts include:

  • An email distribution list.
  • A Microsoft 365 group.
  • A security group.
  • A custom mailbox attribute.

For instance, to check if someone is a member of a distribution list, we fetch the membership with the Get-DistributionGroupMember cmdlet and look for a match against the user’s mailbox alias:

# The original line was truncated here; "<user identity>" stands in for the UPN or alias of the account being checked
$UserAlias = (Get-ExoMailbox -Identity "<user identity>").Alias
If ((Get-DistributionGroupMember -Identity VIPUsers) -Match $UserAlias) {Write-Host "User is authorized"}

The same kind of check works against the membership of a Microsoft 365 Group:

If ((Get-UnifiedGroupLinks -Identity "Privacy Advocates" -LinkType Member) -Match $UserAlias) {Write-Host "User is authorized"}

While a check against a custom mailbox attribute could be something like:

If ((Get-ExoMailbox -Identity $UserAlias -Properties CustomAttribute1).CustomAttribute1 -eq "IT") {Write-Host "User is authorized"}

Given that priority users are marked with an (invisible) attribute returned by the Get-User cmdlet, we can perform a similar access check with:

If ((Get-User -IsVIP) -Match $UserAlias) {Write-Host "User is authorized"}
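
As an added example that is not part of the original article, the following PowerShell performs the same priority-account check but compares the resolved user principal name exactly instead of using the regex -Match operator, and denies access when an identity does not resolve cleanly. The function names are my own, and the code assumes an established Exchange Online PowerShell session.

```powershell
# Added example (not from the original article). Requires the Exchange Online
# module; run Connect-ExchangeOnline first. Function names are my own.

function Get-PriorityAccountSet {
    # Build a case-insensitive set of the UPNs of all priority accounts.
    # Get-User -IsVIP returns only the accounts flagged as priority accounts.
    $set = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    Get-User -IsVIP -ResultSize Unlimited | ForEach-Object {
        [void]$set.Add($_.UserPrincipalName)
    }
    return $set
}

function Test-PriorityAccountAccess {
    [CmdletBinding()]
    param(
        # Any identity Get-User accepts: UPN, alias, display name or GUID.
        [Parameter(Mandatory)] [string] $Identity,
        # Pass a pre-built set when checking many users, so the whole
        # priority list is not re-read on every call.
        [System.Collections.Generic.HashSet[string]] $PrioritySet
    )
    if (-not $PrioritySet) { $PrioritySet = Get-PriorityAccountSet }

    # Resolve the identity to exactly one account. An unknown or ambiguous
    # identity fails closed (deny) rather than matching something by accident.
    $user = @(Get-User -Identity $Identity -ErrorAction SilentlyContinue)
    if ($user.Count -ne 1 -or -not $user[0].UserPrincipalName) {
        Write-Verbose "Identity '$Identity' did not resolve to exactly one account"
        return $false
    }

    # Exact, whole-value comparison. The `-Match $UserAlias` form in the article
    # is a regex substring test, so an alias such as 'Ann' would also match a
    # priority account named 'JoAnn' and authorize the wrong person.
    return $PrioritySet.Contains($user[0].UserPrincipalName)
}

# Usage (the UPN below is a placeholder, not a real account):
# if (Test-PriorityAccountAccess -Identity 'someone@contoso.example') {
#     Write-Host "User is authorized"
# }
```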

Using groups or custom attributes allows more flexibility in marking accounts than adding them to the priority list does. However, I can see the value in using priority accounts as a form of access check if an organization already uses them for other purposes. Where there’s a will, there’s a way… or in the case of Office 365, where you need to do something, there are probably multiple ways to do it.

Office 365 is the gift that keeps on giving to writers. Keep focused and up to date with the most important developments by subscribing to the Office 365 for IT Pros eBook. The not-so-important stuff that doesn’t get into the book ends up here!
