Office 365 for IT Pros

Unexpected Microsoft Defender for Office 365 License Requirement for Shared Mailboxes

Microsoft Defender for Office 365 Requires Licenses for Shared Mailboxes

If a Tenant Has Microsoft Defender for Office 365, Its Shared Mailboxes Need Licenses

When discussing the need to license Exchange Online shared mailboxes, the usual answer is that Exchange Online Plan 2 licenses are needed when shared mailboxes have an extended quota (100 GB instead of 50 GB), an archive mailbox, or are on litigation hold. In other areas of functionality, like Microsoft 365 retention policies, Microsoft makes it clear that no licenses are needed unless premium features like auto-label policies or adaptive scopes are used.

The usual line taken by Microsoft for licensing shared mailboxes is anchored on the features available in Exchange Server. For example, basic retention processing doesn’t require licenses because Exchange Server includes similar retention policies. But Exchange Server doesn’t support adaptive scopes, so use of that feature creates the need for licenses.

Microsoft Defender for Office 365 Plan 1 and Plan 2

This brings me neatly to the question of licensing shared mailboxes for Microsoft Defender for Office 365 (MDO), an advanced version of Exchange Online Protection (EOP) that offers significantly better protection against threats communicated in email. MDO is available in two plans: MDO Plan 1, which is for small to medium businesses and is included in SKUs like Microsoft 365 Business Premium, and MDO Plan 2, which is targeted at enterprises but can be bought and deployed by SME tenants.

From an enterprise perspective, the thing to remember is that MDO Plan 2 is only included in E5 SKUs like Microsoft 365 E5 (see this chart for more information). Figure 1 shows the Threat Analytics feature licensed by MDO Plan 2.

Figure 1: Microsoft Defender for Office 365

The MDO service description says that shared mailboxes in MDO Plan 1 tenants must have licenses if the mailboxes “benefit from Defender for Office 365 protections.” No further guidance is given to define how shared mailboxes benefit from MDO, but given that MDO includes features like Safe Attachments and Safe Links, you could say that any shared mailbox that receives email from external senders benefits from malware scanning and threat protection performed by MDO. And because any shared mailbox can send and receive email, Microsoft considers that all shared mailboxes need MDO licenses.

The situation is simpler for enterprise tenants because the guidance here is that MDO licenses are required for “All shared mailboxes on the tenant.” In effect, this means that any Microsoft 365 tenant that implements the features licensed by Microsoft Defender for Office 365 Plan 2 (see the service description) because they have acquired some E5 licenses must license all shared mailboxes for MDO. In fact, the text of the Microsoft Defender for Office 365 service description goes on to say that user accounts that don’t have E5 licenses must also be licensed for MDO. The text says that licenses must be acquired for “All Exchange Online users on the tenant. This is because Plan 2 features and capabilities protect all users in the tenant.”

The Sudden Realization that Shared Mailboxes Need MDO Licenses

I’m not sure that many tenants with MDO understand the need to license shared mailboxes. The MDO Plan 2 license costs $5/month with a 12-month commitment, or $60 per shared mailbox annually. Some organizations make heavy use of shared mailboxes, including as a method to preserve mailboxes for ex-employees (inactive mailboxes are the recommended approach). A thousand shared mailboxes will therefore rack up an unexpected $60,000 bill, and that amount doesn’t include any additional licenses that might be needed to bring non-E5 mailboxes into compliance.

I haven’t heard of any Microsoft campaign to make tenants aware of how MDO licensing works for shared mailboxes, nor is there a code check in Outlook to detect and advise when MDO licenses are necessary. The Exchange Admin Center (EAC) includes an option to switch a user mailbox to a shared mailbox, and that option doesn’t warn administrators about potential licensing requirements.

To be honest, I was unaware of the need until I read the service description after being asked if shared mailboxes needed MDO licenses because a customer had been unexpectedly told that the licenses were required. I suspect that many others are in the same state of blissful licensing ignorance.

Unexpected Painful Costs

Any unexpected cost is bad news. Suddenly discovering that a tenant has a batch of unlicensed shared mailboxes is firmly in that category. Discovering that some user accounts that don’t have E5 licenses might need MDO licenses is also painful. There’s nothing good to report here.
