Anyone working for a Microsoft Cloud Solution Provider (CSP for short) knows the hassle of managing multiple personal and impersonated accounts across various customer tenant directories. When you want to utilize Microsoft Entra’s notification features that require an email address, it can be tempting to assign licenses to admin accounts, but this approach carries unnecessary security risks. Instead of opening up these accounts to additional attack vectors, there’s a better way to receive those crucial notifications.
In this blog post, I’ll show you how to configure your administrator user account to receive email notifications without assigning a license. I’ll also explain how to differentiate these emails for specific customers using a method called plus addressing, making it easier to manage your communications efficiently.
Understanding Plus Addressing in Exchange Online
Plus addressing, also known as subaddressing, allows users to create unique email addresses by appending a “+” sign and a tag to their existing email address. For example, an address like [email protected] can be utilized to streamline and filter incoming emails. This feature simplifies managing and organizing messages from various sources, making it easier to track administrative notifications.
Fortunately, plus addressing is enabled by default in Exchange Online. To verify its activation in your organization, follow these steps:
- Activate the Entra ID role Exchange Administrator (least privilege)
- Log in to the Exchange Admin Center.
- Select Settings → Mail Flow.
- Check the “Turn off plus addressing for your organization” checkbox, and click Save.
You can also check the status of plus addressing using PowerShell. Connect to Exchange Online PowerShell and run the following command:
Get-OrganizationConfig | Select-Object -Property DisablePlusAddressInRecipients
If the output is False, then plus addressing is enabled for your organization.
How Plus Addressing Works
The beauty of plus addressing lies in its ability to create unique email addresses for administrative purposes without needing a separate licensed mailbox. When you generate a plus address for an account, Exchange treats it as a distinct email address while still linking it to the primary mailbox.
For instance, let’s say I’m an admin for two companies: “Duo Infernale” and “Handel Falken.” My primary email address, [email protected], resides in the “Duo Infernale” tenant, and I have an admin account for each company. To differentiate incoming emails for admin-related notifications, I can assign the email address [email protected] in the “Duo Infernale” tenant. Similarly, in the “Handel Falken” tenant, I can assign the email address [email protected] to my admin account there.
This way, I can effectively manage notifications from both companies without the need for separate licensed mailboxes, allowing for better organization and security.
Assigning a Plus Address to Your Admin Account
You can easily configure a plus address for your unlicensed admin account by following these steps:
- Activate the Entra ID role User Administrator (least privilege)
- Log in to the Microsoft Entra Admin Center.
- Navigate to Identity → Users → All Users.
- Select your admin user, then click Properties > Edit Contact Information.
- Add your plus address to the Email Contact field and click Save.
Alternatively, if you have Microsoft Graph PowerShell installed, you can achieve this with the following command:
Connect-MgGraph -Scopes User.ReadWrite.All
Update-MgUser -UserId [email protected] -Mail [email protected]
Once this process is complete, your admin user should display the new plus address in the email field.
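A scripted version of the steps above, as an added example that is not the author's code: it builds the plus address from a primary address and a tenant tag, warns if the admin account has a license assigned, sets the Mail property and reads it back. The function names and every address shown are hypothetical placeholders.

```powershell
# Added example; function names and addresses are hypothetical placeholders.
function New-PlusAddress {
    param(
        [Parameter(Mandatory)][string]$PrimaryAddress,
        [Parameter(Mandatory)][string]$Tag
    )
    # Reject malformed input and addresses that already carry a plus tag.
    if ($PrimaryAddress -notmatch '^(?<local>[^@+\s]+)@(?<domain>[^@\s]+)$') {
        throw "Primary address '$PrimaryAddress' is malformed or already tagged."
    }
    # Save the captures now: the next successful match overwrites $Matches.
    $localPart = $Matches.local
    $domain    = $Matches.domain
    if ($Tag -notmatch '^[A-Za-z0-9._-]+$') {
        throw "Tag '$Tag' contains characters not allowed in this example."
    }
    '{0}+{1}@{2}' -f $localPart, $Tag.ToLower(), $domain
}

function Set-AdminNotificationAddress {
    param(
        [Parameter(Mandatory)][string]$AdminUpn,
        [Parameter(Mandatory)][string]$PrimaryAddress,
        [Parameter(Mandatory)][string]$Tag
    )
    $user = Get-MgUser -UserId $AdminUpn -Property Id, UserPrincipalName, Mail, AssignedLicenses
    # The approach relies on the admin account staying unlicensed.
    if (@($user.AssignedLicenses).Count -gt 0) {
        Write-Warning "$AdminUpn has a license assigned; review before continuing."
    }
    $target = New-PlusAddress -PrimaryAddress $PrimaryAddress -Tag $Tag
    if ($user.Mail -ne $target) {
        Update-MgUser -UserId $user.Id -Mail $target
    }
    # Read back what the directory now holds for this account.
    Get-MgUser -UserId $user.Id -Property UserPrincipalName, Mail |
        Select-Object UserPrincipalName, Mail
}

Connect-MgGraph -Scopes 'User.ReadWrite.All'
Set-AdminNotificationAddress -AdminUpn 'adm-jdoe@customer.example' `
    -PrimaryAddress 'jdoe@home.example' -Tag 'customer'
```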
Examples for Email Notifications & Testing Email Notifications
With plus addressing, you have multiple options for utilizing your dedicated email addresses across various administrative functions to get notifications.
For example:
- In the portal settings, you can configure notifications for tenant events
- User at risk detection alerts
- Multi-Factor Authentication (MFA) fraud alerts
- Enterprise Application consents
- Privileged Identity Management (PIM) role activations
- And many more
When you directly assign a user to receive notifications, the system automatically captures the associated email address, ensuring that notifications are sent to the designated plus address. If you need to manually enter an email address, simply use the relevant plus address you configured earlier.
After setting up the plus address, it’s crucial to test the email flow to confirm that notifications are being received as expected. For example, in my environment, all admins are automatically notified when an administrator’s Entra ID role is activated (eligible). I didn’t configure additional recipients for this type of notification on the Entra ID roles, but thanks to the plus addressing feature, I still receive alerts for role activations.
In this instance, when the AI Administrator role was activated within the “Duo Infernale” tenant, the notification was sent to my primary mailbox but was addressed to the plus address. This makes it easy to differentiate the source of notifications in my inbox, helping me manage and organize notifications effectively.
The Benefits of Plus Addressing for CSPs and Multi-Admin Environments
This method is especially beneficial for Microsoft CSPs managing multiple personalized admin users across various customer tenants. By utilizing plus addressing, CSPs can ensure that communications are organized and easily identifiable, without exposing privileged accounts to potential security risks when assigning a mailbox. Each admin can receive notifications while retaining the security and management benefits of not assigning productivity licences unnecessarily.
Conclusion
Receiving Entra admin notifications without a licensed mailbox is not only possible but also a smart practice. By utilizing plus addressing, organizations can maintain proper security measures for their privileged accounts while ensuring that important communications are received in a manageable manner. Embrace this method for a safer and more efficient administrative experience!