Azure AD Admin & PIM Account Email Forwarding
Administrative accounts without a mailbox that still receive notifications in the primary mailbox - how does it work?
Best practice is to create and use dedicated administrative accounts to manage Azure and Microsoft 365. These accounts should be governed by an RBAC concept and PIM (Privileged Identity Management) and should not have a mailbox (Exchange Online) license, to minimize the attack surface.
However, notifications such as PIM alerts or other alerts still need to reach the person behind the admin account.
This requirement can be met with the Exchange “+” address format (plus addressing).
The following example shows the functionality and configuration of the feature.
Start situation / Example scenario
Our IT employee Alex Wilber “AlexW@M365x57.OnMicrosoft.com“ has a user account in the company with a corresponding Microsoft 365 license and a mailbox.
Furthermore our IT employee Alex Wilber has another Azure AD Admin Account “adm.AlexW@m365x57487439.onmicrosoft.com“.
As described, this admin user “adm.AlexW@m365x57487439” has no licenses assigned, so no mailbox is provisioned. In this example, the “Global Administrator” role was also assigned to the user via PIM.
Configuring notification forwarding - plus addresses
To forward the notification from our admin account “adm.AlexW@m365x57487439.onmicrosoft.com“ to our user primary mailbox “AlexW@M365x57487439.OnMicrosoft.com“, we configure the admin account in Azure AD as below.
Open the user administration in Azure AD and edit the corresponding admin user. If you try to add the email address of your default user (“AlexW@M365x57.OnMicrosoft.com“), you will get an error message (“Update would cause the user to have a proxy address already present on another directory object.”).
This is where plus addressing comes in: extend the email address to which the mails should be forwarded with a tag, for example “+ADM”.
Email Admin Account: “AlexW+ADM@M365x57487439.OnMicrosoft.com“
Exchange Online resolves the email address “AlexW+ADM@M365x57487439.OnMicrosoft.com“ without the “+” and associated tag (“+ADM”) so that the notification is sent to AlexW@M365x57487439.OnMicrosoft.com.
If we then enable the PIM role Global Administrator of the admin account “adm.AlexW@m365x57487439.onmicrosoft.com“, we will receive the notification in our user mailbox.
In the past, email addresses could contain “+” characters as ordinary characters of the address. However, Microsoft enabled plus addressing by default in all Exchange Online organizations at the beginning of 2022.
This configuration can be checked and adjusted using PowerShell, as described below.
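As an added example (not code from the original post), the following PowerShell check verifies the setup described above: plus addressing is enabled tenant-wide, the admin account owns no mailbox, and its email attribute, with the “+tag” stripped, is a proxy address of the primary mailbox. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules with existing sessions; the function names are this example's own.

```powershell
# Added example, not code from the original post. It checks that a mailbox-less
# admin account's notification address is a plus address of a licensed user's
# primary mailbox and that Exchange Online will actually strip the "+tag".
# Assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules with
# existing sessions (Connect-ExchangeOnline; Connect-MgGraph -Scopes 'User.Read.All').
# Function names are this example's own; account names are the post's sample tenant.

function Resolve-PlusAddress {
    # Returns the address Exchange Online delivers to: "alias+tag@domain" becomes
    # "alias@domain"; an address without a tag is returned unchanged.
    param([Parameter(Mandatory)][string]$Address)
    if ($Address -match '^(?<local>[^+@]+)\+[^@]+@(?<domain>[^@]+)$') {
        return '{0}@{1}' -f $Matches.local, $Matches.domain
    }
    return $Address
}

function Test-AdminNotificationAddress {
    param(
        [Parameter(Mandatory)][string]$AdminUpn,    # e.g. adm.AlexW@m365x57487439.onmicrosoft.com
        [Parameter(Mandatory)][string]$PrimaryUpn   # e.g. AlexW@M365x57487439.OnMicrosoft.com
    )
    # 1. Plus addressing must not be turned off tenant-wide (it is on by default since 2022).
    if ((Get-OrganizationConfig).DisallowPlusAddressInRecipients) {
        Write-Warning 'Plus addressing is disabled: Set-OrganizationConfig -DisallowPlusAddressInRecipients $false'
        return $false
    }
    # 2. The admin account itself must not own a mailbox (no Exchange Online license).
    if (Get-EXOMailbox -Identity $AdminUpn -ErrorAction SilentlyContinue) {
        Write-Warning "$AdminUpn has its own mailbox; notifications would land there instead."
        return $false
    }
    # 3. The admin account's mail attribute must carry a +tag ...
    $adminMail = (Get-MgUser -UserId $AdminUpn -Property Mail).Mail
    if (-not $adminMail -or $adminMail -notmatch '\+') {
        Write-Warning "$AdminUpn has no plus address set as its email ($adminMail)."
        return $false
    }
    # 4. ... and, with the tag stripped, must be a proxy address of the primary mailbox.
    $target  = Resolve-PlusAddress -Address $adminMail
    $proxies = (Get-EXOMailbox -Identity $PrimaryUpn -Properties EmailAddresses).EmailAddresses |
               ForEach-Object { $_ -replace '^smtp:', '' }   # strip the "SMTP:"/"smtp:" prefix
    return [bool]($proxies -contains $target)   # -contains compares strings case-insensitively
}

# Example call with the post's accounts; $true means PIM mail will reach Alex's primary mailbox.
Test-AdminNotificationAddress -AdminUpn 'adm.AlexW@m365x57487439.onmicrosoft.com' `
                              -PrimaryUpn 'AlexW@M365x57487439.OnMicrosoft.com'
```

Running this periodically for every PIM-eligible admin account catches the two silent failure modes: a tenant where plus addressing was switched off, and an admin account that later received a mailbox license and now swallows its own alerts.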