We are often asked whether an admin account can be licensed for email. Should you do it?
TL;DR: No.
Do Admin Accounts Need an Email License?
In most cases, admin accounts do not need an email license, as their primary function is for administrative tasks. However, there are scenarios where enabling an email license might be beneficial:
- If you use the admin account to receive and manage alerts or reports directly.
- If the admin account is being used interactively, such as logging in to apps that require email functionality.
For security reasons, it’s typically better to have dedicated, licensed user accounts for daily activities and keep the admin accounts isolated and used solely for administration. For Cyber Essentials, account separation (removing daily tasks such as email, and the risks that come with them, from administrative accounts) is essential.
Can Admin Alerts Be Delivered Without a Mailbox?
Yes, admin alerts and notifications can still be delivered without the admin account having a licensed mailbox.
Here's how:
Alternate Email Address for Notifications:
You can configure an alternate email address for each admin in Entra ID (Azure Active Directory). This alternate email address will receive important notifications such as password resets, alerts, and critical updates. To configure it:
- Navigate to the Azure AD admin centre.
- Go to Users > Select the admin account > Contact Info.
- Add an alternate email address where notifications should be sent.
Group or Shared Mailboxes:
Instead of assigning a mailbox license to an admin account, you can route alerts to a shared mailbox or distribution group. This is useful for collaborative teams and doesn't require an additional license.
Dedicated Notification System:
Set up a licensed generic account (e.g., adminalerts@yourdomain.com) to receive all admin-related notifications and configure admin alerts to be forwarded here.
Security Best Practices for Admin Accounts
It’s generally recommended to:
- Avoid Assigning Licenses to Admin Accounts:
- This minimizes exposure of these accounts in applications or environments beyond administrative purposes.
- Use Privileged Identity Management (PIM):
- PIM in Azure AD lets you grant just-in-time access to admin roles, reducing the time an account holds elevated privileges. Use it to elevate a dedicated admin account that has no access until activated, not to elevate a day-to-day user account.
- Enable Multi-Factor Authentication (MFA):
- Ensure that all admin accounts (all accounts, but we are talking about admin here) are protected with MFA, especially if email is enabled.
- Audit and Monitor:
- Use Microsoft Sentinel or other monitoring tools to track unusual activity tied to admin accounts.
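The alternate-email configuration and the "avoid licenses, audit admin accounts" advice above can be checked in one pass from PowerShell. This is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), a caller permitted to read role membership and update users, and a role name and alert address of your choosing (adminalerts@yourdomain.com is a placeholder).

```powershell
# Added example: report members of a privileged directory role that still hold
# licenses or lack an alternate notification email; -Fix writes the alternate email
# (the same field the portal shows under Contact Info) to a shared alert address.
param(
    [string]$RoleName  = 'Global Administrator',       # directory role to audit
    [string]$AlertMail = 'adminalerts@yourdomain.com', # placeholder shared alert mailbox
    [switch]$Fix                                       # when set, populate missing OtherMails
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.ReadWrite.All' -NoWelcome

# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' is not activated in this tenant." }

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
    # Role members may be groups or service principals; only users carry licenses/OtherMails.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,OtherMails
    $skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuPartNumber)
    $alt  = @($user.OtherMails)

    if ($Fix -and $alt.Count -eq 0) {
        # Same setting as Users > admin account > Contact Info > alternate email.
        Update-MgUser -UserId $user.Id -OtherMails @($AlertMail)
        $alt = @($AlertMail)
    }

    [pscustomobject]@{
        Admin          = $user.UserPrincipalName
        Licensed       = ($skus.Count -gt 0)       # any license on an admin account is a finding
        Licenses       = ($skus -join ';')
        AlternateEmail = ($alt -join ';')
        Finding        = @(
            if ($skus.Count -gt 0) { 'remove-license' }
            if ($alt.Count -eq 0)  { 'no-alternate-email' }
        ) -join ','
    }
}

# Licensed admins first, so the accounts that violate the separation rule stand out.
$report | Sort-Object Licensed -Descending | Format-Table -AutoSize
```

Run it without -Fix first to review the findings; the Licenses column tells you which SKUs to remove before the account is treated as administration-only.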
Conclusion
It’s generally unnecessary to assign an email license to admin accounts in Entra ID/Office 365. Admin alerts and notifications can be routed to alternate or shared email addresses, keeping admin accounts focused solely on administrative duties while maintaining security and efficiency.