How to receive emails sent to unlicensed privileged accounts
This article details how to receive emails sent to your unlicensed privileged accounts.
Panno
1/30/2025
The issue with unlicensed admin accounts.
When dealing with privileged accounts, the best practice is to ensure they are phishing resistant, and the best way to accomplish this is by ensuring the accounts do not have a mailbox attached. However, this can cause quite a few issues when the admin accounts are also meant to receive email notifications.
Typically, administrators have at least 2 accounts, known as their privileged account and their business account.
Privileged account: This account is only used to access sensitive systems and has the permissions needed to make changes. It will be MFA protected and made phishing resistant by ensuring that it does not have a license that would allow it to have a mailbox or communication channels (such as Teams).
Business account: This is the standard account that all employees have. It will be licensed and have a mailbox and access to various tools such as Teams. It will also likely be enabled for single sign-on to many applications, or used to register for SaaS applications that don't support SSO. This increases the risk factors, which is why privileged accounts are kept separate.
Ok, so how do you receive emails sent to your privileged account?
Exchange Online has a little-known but brilliant feature called plus addressing, and odds are you already have it enabled because it is enabled by default in Exchange Online. These addresses are also receive-only, and plus addressing is NOT supported by on-premises Exchange.
You can add this feature to any existing email address in your Entra tenant by simply adding the '+' symbol and the desired text (known as a tag). For example:
'Panno+Adm@contoso.com' will automatically deliver emails to 'Panno@contoso.com' which belongs to the standard account.
The best part? You can do this as many times as you need to. Do you need to approve PIM requests? "+Pim". Do you need to get risky sign-in alerts? "+riskyAlerts". Do you need to approve PAM requests? "+PamRequest".
What does this look like in Entra? Well, it's quite simple: all you need to do is update the Email attribute on the privileged account to the plus address.
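The same change can be scripted. The following is an added example, not part of the original article: it confirms plus addressing has not been disabled for the tenant, checks that the base address is a real mailbox and that the privileged account is unlicensed, then sets the Email attribute. It assumes cloud-only accounts and the ExchangeOnlineManagement and Microsoft.Graph.Users modules; the privileged UPN `adm-panno@contoso.com` is a constructed value.

```powershell
# Added example (not from the original article). Assumes cloud-only accounts.
# Requires the ExchangeOnlineManagement and Microsoft.Graph.Users modules.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Privileged account UPN -> plus address on the owner's business mailbox.
$map = @{
    'adm-panno@contoso.com' = 'Panno+Adm@contoso.com'   # UPN is a constructed value
}

# 1. Plus addressing is on by default, but an admin may have turned it off.
if ((Get-OrganizationConfig).DisablePlusAddressInRecipients) {
    throw 'Plus addressing is disabled in this tenant; +tag addresses will not resolve.'
}

foreach ($upn in $map.Keys) {
    $plus = $map[$upn]
    # Strip the "+tag" to get the mailbox that will actually receive the mail.
    $base = $plus -replace '\+[^@]*@', '@'

    # 2. The base address must belong to an existing mailbox.
    $mbx = Get-EXOMailbox -Identity $base -ErrorAction SilentlyContinue
    if (-not $mbx) {
        Write-Warning "$base is not a mailbox; skipping $upn"
        continue
    }

    # 3. The privileged account should be unlicensed (no mailbox of its own).
    $user = Get-MgUser -UserId $upn -Property 'id,userPrincipalName,mail,assignedLicenses'
    if ($user.AssignedLicenses.Count -gt 0) {
        Write-Warning "$upn has licenses assigned; review before changing its Email attribute"
        continue
    }

    # 4. Set the Email (mail) attribute to the plus address if it differs.
    if ($user.Mail -ne $plus) {
        Update-MgUser -UserId $user.Id -Mail $plus
        Write-Output "$upn : Email set to $plus (delivers to $base)"
    }
}
```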


The result
Below are 2 emails that were sent to the new plus address: one from the same Entra ID tenant, the other from Gmail, to show that this works for external applications as well.




Does it work with everything?
Unfortunately not. Plus addressing is not compatible with all email services, for example:
External emails sent to a hybrid Exchange server where mail is routed through the on-premises servers.
3rd-party mail filtering services may not support it (check with your vendor).
If you have issues with plus addressing, you can create contact cards and use mail transport rules to catch and redirect the email to the admin account, but that will involve a fair bit of administrative overhead depending on how many privileged accounts are in your environment and how many plus addresses they will need for each application.