Note: Starting in March 2017, Microsoft is removing Site Mailboxes in SharePoint Online.

Issue

As organizations move their corporate data to OneDrive for Business, security and compliance officers want to ensure that access and services within OneDrive for Business are limited to folder and file access. A challenge with OneDrive for Business is that it is a SharePoint My Site. Since everyone is the owner of their own OneDrive for Business site, the end-user can add Office 365 apps. One of the more concerning apps is the Site Mailbox app that allows end-users to send email messages from their My Site to external recipients. Many organizations are not aware of this limitation. When they find out, however, security and compliance managers require this feature to be disabled immediately.

Background

Why would we want to prevent Site Mailboxes from being created when Onsite mailboxes are being utilized? A Site Mailbox can be created within a user’s My Site and can be employed to send email messages to internal and external recipients. The email content is not stored within the user’s mailbox but is stored in a special mailbox in Exchange Online called a site mailbox. If you were to run an eDiscovery report against the user’s mailbox, the content stored in the site mailbox would not be returned.

The email below is stored in the Site Mailbox and not the end-user’s mailbox.


We can run a report to see Site Mailboxes that have been created and discern the owner of Site Mailboxes. However, we are unable to block the Site Mailbox app from SharePoint Online or change the owner of a Site Mailbox.


Solution

The creation and management of Site Mailboxes is performed in Exchange Online. It does not matter if the user has a mailbox associated with their account in Exchange Online. To turn off Site Mailboxes for all, or some of the OneDrive for Business users, permissions are updated within Exchange Online.

Exchange Online uses RBAC to provide user-level permissions within a user's mailbox and the ECP. Understanding user-level RBAC permissions falls outside the scope of this blog; more information can be found here.

The RBAC management role MyTeamMailboxes is the role that gives users access to a Site Mailbox within SharePoint Online. RBAC was introduced in Exchange Server 2010; the MyTeamMailboxes management role was added in Exchange Server 2013 and is carried over to Exchange Online and Exchange Server 2016. The definition of the MyTeamMailboxes management role can be found by following this Microsoft link.

Now that we know the management role that needs to be removed, the change needs to be applied within Exchange Online. When a Site Mailbox is created, the default RBAC role assignment policy is applied to the Site Mailbox. This means that if we want to prevent the use of Site Mailboxes, we need to create a new role assignment policy, leave the MyTeamMailboxes management role out of it, and mark the new role assignment policy as the default role assignment policy within Exchange Online.

From the RBAC GUI (link), connect to the Office 365 tenant.

Create a new role assignment policy and assign to it all the management roles in the Default Role Assignment Policy, excluding the MyTeamMailboxes management role.


From Exchange Online, change the default role assignment policy to the newly created role assignment policy.
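The same change can be scripted in Exchange Online PowerShell instead of the RBAC GUI. The following is an added example, not code from the original post; it assumes an existing Exchange Online session (Connect-ExchangeOnline) and uses a hypothetical policy name. It also adds a check that the new policy really omits MyTeamMailboxes, and reassigns existing mailboxes, since marking a policy as default only affects mailboxes created afterwards.

```powershell
# Added example: build a role assignment policy without MyTeamMailboxes and
# make it the default. Assumes an active Exchange Online PowerShell session.
$NewPolicyName = 'No Site Mailbox Role Assignment Policy'   # hypothetical name

# 1. Read the management roles granted by the current default policy.
$defaultPolicy = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
$defaultRoles  = Get-ManagementRoleAssignment -RoleAssignee $defaultPolicy.Name |
                 ForEach-Object { [string]$_.Role }

# 2. Keep every role except MyTeamMailboxes.
$keptRoles = $defaultRoles | Where-Object { $_ -ne 'MyTeamMailboxes' }

# 3. Create the new policy with the reduced role set and mark it as default.
New-RoleAssignmentPolicy -Name $NewPolicyName -Roles $keptRoles `
    -Description 'Default Role Assignment Policy minus MyTeamMailboxes'
Set-RoleAssignmentPolicy -Identity $NewPolicyName -IsDefault -Confirm:$false

# 4. Verify: the new policy must not grant MyTeamMailboxes through any assignment.
$leak = Get-ManagementRoleAssignment -RoleAssignee $NewPolicyName |
        Where-Object { [string]$_.Role -eq 'MyTeamMailboxes' }
if ($leak) { throw "MyTeamMailboxes is still assigned to '$NewPolicyName'" }

# 5. A new default only applies to mailboxes created from now on; existing
#    mailboxes keep their old policy, so move them over explicitly.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { [string]$_.RoleAssignmentPolicy -ne $NewPolicyName } |
    Set-Mailbox -RoleAssignmentPolicy $NewPolicyName
```

Run step 5 in a maintenance window for large tenants, and re-run the step 4 check after any later edit to the policy.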


The end-user can still add the Site Mailbox app.


However, the user will get the error below when they try to access the Site Mailbox.
