On August 9th we received the following email from the university's central office of IT:
Here is a list of mailboxes currently scheduled to be upgraded to Exchange Online on August 22, 2019. I plan to send an email to the affected users on Friday afternoon of the week before to alert them to the change, so we need to work together to finalize the list before noon on August 16, 2019.
For the upgrade, please let us know the following as soon as possible:
- Did we identify the mailboxes using the correct group(s)?
- Have we missed any that should be upgraded at the same time?
- Are there any other resource mailboxes (rooms or equipment), or shared mailboxes that you own?
- Have we identified the correct CSR?
- Will the CSR and support staff be available on the upgrade date?
- Would you like to have your mailbox migrated ahead of time as a pilot?
- Do you have any other questions or concerns?
Note: Generic mailboxes (accounts accessed by password rather than by Net ID credentials) cannot move to Exchange Online because of the requirement for Duo Multi-Factor Authentication. We would appreciate your help in identifying generic mailboxes and the users of those mailboxes so that they can be converted before August 16, 2019, ahead of the upgrade. Adam Cable will be your main point of contact for converting the generic mailboxes.
Conversion of Generic Mailbox to Shared Mailbox
The main problem with generic mailboxes is lack of accountability. Not only is the mailbox not associated with a particular Net ID, but there may be multiple individuals (including former employees) who know the password. To be secure, best practice (and Exchange Online) requires Multi-Factor Authentication. With multiple users, possibly from multiple locations, it would be difficult or impossible for each user to respond to a personalized Duo challenge.
Generic mailboxes can be converted to a Shared mailbox associated with the department, and the users would use their own credentials to access the Shared mailbox. (The transition will be much smoother if done before the user mailboxes are migrated to the cloud.)
If a particular generic mailbox is assigned to an individual, in the individual's name, it can be converted into a standard or student employee mailbox connected to their Net ID.
Conversion can be done in two steps:
- The users will be given Full Access permissions to the mailbox so that they can transition to accessing it with their own credentials.
- When all users are no longer using the generic account's password, the mailbox will be converted to an Exchange Shared mailbox. This will disable the account for direct logons.
We can give permissions based on user accounts or groups:
- If individual users are assigned, an Exchange administrator would need to make future adjustments.
- If a group, such as a Gro group, is assigned, then the owner of the group can make the adjustments. (Using a group is preferred.) Note that group membership can take up to an hour and a half to be synced to the cloud, so changes will not be reflected immediately.
Every user will need their own credentials, so mailboxes may need to be created for student employees. These will need to be associated with a department account ID, but will initially be charged to the Email Hardening Pilot. Note that student employee email addresses will have the student's first name plus a 4-digit number selected randomly.
How Shared Mailboxes Behave Differently from Generic Mailboxes
- After a generic mailbox is converted to a shared mailbox, the old account will be disabled, and no one will be able to log on as that user. If you are using this account to sign into computers or for other purposes, that will stop working when the account is converted. For accountability, we recommend having users sign in to computers as themselves.
- Setting up calendar and folder sharing with a shared mailbox will not work the same way. The users are no longer logging in as the generic mailbox user; rather, they are logging in with their Net ID credentials. In order to share the calendar or folder properly, the folder will need to be shared with those who are accessing the shared mailbox, not the shared mailbox itself.
- Configuring mobile devices to access a shared mailbox is not currently available, and webmail would need to be used.
Mailboxes will be migrated in batches on a weekly basis, in order to move users who work together at the same time.
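
The two-step conversion described in the email, sketched as an added PowerShell example (not part of the email and not the central IT office's own tooling), with a guard that refuses step 2 while the generic account's password still appears to be in use. Assumptions: it runs in an on-premises Exchange Management Shell with the ActiveDirectory module loaded, the generic mailbox is backed by an AD user account, and the mailbox and group names passed in are placeholders chosen by the operator.

```powershell
#Requires -Modules ActiveDirectory
# Added example. All names passed as parameters are placeholders, not values from the email.
param(
    [Parameter(Mandatory)] [string] $GenericMailbox,  # alias of the generic mailbox (placeholder)
    [Parameter(Mandatory)] [string] $AccessGroup,     # security group of named users (placeholder)
    [int]    $QuietDays = 21,                         # assumed quiet period before conversion
    [switch] $Convert                                 # without this switch, only step 1 and the check run
)

$mbx = Get-Mailbox -Identity $GenericMailbox -ErrorAction Stop

# Step 1: give the named users Full Access through a group, so that the
# group owner (not an Exchange administrator) handles later membership changes.
$hasAccess = Get-MailboxPermission -Identity $mbx.Identity -User $AccessGroup -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Deny -and ($_.AccessRights -match 'FullAccess') }
if (-not $hasAccess) {
    Add-MailboxPermission -Identity $mbx.Identity -User $AccessGroup `
        -AccessRights FullAccess -InheritanceType All | Out-Null
    Write-Output "Granted FullAccess on '$($mbx.Alias)' to '$AccessGroup'."
}

# Guard for step 2: has anyone still logged on with the generic account?
# LastLogonDate comes from lastLogonTimestamp, which AD only refreshes when the
# stored value is roughly 9 to 14 days old, so a quiet period of 14 days or
# less cannot prove the password is out of use.
if ($QuietDays -le 14) {
    throw "QuietDays must exceed 14 to be meaningful with lastLogonTimestamp."
}
$acct   = Get-ADUser -Identity $mbx.SamAccountName -Properties LastLogonDate, PasswordLastSet
$cutoff = (Get-Date).AddDays(-$QuietDays)

if ($acct.LastLogonDate -and $acct.LastLogonDate -gt $cutoff) {
    Write-Warning ("'{0}' last logged on {1:u}; the shared password is still in use. Not converting." -f
        $acct.SamAccountName, $acct.LastLogonDate)
    return
}

# Step 2: convert to a shared mailbox, ending direct logons with the shared password.
if ($Convert) {
    Set-Mailbox -Identity $mbx.Identity -Type Shared
    Write-Output "Converted '$($mbx.Alias)' to a shared mailbox."
} else {
    Write-Output "No logon since $($cutoff.ToString('u')). Re-run with -Convert to perform step 2."
}
```

A logon reported by the guard does not say who used the password; the account's entries in the domain controllers' security logs are the place to attribute it before asking those users to switch to their own credentials.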