MDO Licensing Required for Shared Mailboxes but Not for Groups
Some Microsoft representatives expressed disappointment after the publication of the article about unexpected costs to license shared mailboxes for Microsoft Defender for Office 365 (MDO). They felt that I didn’t do MDO justice. Let me be clear: MDO covers a wide range of functionality to protect user communications (not just email, but also Teams and the Office apps) from threats. MDO Plan 2 also includes some neat SOC and attack simulation tools. Overall, MDO Plan 2 is a strong package that adds a lot of value to the Office 365 E5 and Microsoft 365 E5 SKUs.
The point of the article was not to discuss MDO capabilities. Instead, it turned a light on the unexpected licensing consequences of MDO becoming active within a tenant. Once MDO protects tenant communications, all user mailboxes and all shared mailboxes must be licensed for MDO Plan 2. That’s an unfair and unexpected consequence of upgrading a tenant from E3 to E5 licenses, something that Microsoft wants customers to do.
Indeed, at the analyst call following quarterly Microsoft results, CFO Amy Hood invariably mentions the success Microsoft has in driving higher Average Revenue Per User (ARPU) due to E5 upgrades and add-on licenses. In the Q4 FY25 call, she noted “ARPU growth again driven by E5 and M365 Copilot.” This kind of management commentary must have an effect on those who make licensing decisions for products.
Microsoft pointed out to me that they have not changed their guidance or documentation on this topic. This is accurate. The same guidance has been in place for several years. The MDO service description covers licensing, and anyone who takes the time to peruse that text will discover just how many MDO licenses their tenant needs. In terms of unexpected licensing consequences, if you don’t read what Microsoft says about a product, you won’t understand the rules of the game and surprises are almost inevitable.
Consequences of Previous Microsoft Decisions
But here’s the thing. The situation around MDO licensing for shared mailboxes is the consequence of two Microsoft decisions taken in the past. The first is that when Exchange Server launched shared mailboxes, Exchange created a user account for each shared mailbox. In an on-premises environment, the extra user accounts made no difference to licensing costs.
Entra ID and Exchange Online took the on-premises model and applied it to the cloud. I’ve often been critical of Entra ID’s inability to identify utility accounts used for purposes like shared and room mailboxes or break glass accounts. Treating these accounts like regular user accounts is nonsense. Failing to disable the accounts created for utility Exchange objects is silly, and allowing people to sign into those accounts (which creates a whole new can of licensing worms) isn’t much better. Exchange Online uses accounts for shared mailboxes like it does on-premises, and that’s the root of the problem created for MDO licensing.
Shared Mailboxes and Group Mailboxes Can Receive and Send Mail
Microsoft says that they require MDO licenses for shared mailboxes because the mailboxes can send and receive email and therefore benefit from the MDO service. Well, the group mailboxes created for Microsoft 365 groups can also send and receive email and those mailboxes support many (but not all) of the features found in shared mailboxes. The fact is that the current implementation of mail-based Microsoft 365 groups (Figure 1) operates very much like shared mailboxes when it comes to sending and receiving mail. Both types of mailbox receive the same level of protection from MDO.

Overall, Microsoft 365 groups are used far more extensively than shared mailboxes, mainly to support Teams, but I can’t find a single reference to an MDO licensing requirement for Microsoft 365 groups in the MDO service description. The reason why MDO ignores licensing for Microsoft 365 groups is simple: Microsoft 365 groups don’t have any form of Entra ID account. They exist as an Entra ID group that just happens to be connected to a set of resources like a plan, team, SharePoint site and group mailbox.
It’s possible to assign licenses to a Microsoft 365 group, but only for the purpose of group-based license assignments managed through the Microsoft 365 admin center (you can also manage group-based license assignments with PowerShell). Because Microsoft 365 groups don’t have user accounts, they don’t follow the normal licensing regime, so MDO cannot be licensed.
Drop the Need for MDO to License Shared Mailboxes
Microsoft has long recommended that customers should replace distribution lists and shared mailboxes with Microsoft 365 groups. Indeed, a great deal of engineering effort went into the addition of capabilities like delegated send for Microsoft 365 groups. After 2019, Microsoft dedicated less attention to the email side of Microsoft 365 groups because of the emphasis on Teams, but the debate about whether to use Groups or shared mailboxes remains active.
Today, far fewer Microsoft 365 groups support email-based communication than those used with Teams. However, the fact remains that a dichotomy exists between how MDO treats the licensing of shared mailboxes and Microsoft 365 groups.
A case could be argued that email-based Microsoft 365 Groups operate by distributing copies of email to group members, and those user accounts should have MDO licenses. That’s true, but group mailboxes receive email processed by MDO, just like shared mailboxes do, so shouldn’t the same rule apply? To solve the conundrum, Microsoft should simplify the situation by dropping the need for MDO licenses for shared mailboxes. I suspect that internal budgets, revenue recognition, and a myriad of other issues will stop this happening, but that’s what should be done.
A practical example from our company (the numbers are faked):
MS sold us 9,995 Microsoft 365 E3 licenses. They don’t include Microsoft Defender for Office 365 (neither Plan 1 nor Plan 2).
Additionally we bought 5 (!) Microsoft 365 E5 licenses for testing purposes which include Microsoft Defender for Office 365 (both Plan 1 and Plan 2).
According to MS we must now license ALL Exchange online users including shared mailboxes in our tenant:
“For Microsoft Defender for Office 365 Plan 2 tenants, licenses must be acquired for users or mailboxes falling under one or more of the following scenarios:
All Exchange Online users on the tenant. This is because Plan 2 features and capabilities protect all users in the tenant.
All shared mailboxes on the tenant.”
Tony, do you agree?
Yep. As soon as MDO is active in a tenant, all user and shared mailboxes must be licensed because they benefit from MDO protection.
Is there a way to use something like Conditional Access to exclude shared mailboxes from MDO?
Not that I am aware of
I asked a similar question whether you can disable MDO completely in a tenant in the comments’ section here:
https://office365itpros.com/2025/08/11/microsoft-defender-for-office-365/
Are there any means of doing so?
This may or may not be true, but Microsoft isn’t penalizing any company for this. If they were as rabid as you say they are about revenue, they would have begun telling companies they owe them more money a long time ago and we would have heard more about this requirement. It would have made more news and had a big backlash no doubt. What you “discovered” about an old requirement isn’t an issue apparently and it’s not going to become one either.
Peter,
You’re entitled to your opinions. I prefer to focus on facts. Let’s review the pertinent details. First, Microsoft management is very focused on maximizing revenue from add-ons and licensing. CFO Amy Hood makes the point about driving average revenue per user (ARPU) when speaking to market analysts after Microsoft quarterly results. I would never say that Microsoft is “rabid” about revenue, but their management is certainly very focused on driving revenue.
Second, I didn’t discover anything. As I report, Microsoft guidance has not changed in recent times. The information is hidden in plain sight. What happened is that a reader asked me about licensing of shared mailboxes with MDO and I dug into the matter. What I found was a surprise, not only to me but also to members of the Exchange engineering team and Microsoft MVPs, many of whom have very substantial experience with MDO. This proves that Microsoft licensing can be a voyage of discovery at times. I think this issue comes about through a lack of synchronization between different teams working within Microsoft 365.
Third, after I published the original article, I received several notes from customers who have engaged in “true up” exercises with their account teams and have been asked to pay for MDO licenses as a result. Customers are being affected, but it seems like this only happens when the account team is aware of the MDO licensing terms. I hazard a guess that few account teams have read the MDO product description.
Last, I checked the material I published with the MDO product team. I’m not in the habit of making assertions without proof, and I invariably check with the relevant product team before I publish something that could be controversial.
So, no rabid Microsoft chasing extra revenue but a lack of knowledge about product licensing. The inconsistency in the non-licensing of Microsoft 365 groups that receive exactly the same protection from MDO as shared mailboxes do is evidence that product licensing sometimes throws up more questions than it answers.
Good reporting, but ultimately this is a nothing burger or it would have been an issue a long time ago. Bringing it up now may actually trigger Microsoft to fix their internal communication and cause the very issue you are warning people about. Self-fulfilling. If that is the case, you can own it when suddenly this blows up.
It’s only been a nothing issue because it was festering away under the surface. Putting light on it might make Microsoft go after more customers, but I think the reality is that it’s more likely that the silly licensing requirement for MDO for shared mailboxes will disappear. And I don’t own anything: Microsoft wrote the service description, customers accepted that text.
Tony, any movement from MSFT on this? I’m looking at a 1.4 million dollar cost over 5 years if it doesn’t go away.
Not so far. I asked for an update today.
What further exacerbates the issue is the removal of level D pricing come November. I’ll be paying the full $5 a month then.