If a Tenant Has Microsoft Defender for Office 365, Its Shared Mailboxes Need Licenses
When discussing the need to license Exchange Online shared mailboxes, the usual answer is that Exchange Online Plan 2 licenses are needed when shared mailboxes have an extended quota (100 GB instead of 50 GB), an archive mailbox, or are on litigation hold. In other areas of functionality, like Microsoft 365 retention policies, Microsoft makes it clear that no licenses are needed unless premium features like auto-label policies or adaptive scopes are used.
The usual line taken by Microsoft for licensing shared mailboxes is anchored on the features available in Exchange Server. For example, basic retention processing doesn’t require licenses because Exchange Server includes similar retention policies. But Exchange Server doesn’t support adaptive scopes, so use of that feature creates the need for licenses.
Microsoft Defender for Office 365 Plan 1 and Plan 2
This brings me neatly to the question of licensing shared mailboxes for Microsoft Defender for Office 365 (MDO), an advanced version of Exchange Online Protection (EOP) that offers significantly better protection against threats communicated in email. MDO is available in two plans: MDO Plan 1, which is for small to medium businesses and is included in SKUs like Microsoft 365 Business Premium, and MDO Plan 2, which is targeted at enterprises but can be bought and deployed by SME tenants.
From an enterprise perspective, the thing to remember is that MDO Plan 2 is only included in E5 SKUs like Microsoft 365 E5 (see this chart for more information). Figure 1 shows the Threat Analytics feature licensed by MDO Plan 2.

The MDO service description says that shared mailboxes in MDO Plan 1 tenants must have licenses if the mailboxes “benefit from Defender for Office 365 protections.” No further guidance is given to define how shared mailboxes benefit from MDO, but given that MDO includes features like Safe Attachments and Safe Links, you could say that any shared mailbox that receives email from external senders benefits from malware scanning and threat protection performed by MDO. And because any shared mailbox can send and receive email, Microsoft considers that all shared mailboxes need MDO licenses.
The situation is simpler for enterprise tenants because the guidance here is that MDO licenses are required for “All shared mailboxes on the tenant.” In effect, this means that any Microsoft 365 tenant that implements the features licensed by Microsoft Defender for Office 365 Plan 2 (see the service description) because they have acquired some E5 licenses must license all shared mailboxes for MDO. In fact, the text of the Microsoft Defender for Office 365 service description goes on to say that user accounts that don’t have E5 licenses must also be licensed for MDO. The text says that licenses must be acquired for “All Exchange Online users on the tenant. This is because Plan 2 features and capabilities protect all users in the tenant.”
The Sudden Realization that Shared Mailboxes Need MDO Licenses
I’m not sure that many tenants with MDO understand the need to license shared mailboxes. The MDO Plan 2 license costs $5/month with a 12-month commitment, or $60 per shared mailbox annually. Some organizations make heavy use of shared mailboxes, including as a method to preserve mailboxes for ex-employees (inactive mailboxes are the recommended approach). A thousand shared mailboxes will therefore rack up an unexpected $60,000 bill, and that amount doesn’t include any additional licenses that might be needed to bring non-E5 mailboxes into compliance.
I haven’t heard of any Microsoft campaign to make tenants aware of how MDO licensing works for shared mailboxes, nor is there a code check in Outlook to detect and advise when MDO licenses are necessary. The Exchange Admin Center (EAC) includes an option to switch a user mailbox to a shared mailbox, and that option doesn’t warn administrators about potential licensing requirements.
To be honest, I was unaware of the need until I read the service description after being asked if shared mailboxes needed MDO licenses because a customer had been unexpectedly told that the licenses were required. I suspect that many others are in the same state of blissful licensing ignorance.
Unexpected Painful Costs
Any unexpected cost is bad news. Suddenly discovering that a tenant has a batch of unlicensed shared mailboxes is firmly in that category. Discovering that some user accounts that don’t have E5 licenses might need MDO licenses is also painful. There’s nothing good to report here.
Hello, this is only true if the shared mailbox is not accessed by users with MDO licenses. A user with E5, for example, is protected when they access the Shared Mailbox. The user will always get the benefits of MDO, even if they access a shared mailbox. But if you need the mailbox to have specific advanced features (e.g. >50 GB storage), you need to license it.
You are talking about the shared mailbox itself. Yes, most use cases of shared mailboxes are free of license requirements focusing at the mailbox/exchange functionalities. BUT this article is about MDO. Your users’ M365E5 licenses do NOT cover the MDO plan 2(!) you need for your shared mailboxes.
Nope. The service description and Microsoft’s interpretation of same is that shared mailboxes receive the benefit of MDO for inbound and outbound mail processing. There’s no way to disable MDO for a shared mailbox, so once MDO is in a tenant, all shared mailboxes must be licensed. The instances you cite (archive mailbox, 100 GB quota) are Exchange Online features that require an Exchange Online Plan 2 license, not MDO.
Do you have a source for making such a statement?
We’ll just agree to disagree. Users with MDO (or through E5) will be protected with safe links & attachments sent to a shared mailbox. But that’s okay, you can disagree. Also, I said “you need to license it” at the end, I didn’t say MDO.
It is pretty clear in here https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description
Tony wrote: “so once MDO is in a tenant”.
We have a 3rd-party security gateway in front of Exchange Online. The MX record points to this email gateway. We completely disabled all MDO features (SCL = -1, disabling all features in anti-phish, anti-spam, Safe links … policies).
Tony, would you say that we are a tenant WITH or WITHOUT MDO?
It’s not for me to say. The Microsoft licensing people might say that MDO is active in the tenant. A practical assessment of the situation is that MDO is not used, so I wouldn’t worry too much.
I am also confused by this…
In addition, if MDO Plan 1 or 2 is in use in the tenant, the shared mailboxes also require an additional license in addition to the MDO Plan 1/2 license. This can be found in the Product Terms:
https://www.microsoft.com/licensing/terms/en-US/productoffering/ExchangeOnline/MCA
License:
Microsoft Defender for Office 365 Plan 1/Plan 2
License Prerequisites:
Any Microsoft 365, Office 365, Exchange Online, SharePoint Online or OneDrive for Business plan license
Good thought, but I am not sure. The requirement for shared mailboxes to have Exchange licenses is set out in the Exchange service description (100 GB quota, archive mailbox, etc.). I think the requirement set out here is for user mailboxes, which should have this requirement covered through their Microsoft 365 license. But I will ask the nice people in the MDO team…
Hi Tony, any news here?
Nope. I’ll ask again.
What about excluding the shared mailboxes via policies so that they aren’t getting the protections, such as Set-ATPPolicyForO365 -Identity "Default" -ExcludedRecipients "sharedmailbox@domain.com" and Set-SafeAttachmentPolicy -Identity "Default" -ExcludedRecipients "sharedmailbox@domain.com", etc.? Basically, we want to license and provide protection for each licensed user but not any shared mailboxes or secondary/send-as mailboxes that our licensed users access; otherwise, that could increase our license count massively.
Unhappily, that’s not the way the licensing policy is written. Once MDO is active in a tenant, every mailbox that receives email must be licensed.
But you could have a great time arguing the toss with a Microsoft representative by advancing those arguments…
How would that work in a hybrid setup where email comes into 365 first but a mailbox is on-prem? Do the on-prem mailboxes also need to be licensed since 365 may do some filtering? What is the method to completely turn off MDO for a tenant so that there are no compliance issues? Do we need to get rid of all licenses that may include Defender, or can we just change one setting on the tenant?
Good question. The documents are not specific on this point. Microsoft is considering the issue with MDO licensing and has promised to get back soon. I’ll add this to the list.
AFAIK, there’s no way to turn off MDO completely.
What about other recipients such as Group Mailboxes or Room types?
I did speak with Microsoft, and they did confirm that the merits of the article are accurate, MDO is needed for any shared mailbox that would be benefiting from having MDO enabled in the tenant.
https://office365itpros.com/2025/08/18/microsoft-defender-for-office-365-2/
I’ve been chatting with Microsoft about MDO licensing and we should have a definitive statement about what they plan to do soon.
Hi Tony
Thanks for your efforts to get clarity on this.
Do you have any ETA for the Microsoft definitive statement on this?
Still waiting for white smoke to emerge…
According to the “Blue security podcast” it is not necessary to license shared mailboxes. As these are 2 MS employees from Sales – they should know 🙂
https://podcasts.apple.com/us/podcast/microsoft-licensing-overview-part-3-niche-situations/id1532959726?i=1000724551719
Given the confusion that persists within Microsoft employees about shared mailbox licensing, I think I shall wait for the definitive advice from the product group.
Just checking in.
Any update or ETA?
We have big customers waiting for a proposal and we’re worried about making them buy MDO P2 licenses for shared mailboxes and later finding out they don’t need them.
Thank you!
I had email from the Microsoft team that is driving the issue to say that they still needed a few weeks to resolve matters. That is the situation as of last Monday.