Set Up Plus Addressing for Unlicensed Admin Notifications in Exchange Online

In recent years, many organizations have chosen to keep their Microsoft 365 administrative accounts unlicensed as a security best practice for administrators. While this reduces the attack surface for privileged accounts, it also means these accounts cannot receive emails, including alerts and system reports. To stay informed, it’s important to set up alternate ways for admin accounts to receive emails. One practical solution is Plus Addressing in Exchange Online, a simple and reliable method that ensures admins never miss important notifications.

Now, let’s explore what Plus Addressing is and how you can set it up for unlicensed admin notifications.

Plus addressing, also called subaddressing, is a built-in feature in Exchange Online that lets users create dynamic and disposable email addresses without any extra setup.

• At its core, a standard email address follows this format:
  <local-part@domain> — for example, <frank@contoso.com>.
• With plus addressing, you can extend this format by adding a tag after a plus sign (+):
  <local-part+tag@domain> — for example, <frank+alerts@contoso.com>.

The part before the “+” must correspond to a valid mailbox, while the tag after the “+” can be any string that follows standard email character rules. When an email is sent to a plus address (for example, frank+alerts@contoso.com), Exchange first attempts to match the entire address. If no mailbox is found with that exact name, Exchange then strips the “+” and the tag, and delivers the message to the mailbox (frank@contoso.com). You can then use mailbox rules to automatically organize or filter messages based on the tag.

Important points to note:

• Receive-Only: Users cannot send emails from plus addresses; they can only receive emails sent to them.
• Not Aliases: Plus addresses are not mailbox aliases, so they don’t automatically resolve to a user’s display name in Outlook. They appear as plain email addresses in To/CC fields.

Assigning mailbox licenses to administrative accounts may seem convenient, but it introduces increased attack surface and cost inefficiency.

Licensing an admin account typically means enabling email functionality. This makes the account:

• More visible and accessible to external threats.
• A prime target for phishing and social engineering attacks, since attackers often seek out high-privilege accounts to compromise.
• Vulnerable to credential harvesting through malicious emails or spoofed communications.
• Admin accounts are often used for system management, not communication. Assigning licenses to them wastes resources.

Therefore, it’s essential to explore alternative methods, such as plus addressing, to receive notifications for unlicensed admin accounts in Microsoft 365 safely and efficiently.

Here’s how you can set up plus addressing in Microsoft 365 to manage unlicensed admin account notifications effectively.

1. Enable plus addressing in Exchange Online
2. Configure plus address for admin notifications in Entra ID

In most Microsoft 365 tenants, plus addressing is enabled by default. To avoid configuration issues, verify that the feature is active by following the steps below.

To verify that plus addressing is enabled in your Microsoft 365 tenant using the Exchange admin center, do the following:

1. Sign in to the Exchange admin center (EAC).
2. Navigate to Settings –> Mail Flow.
3. Make sure the option “Turn off plus addressing for your organization” is not selected.

If the box remains unchecked, it means plus addressing is already active in your organization. Users can start using plus signs (+) in their email addresses to automatically organize incoming mail.

For administrators who prefer scripting, need to automate configuration, or manage settings across multiple tenants, can download the script to enable plus addressing using PowerShell. Alternatively, you can use the method below.

Connect to the Exchange Online PowerShell module and run the below cmdlet to enable plus addressing.

By setting the parameter to $false, you activate Plus Addressing so users can receive emails sent to their tagged addresses.

Note: You can disable plus addressing via the Exchange admin center by checking “Turn off plus addressing for your organization”, or via PowerShell using –DisablePlusAddressInRecipients $true.

After enabling plus addressing, configure the unlicensed admin account’s contact email to use a plus address linked to a licensed mailbox.

This setup ensures that important notifications, alerts, and system messages intended for the unlicensed admin account are routed correctly to the designated mailbox using the tagged (+) format.

Here’s how to update it:

1. Sign in with an unlicensed admin account to the Microsoft Entra admin center.
2. Navigate to Users > All Users, then select the administrator account.
3. Click on the Edit properties and slide to the Contact Information tab.
4. In the Email field, enter the primary user’s email address associated with the admin account, followed by the desired plus (+) tag, for example, frank+alerts@contoso.com.
5. Click Save to apply the change.

You can configure the same using PowerShell as well. Firstly, connect to the Microsoft Graph PowerShell with the scope User.ReadWrite.All.

To configure plus addressing for unlicensed admin notifications using PowerShell, run the below:

Replace <admin@yourdomain.com> with the actual admin account and <user+tag@domain.com> with the plus-address you want to use for notifications.

Once configured, any Entra ID role assignment alerts or system notifications for the unlicensed admin will now appear in the specified plus address inbox (e.g., frank+alerts@contoso.com).

Once the plus address is configured, all unlicensed admin notifications are delivered to the user’s licensed mailbox. However, this can cause admin alerts to mix with regular user emails, making it harder to track important updates. To avoid this, you can create a mailbox rule that automatically moves admin-related emails to a dedicated folder. Follow the steps below to redirect emails to unlicensed admins via mail flow rules.

1. Sign in to the email account added above using the preferred Outlook client.
2. Click the Settings gear icon.
3. Go to Mail > Rules and click +Add new rule to create a custom rule for your plus address notifications.
4. Enter a descriptive name for the rule, such as “Plus Address Alerts,” to make it easy to identify.
5. Under Add a condition, choose To and enter your plus address (e.g., frank+alerts@contoso.com) so the rule applies only to emails sent to that address.
6. Under Add an action, select Move to and choose or create a folder (e.g., “Admin Alerts” where these messages will be organized.
7. Click Save to configure the mailbox rule.

Once the rule is created, all incoming messages addressed to your plus address will be automatically routed to the Admin Alerts folder. This setup ensures that all system-generated notifications related to unlicensed admin activities are separated from regular correspondence, allowing quick visibility and better tracking of Entra ID alerts.

• Naming Convention: Use consistent plus tags to organize emails by system (admin+azure-alerts@domain.com), priority (admin+critical@domain.com), or department (admin+it-alerts@domain.com).
• Security: Treat plus addresses as semi-public, never use them for login authentication, and be cautious when sharing with vendors.
• Monitoring & Maintenance: Regularly audit rules, remove or update unused ones, and maintain a list of active plus addresses with their purposes.

With plus addressing in Exchange Online, you can efficiently route and manage unlicensed admin notifications without adding extra mailboxes. By creating tagged email addresses, you can cleverly route alerts, security messages, and system notifications without the need for multiple mailboxes. If you have any queries, please feel free to reach out to us through the comments section.