
🚀 Overview
In many enterprise environments, IT administrators utilize security groups to streamline the management of mailbox permissions. While this is an efficient way to grant “Full Access” permissions to a set of users, it introduces a specific limitation regarding the Outlook Automapping feature. Automapping is the mechanism that allows a shared mailbox to automatically appear in a user’s Outlook folder pane without manual configuration.
According to KB 3190323, when Full Access is assigned to a security group rather than to individual users, Autodiscover does not return the shared mailbox for the group's members, so automapping never runs for them. The behavior is observed across multiple versions of the client, including Outlook for Microsoft 365, Outlook 2019, Outlook 2016 and Outlook 2013.
⚙️ Key Technical Details
- The Role of Autodiscover: The Outlook client relies on the Autodiscover service to retrieve the XML configuration that defines the user's mail profile. Part of that response lists the additional mailboxes Outlook should open automatically (the AlternativeMailbox entries), and Autodiscover builds that list from a specific attribute on the user's directory object rather than from the mailbox's permission list.
- The msExchDelegateListBL attribute: This is the critical Active Directory attribute (a "backlink") that records which mailboxes have delegated Full Access to a given user. When a user is granted Full Access directly with automapping enabled (the default for Add-MailboxPermission), Exchange writes the user's Distinguished Name (DN) into the shared mailbox's msExchDelegateListLink attribute; Active Directory maintains the matching msExchDelegateListBL entry on the user object, and it is this backlink that tells Autodiscover, and therefore Outlook, to automap the mailbox.
- Expansion Limitation: The root cause of the failure is that the Autodiscover engine does not recursively expand security group membership. The delegate-list attributes only ever hold the DNs Exchange wrote for direct grants, so when the permission is granted to a group no member DN appears in msExchDelegateListLink, the members' msExchDelegateListBL attributes never reference the mailbox, and the Autodiscover response carries no instruction for Outlook to map it.
- Permission vs. Presentation: It is important to distinguish access from visibility. Group membership does grant the underlying mailbox permission required to open the mailbox, because the access check on the mailbox honors the group's SID. What it does not do is give Outlook the instruction to display that mailbox automatically.
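The following PowerShell is an added diagnostic example, not code from the KB article. It assumes on-premises Exchange (Exchange Management Shell plus the ActiveDirectory module), where the delegate-list attributes live in AD, and uses hypothetical names: a shared mailbox shared-finance@contoso.com, a security group SG-Finance-Mailbox that holds Full Access on it, a user alice who reaches the mailbox only through the group, and a user bob who was granted Full Access directly. It shows why bob automaps and alice does not by reading the same attributes Autodiscover reads.

```powershell
# Added diagnostic example; not code from the KB article. Assumes on-premises
# Exchange (Exchange Management Shell + ActiveDirectory module) and these
# hypothetical objects:
#   shared mailbox : shared-finance@contoso.com
#   security group : SG-Finance-Mailbox (holds Full Access on the mailbox)
#   alice          : member of the group only
#   bob            : granted Full Access directly (AutoMapping enabled)
param(
    [string]   $Mailbox = 'shared-finance@contoso.com',
    [string]   $Group   = 'SG-Finance-Mailbox',
    [string[]] $Users   = @('alice@contoso.com', 'bob@contoso.com')
)

# 1. Explicit (non-inherited) Full Access entries on the mailbox: shows whether
#    each trustee is an individual user or the group.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited } |
    Select-Object User, AccessRights, Deny

# 2. Forward link on the mailbox object. Exchange writes a trustee's DN here only
#    for a direct user grant with AutoMapping enabled; a group grant adds nothing.
$mbxAd = Get-ADUser -Filter "mail -eq '$Mailbox'" -Properties msExchDelegateListLink
"msExchDelegateListLink on ${Mailbox}:"
$mbxAd.msExchDelegateListLink

# 3. Backlink on each user. Autodiscover reads msExchDelegateListBL to emit
#    AlternativeMailbox entries and does not expand group membership, so a user
#    who reaches the mailbox only via the group is absent here and will not automap.
$groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
foreach ($u in $Users) {
    $userAd = Get-ADUser -Filter "mail -eq '$u'" -Properties msExchDelegateListBL, memberOf
    [pscustomobject]@{
        User          = $u
        MemberOfGroup = [bool]($userAd.memberOf -contains $groupDn)   # direct membership only
        WillAutomap   = [bool]($userAd.msExchDelegateListBL -contains $mbxAd.DistinguishedName)
    }
}
```

In the assumed setup, step 1 lists both the group and bob, step 2 shows only bob's DN, and step 3 reports MemberOfGroup = True / WillAutomap = False for alice and the reverse for bob. Step 3 checks direct membership only; a member of a nested group would show MemberOfGroup = False here but still be unable to automap for the same reason.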
⚠️ Impact
This behavior impacts administrative workflows and the end-user experience in the following ways:
📅 User Experience: Members of a security group will notice that the shared mailbox does not appear in their Outlook profile automatically. This often leads to helpdesk escalations where users report “missing” mailboxes despite technically having the permissions to view them.
🛠️ Administrative Overhead: To ensure a mailbox is automapped, administrators must explicitly grant Full Access to each user individually. If an administrator chooses to stick with security group-based management, they must provide documentation to users on how to manually add the mailbox via Account Settings > More Settings > Advanced > Open these additional mailboxes.
🌐 Alternative Access: This issue does not affect Outlook on the Web (OWA). Users can still manually add the shared folder in OWA or use the “Open another mailbox” feature, as these methods do not rely on the same Automapping/Autodiscover logic used by the desktop MSI or Click-to-Run clients.
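The administrative workaround above (grant Full Access to each member individually) can be scripted so that group-based management is kept for access while automapping still works. The following is an added example, not code from the KB article; it assumes on-premises Exchange Management Shell plus the ActiveDirectory module and the same hypothetical mailbox and group names as before. Run it with -WhatIf first.

```powershell
# Added remediation example; not code from the KB article. Assumes on-premises
# Exchange Management Shell + ActiveDirectory module, and hypothetical names:
#   shared mailbox : shared-finance@contoso.com
#   security group : SG-Finance-Mailbox (keeps its Full Access grant for access)
param(
    [string] $Mailbox = 'shared-finance@contoso.com',
    [string] $Group   = 'SG-Finance-Mailbox',
    [switch] $WhatIf
)

# Autodiscover never expands the group, so expand it here (nested groups
# included) and keep only mail-enabled user objects.
$members = Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties mail } |
    Where-Object { $_.mail }

foreach ($m in $members) {
    # Explicit (non-inherited) Full Access entries for this user alone. The group's
    # entry is granted to the group's SID, so it does not appear for the user.
    $direct = Get-MailboxPermission -Identity $Mailbox -User $m.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited }

    if ($direct) {
        "$($m.mail): direct Full Access already present, skipping"
        continue
    }

    # -AutoMapping $true (the default, stated explicitly) is what makes Exchange
    # write this user's DN into the mailbox's msExchDelegateListLink attribute.
    Add-MailboxPermission -Identity $Mailbox -User $m.UserPrincipalName `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $true -WhatIf:$WhatIf
    "$($m.mail): direct Full Access granted with automapping"
}
```

The group grant is left in place, so users who are added to the group later still get access immediately; they will not automap until the script is run again, so schedule it or trigger it from your group-membership change process. Existing Outlook sessions pick up the new AlternativeMailbox entry on their next Autodiscover refresh or restart.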
Official Source: Read the full article on Microsoft.com
