top of page
Search

Distribution List vs. Shared Mailbox vs. Licensed Mailbox: Which Setup Do You Actually Need?

Not every business email address should be set up the same way. We have a lot of conversations with our customers about what type of emails they need for their setup. From our healthcare customers to our municipal organizations there are a staggering variety of situations and use cases that we have to consider. Below is a breakdown on three important email setups that we commonly deploy depending on the customer's environment.


Microsoft 365 slide comparing Distribution List, Shared Mailbox, and Licensed Mailbox over a meeting scene.

We commonly get a request for an email address like info@, billing@, support@, hr@, or reception@, which may seem simple. But behind that address are important questions:

  • Who receives the messages?

  • Who can send from it?

  • Who can log in?

  • Can we tell who took action?

  • Does it need multi-factor authentication, archiving, litigation hold, or compliance controls?

  • Are there compliance (HIPAA or CMMC) considerations?


In Microsoft 365, the most common options are a distribution list, a shared mailbox, or a licensed mailbox. Each has a place. The mistake is treating them as interchangeable.


Quick Comparison: Which Email Setup Is Licensed?

Setup

Is the address itself licensed?

Can people send from it?

Can people log into it directly?

Best for

Watch-outs

Distribution List

No

Not usually as the list itself

No

Sending one email to multiple people

No shared inbox, no mailbox storage, no central sent history

Shared Mailbox

Usually no, if under standard limits

Yes, with Send As or Send on Behalf permissions

Should not be used for direct login

Team inboxes like support, billing, sales, reception

Requires careful permissions; users accessing it need licensed accounts

Licensed User Mailbox

Yes

Yes

Yes, by that named user

A real employee’s mailbox

Should not be shared by multiple people

Licensed Shared Mailbox

Yes, when needed

Yes, with delegated permissions

Still generally accessed through user delegation

Larger mailboxes (50gb vs 100gb), archiving, litigation hold, compliance needs

Adds cost but may be necessary for retention, hold, or storage

Microsoft describes distribution groups as a way to send email to a group of people without typing each recipient’s name individually, while shared mailboxes are designed for multiple users to read and send email from a common mailbox.


Infographic comparing Distribution List, Shared Mailbox, and Licensed User Mailbox with feature table and Outlook icon.

Distribution Lists: Simple, Unlicensed, and Easy to Misuse

A distribution list is not a mailbox. It is basically a forwarding mechanism.


When someone emails leadership@company.com, the message is delivered to the individual inboxes of everyone on that list. The distribution list itself does not store mail, does not have a central inbox, and does not need its own Microsoft 365 license.


This works well for:

  • allstaff@company.com

  • leadership@company.com

  • accounting-team@company.com

  • building-a@company.com


The main benefit is simplicity. The main weakness is accountability.

If a customer emails a distribution list, everyone receives their own copy. One person may respond, three people may respond, or nobody may respond because everyone assumes someone else handled it. There is no shared sent folder, no shared workflow, and no clean team view of what happened.

A distribution list is best for broadcasting information. It is not ideal for operational inboxes like support, billing, orders, scheduling, or HR.


Shared Mailboxes: Team-Based Email Without a License in Many Cases

A shared mailbox is usually the better fit when multiple people need to work from the same inbox.


Examples include:

  • support@company.com

  • billing@company.com

  • sales@company.com

  • reception@company.com

  • hr@company.com


A shared mailbox gives the team one place to receive, organize, and respond to messages. Users can be given permissions to read and manage the mailbox, send as the mailbox, or send on behalf of the mailbox.


In many cases, a shared mailbox does not need its own license. Microsoft allows shared mailboxes without a separate license under standard limits, but the users accessing the shared mailbox must have their own licensed Microsoft 365 accounts. Microsoft also notes that shared mailboxes require licensing for certain scenarios, such as litigation hold, larger mailbox sizes, or advanced archiving.


This is an important distinction:

The shared mailbox itself may be unlicensed. The people accessing it should be licensed users. The shared mailbox may need a license if compliance or storage requirements increase.

Do Not Share Passwords for Shared Mailboxes

A shared mailbox should not be treated like a generic account where everyone logs in with the same username and password.


That creates security and accountability problems. If five people know the password to billing@company.com, then it becomes much harder to know who actually opened, deleted, forwarded, or sent a message.


Microsoft states that new shared mailboxes have sign-in blocked by default. Users should access the shared mailbox through their own accounts, using delegated permissions.


That matters because each user’s own account can be protected with MFA/2FA, conditional access, password policies, and audit logging. It also means that when something goes wrong, the organization has a better chance of tracing activity back to the actual user.


When a Shared Mailbox Needs a License

A shared mailbox may need a license when the business needs more than basic shared email.


Common reasons include:

Reason

Why it matters

Mailbox size

Unlicensed shared mailboxes are limited under Microsoft’s standard shared mailbox limits. Larger mailboxes may require Exchange Online Plan 2.

Archiving

If the mailbox needs archive storage or auto-expanding archive, licensing may be required.

Litigation hold

Litigation hold requires Exchange Online Plan 2 or Exchange Online Plan 1 with Exchange Online Archiving.

Compliance requirements

Regulated industries may need retention, eDiscovery, DLP, auditing, or other Microsoft Purview features.

Sensitive data

Mailboxes handling HR, healthcare, legal, financial, or customer-sensitive information may need stronger controls.

Microsoft states that increasing a shared mailbox size to 100 GB requires Exchange Online Plan 2, and litigation hold requires Exchange Online Plan 2 or Exchange Online Plan 1 with an Exchange Online Archiving add-on.


This is where licensing should not be seen as just an extra cost. Sometimes the license is what allows the business to retain, protect, search, and defend the mailbox properly.


Licensed User Mailboxes: For Real People, Not Shared Access


A licensed user mailbox is what most employees use every day. It belongs to a specific person, such as:

  • jane@company.com

  • manager@company.com

  • doctor@company.com

This setup is appropriate when one person owns the mailbox and signs in as themselves.


Where businesses get into trouble is when they create a licensed mailbox like frontdesk@company.com and then allow multiple people to share the password. Technically, the mailbox may be licensed, but operationally it creates the same problems: weak accountability, MFA challenges, and unclear user activity.


If multiple people need access, a shared mailbox with delegated permissions is usually the cleaner setup.


Compliance: HIPAA, DLP, Archiving, and Auditability

For regulated businesses, the question is not only “Does this mailbox work?” The better question is, “Can we prove who had access, what happened, and whether sensitive information was protected?” Most compliance frameworks such as HIPAA and CMMC have very specific requirements when it comes to email.


For example, a healthcare organization using a mailbox for patient billing or scheduling may need:


  • MFA for every user.

  • No shared passwords.

  • Delegated mailbox access.

  • DLP policies to reduce accidental sharing of sensitive data.

  • Retention policies for business records.

  • Archiving for long-term access.

  • Litigation hold where required.

  • Audit logs for investigation.


Microsoft Purview includes tools for compliance, data loss prevention, audit, retention, eDiscovery, and information protection, depending on licensing.



Infographic comparing distribution list, shared mailbox, and licensed user mailbox, with icons, people, and email/security labels.

The Bottom Line

A distribution list sends messages to a group. It is simple and unlicensed, but it is not a shared workspace.


A shared mailbox gives a team one place to work. It is often unlicensed, but the users accessing it need licensed accounts, and the mailbox may need its own license for size, archiving, litigation hold, or compliance.

A licensed mailbox belongs to a real user. It should not become a shared password account.


The right setup depends on what the email address is supposed to do. For simple announcements, use a distribution list. For team-based work, use a shared mailbox. For sensitive, regulated, or high-retention needs, licensing may be the safest and most defensible choice.

Disclaimer


The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.

Comments

bottom of page