Microsoft 365: Plus-Addressing Hack
Microsoft 365 Admin Center
13 Dec 2025 04:37

by HubSite 365 about Dean Ellerby [MVP]

Microsoft MVP (Enterprise Mobility, Security) - MCT

Microsoft expert shows plus addressing to secure unlicensed admin accounts via Exchange Admin Center and Azure AD OTP routing

Key insights

  • Video summary: A YouTube demo shows how to use plus addressing to send OTPs and admin alerts for unlicensed admin accounts to a licensed user mailbox without buying a separate license.
  • Problem: Privileged admin accounts should not host regular mailboxes because licensing wastes cost and increases attack surface; unlicensed admins normally can’t receive email by default.
  • How it works: Use the format yourname+label@yourdomain.com; messages to that plus address route to the base mailbox and you can filter them with inbox rules to keep alerts separate and visible.
  • Quick setup: Enable plus addressing at org level (PowerShell: Set-OrganizationConfig -AllowPlusAddressInRecipients $true), add the plus variant to the admin’s contact info, then create Outlook/Exchange inbox rules to move or flag alerts.
  • Blocking check: If mail to plus addresses fails, inspect the Exchange Admin Center mail-flow/org-level toggle that can disable plus addressing and adjust it accordingly.
  • Security notes & caveats: Use this only for alerts and OTPs, avoid publishing plus addresses, keep admin accounts unlicensed to reduce exposure, monitor rules and audit deliveries, and continue using MFA and standard admin hardening.

In a recent YouTube video, Dean Ellerby [MVP] demonstrates a practical trick for Microsoft 365 administrators that uses plus addressing to route messages to licensed inboxes without assigning mailboxes to high‑privilege accounts. The video walks viewers through a live setup, a test that shows delivery to a user mailbox, and the single Exchange Admin Center toggle that can disable the behavior. The approach offers a way to receive one‑time passwords and alerts for unlicensed admin identities while avoiding the cost and exposure of licensing each account. Ellerby also highlights caveats and security considerations that teams must weigh before adopting this pattern.

Overview of the technique

The method relies on plus addressing, where an address like user+admin@domain.com is treated as a variant of user@domain.com and delivered to the same mailbox. In the video, Ellerby explains why many organizations prefer to keep privileged admin accounts unlicensed and devoid of mailboxes to reduce their attack surface. Therefore, using a tagged address lets administrators sign up those privileged identities on third‑party portals and still receive OTPs and notifications without creating or paying for a dedicated mailbox. At the same time, he stresses that this is a routing convenience, not a substitute for proper lifecycle or identity controls.

How plus addressing works in practice

Ellerby demonstrates the exact flow by creating a plus address for an unlicensed admin account and then sending a test email to that address, which arrives in a licensed user's inbox. He notes that the format is simple — yourname+anything@yourdomain.com — and that Outlook and Exchange treat the tagged address as a delivery variant for the base mailbox. Importantly, the video shows that the approach depends on an organization setting in Exchange Online; if administrators have turned off plus addressing at the tenant level, routed messages will not arrive as expected. Thus, successful use requires both correct address configuration and tenant settings that allow sub‑addressing.

Setting it up: key steps and the critical toggle

The setup starts in Microsoft Entra by ensuring the unlicensed admin has the plus email recorded as a contact or alternate address that points to a licensed mailbox. Next, Exchange Online must permit plus addressing, typically enabled via PowerShell using the organization configuration cmdlet that sets AllowPlusAddressInRecipients to true. During the demo, Ellerby shows the Exchange Admin Center path and the single toggle that, when disabled, blocks all such tags from routing to base mailboxes, so administrators should check that setting before relying on this pattern. After configuration, he recommends creating inbox rules to move or flag messages sent to the plus variant so admin alerts are easy to find.

Tradeoffs and operational challenges

While this trick saves licensing costs and keeps admin accounts less exposed, it introduces tradeoffs in visibility and auditability because messages intended for an admin identity land in a different user's mailbox. For example, compliance and monitoring teams may need to adjust audit rules to capture admin alerts routed through another mailbox, and incident response workflows should account for the alternate delivery channel. In addition, some third‑party portals may validate mailbox ownership or reject tagged addresses, which can block certain OTP deliveries, so administrators should test each integration before deployment.

Another challenge is organizational policy and consistency: enabling plus addressing tenant‑wide might conflict with policies that require strict aliasing or controlled mail delivery. Although the approach reduces license costs, it can raise questions about separation of duties and who is permitted to access forwarded admin alerts, so teams should balance cost savings with governance controls. Finally, the tenant toggle that disables plus addressing creates a single point of failure, meaning that routine tenant hardening or configuration changes can inadvertently stop alert delivery unless administrators maintain configuration checks.
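A configuration check for the dependencies described above, as an added example (not from the video or the article). The mailbox and plus address are placeholders; it assumes an existing `Connect-ExchangeOnline` session and an inbox rule created against the full plus address, and it reads whichever plus-addressing property the tenant returns, since current Exchange Online exposes the setting as `DisablePlusAddressInRecipients`.

```powershell
# Added example: drift check for the plus-addressing alert path.
# Requires the ExchangeOnlineManagement module and an active session.
$BaseMailbox = 'jane@contoso.example'        # placeholder: licensed mailbox receiving alerts
$PlusAddress = 'jane+admin@contoso.example'  # placeholder: tagged address set on the unlicensed admin

$findings = @()

# 1. Tenant-level toggle. Read whichever property this tenant exposes.
$org   = Get-OrganizationConfig
$props = $org.PSObject.Properties.Name
if ($props -contains 'DisablePlusAddressInRecipients') {
    if ($org.DisablePlusAddressInRecipients) {
        $findings += 'Plus addressing is disabled tenant-wide (DisablePlusAddressInRecipients is True).'
    }
} elseif ($props -contains 'AllowPlusAddressInRecipients') {
    if (-not $org.AllowPlusAddressInRecipients) {
        $findings += 'Plus addressing is disabled tenant-wide (AllowPlusAddressInRecipients is False).'
    }
} else {
    $findings += 'No plus-addressing property found on the organization config; check the Exchange Admin Center toggle manually.'
}

# 2. The inbox rule that separates admin alerts must exist and be enabled.
$rules      = @(Get-InboxRule -Mailbox $BaseMailbox)
$alertRules = @($rules | Where-Object {
    $_.Enabled -and ($_.RecipientAddressContainsWords -contains $PlusAddress)
})
if ($alertRules.Count -eq 0) {
    $findings += "No enabled inbox rule on $BaseMailbox matches $PlusAddress."
}

# 3. Any enabled rule that forwards, redirects or deletes mail in the mailbox
#    that receives admin OTPs deserves a manual review.
foreach ($r in ($rules | Where-Object { $_.Enabled })) {
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo -or $r.DeleteMessage) {
        $findings += "Rule '$($r.Name)' forwards, redirects or deletes mail; confirm it cannot act on admin OTPs."
    }
}

# Report: warnings for each finding, or a single confirmation line.
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Plus-addressing alert path for $PlusAddress looks intact."
}
```

Running this on a schedule and after tenant hardening changes surfaces a disabled toggle or a removed rule before an OTP goes missing.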

Security recommendations and practical advice

Ellerby emphasizes several practical measures: use plus addressing only for specific, low‑volume admin notifications, protect the receiving mailbox with strong MFA and monitoring, and document where admin alerts route so teams can respond quickly. Moreover, when possible, pair the plus addressing approach with envelope filtering, dedicated folders, and alert forwarding rules so messages remain visible and segregated from general mail. Consequently, this reduces accidental oversight and helps maintain a clear audit trail for administrative alerts.

In summary, Dean Ellerby’s video offers a clear, reproducible technique to receive OTPs and alerts for unlicensed admin accounts using plus addressing in Microsoft 365, while also warning viewers about tenant settings and governance tradeoffs. Therefore, IT teams should test the pattern in a controlled environment, evaluate the operational and compliance impacts, and document any dependencies such as the Exchange Admin Center toggle that can block the behavior. When used thoughtfully, the method can save licenses and simplify alerting, yet it requires ongoing attention to configuration and security practices to remain reliable and safe.
