I have discovered that if you create an email security policy and apply it to specific users, any users that have access to those mailboxes also get that policy applied, ignoring any explicitly defined ones for that user. I discovered this by having a bypass policy in place for some shared mailboxes that we didn't want anything potentially getting caught in spam. Anyone that had access to those mailboxes started getting the less secure policy applied to them as well. Not sure if this is intended behavior?
This thread was automatically locked due to age.
