Anonymous User in O365 Mailbox Permissions

Solution 1:

Does anyone know what the real purpose of the "Anonymous" user account is?

The real purpose is exactly what Microsoft stated. This permission is for granting users outside of your organization access to those folders. This is a standard mailbox permission in Exchange Server.

Also, is it a security risk?

Only if you somehow made that folder available to the public AND you granted the Anonymous user actual permissions to the folder... so, no... this is not a "real" security risk. This is the default setting for every folder in every mailbox for every user in the world who uses Exchange Server.

As you can see in your screenshot, the Anonymous user has no permissions by default. You would have to explicitly grant that entity permissions AND you'd have to make that folder publicly available in order for anyone to actually access that folder.

Solution 2:

It sounds like this "user" is intended to be a placeholder or a way of specifying the large class of people who don't have accounts on your system.

Using this identifier ("user"), you or your staff can say, effectively, that they want to share a calendar or (apparently) a portion of their mailbox with someone (effectively anyone) without requiring them to have (or log into) an account on your system.

Often this requires someone sharing the URL with them, so the URL can function as a sort of password, but it is essentially a shared password, and relatively easily shared at that, so, yes, there is a security implication.

It may make sense to share something read-only with this "Anonymous" identifier, but I would tend not to provide write permission.
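
Added example, not part of either answer above: one way to confirm that Anonymous still has no rights on any folder of a mailbox, and to flag grants that go beyond read-only, using Exchange Online PowerShell. The function name `Get-AnonymousFolderGrant` and the read-only list are assumptions made for this sketch; it assumes the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session.

```powershell
# Assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session.
# Get-AnonymousFolderGrant is a hypothetical helper name, not a built-in cmdlet.
function Get-AnonymousFolderGrant {
    param([Parameter(Mandatory)] [string] $Mailbox)

    # Rights and roles that only expose data; anything else lets the holder change the folder.
    $readOnly = 'None', 'ReadItems', 'FolderVisible', 'Reviewer', 'AvailabilityOnly', 'LimitedDetails'

    foreach ($folder in (Get-MailboxFolderStatistics -Identity $Mailbox)) {
        # Folder permission cmdlets address a folder as "<mailbox>:\<path>"
        $id = '{0}:{1}' -f $Mailbox, $folder.FolderPath.Replace('/', '\')

        $perm = Get-MailboxFolderPermission -Identity $id -User Anonymous `
                    -ErrorAction SilentlyContinue -ErrorVariable lookupError
        if ($lookupError) {
            # e.g. the mailbox root, system folders, or a folder with no Anonymous entry;
            # report these rather than hide them
            Write-Warning "Could not read Anonymous permissions on $id"
            continue
        }

        foreach ($entry in $perm) {
            # Normalise AccessRights to strings, then drop the default "None"
            $rights  = @($entry.AccessRights | ForEach-Object { "$_" })
            $granted = @($rights | Where-Object { $_ -ne 'None' })
            if ($granted.Count -eq 0) { continue }   # default state: nothing granted

            [pscustomobject]@{
                Mailbox        = $Mailbox
                Folder         = $folder.FolderPath
                AccessRights   = $granted -join ', '
                BeyondReadOnly = [bool]($granted | Where-Object { $_ -notin $readOnly })
            }
        }
    }
}

# Audit every mailbox in the tenant:
# Get-EXOMailbox -ResultSize Unlimited |
#     ForEach-Object { Get-AnonymousFolderGrant -Mailbox $_.PrimarySmtpAddress }
```

An empty result means every readable folder is in the default state; rows with `BeyondReadOnly` set to `True` are the ones to review first.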