Last Updated on January 10, 2024 by Michael Morten Sonne
When you create a new Shared Mailbox in your Exchange Online environment, an account is automatically created in Azure AD for that Shared Mailbox, with a randomly assigned password. Although the initial password is unknown, it can easily be reset to a known value, enabling a normal login to the account. However, since there is no real need to keep the account enabled for regular shared mailbox functionality, it is recommended to disable these accounts to prevent any potential misuse.
You should always block sign-in for the shared mailbox account and keep it blocked. In this post, you will learn how to block shared mailbox sign-in to protect your Microsoft tenant. I have seen this not blocked 😭🥹
Shared mailboxes are typically used by multiple users within an organization to manage and collaborate on emails. However, if the credentials for a shared mailbox are compromised or misused, it could potentially lead to unauthorized access to sensitive information. Blocking sign-in from shared mailboxes helps prevent unauthorized individuals from gaining access to these mailboxes.
By blocking sign-in, organizations can ensure that only authorized individuals with appropriate access rights can view and interact with the mailbox contents. This reduces the risk of data breaches or accidental exposure of sensitive information.
In some cases, organizations also want to maintain accountability for actions performed within shared mailboxes. By blocking sign-in, it becomes easier to track and attribute actions within the mailbox to specific individuals, because every action must then come from a named user who was granted access. This can be important for compliance purposes or when investigating potential policy violations. And yes, the audit log can be used too 😉
Introduction
Good to know: when you block sign-in for the shared mailbox accounts, you can still access them from other mailboxes if you have been granted access to them, as well as through Exchange Online at outlook.office.com.
This is one thing I can't understand: why is this not disabled by default! 🤔
So these mailbox permissions settings will still work like before:
- Send on behalf permissions
- Send as permissions
- Full access permissions
This includes Outlook clients and outlook.office.com
In this lab, we have 3 shared mailboxes, and they are newly created:
If you go to the Azure portal > Users, you can see the shared mailboxes listed here as members of your tenant. They look like normal users, as every mailbox has a "user" in the backend 😉
If you try to reset a shared mailbox's password, then after setting a password for e.g. [email protected], you can sign in to the Azure portal successfully, as you can see here.
There is no MFA or similar protection on these accounts; the only things you need are the username (the email address) and the password set for that account! 😅
This is not something we want, and you have to prevent that by blocking the sign-in from all the shared mailboxes! 🔐
Now we go through the steps below to block sign-in for a single shared mailbox or for multiple shared mailboxes in the Microsoft 365 admin center (but I prefer PowerShell for speed here 😉).
Here you can see that the Sign-in status for these "users" is set to Allowed.
- Select the shared mailbox in the Active users list.
- Click on Block sign-in.
- Check the checkbox Block this user from signing in.
- Click on Save changes.
- Go back and check that it shows Sign-in blocked for the shared mailbox.
They’ll automatically be signed out of all Microsoft services within 60 minutes!
- Select the shared mailboxes in the Active users list.
- Click the more button in the toolbar.
- Click Edit sign-in status.
- Select Block users from signing in and click on Save.
The shared mailbox(es) are now successfully blocked from signing in! 🔐😉
The problem within the Microsoft 365 admin center is that you can’t filter on shared mailboxes, and if you have a lot of shared mailboxes, it will take a lot of time to select them all!
So an excellent way to block all shared mailboxes from signing in is with PowerShell. Let’s look at that now!
Block sign-in from all shared mailboxes with a script
Over time I have built up a big collection of PowerShell scripts 🙃
Here is one of mine, where you can automate this task in a secure way. We use an App registration with the right (and minimum) permissions needed, and this can e.g. run every day or week to secure your shared mailboxes if new ones are created (as login is allowed by default! 😵💫)
You can find the script here at GitHub too: BlockSharedMailboxSign-in.ps1
More scripts will likely come over time 😎👍
Connect to Exchange Online and Microsoft Graph API
Run PowerShell as administrator and connect to Exchange Online PowerShell and Microsoft Graph PowerShell.
PS C:\> Connect-ExchangeOnline
PS C:\> Connect-MgGraph -Scopes "User.ReadWrite.All"
Once connected, we can call the Exchange Online mailboxes and the Microsoft Graph API. Let’s go to the next step.
Get the Exchange Online shared mailbox external directory object ID and store it in the $UserID variable.
PS C:\> $UserID = (Get-EXOMailbox "[email protected]").ExternalDirectoryObjectId
Block the shared mailbox sign-in.
PS C:\> Update-MgUser -UserId $UserID -AccountEnabled:$false
Verify that the shared mailbox sign-in account is disabled.
PS C:\> Get-MgUser -UserId $UserID -Property AccountEnabled,DisplayName,Mail | Select DisplayName,Mail,AccountEnabled
DisplayName Mail AccountEnabled
----------- ---- --------------
SharedMailbox1 [email protected] False
Get the external directory object IDs of all Exchange Online shared, room and equipment mailboxes and block their sign-in.
PS C:\> Get-EXOMailbox -RecipientTypeDetails "SharedMailbox","RoomMailbox","EquipmentMailbox" | ForEach {Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false}
Get the sign-in status of all shared, room and equipment mailboxes.
PS C:\> Get-EXOMailbox -RecipientTypeDetails "SharedMailbox","RoomMailbox","EquipmentMailbox" | ForEach {Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property AccountEnabled,DisplayName,Mail | Select DisplayName,Mail,AccountEnabled}
DisplayName Mail AccountEnabled
----------- ---- --------------
SharedMailbox1 [email protected] False
SharedMailbox2 [email protected] False
SharedMailbox3 [email protected] False
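The one-liners above do the job, but for a scheduled run you want something idempotent that only touches accounts still allowing sign-in and reports what it changed. The function below is an added example, not the author's BlockSharedMailboxSign-in.ps1 script; it assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that Connect-ExchangeOnline and Connect-MgGraph -Scopes "User.ReadWrite.All" have already been run as shown above.

```powershell
# Added example (not the author's script). Assumes Connect-ExchangeOnline and
# Connect-MgGraph have already been run interactively. For an unattended run,
# replace them with certificate-based app-only auth, e.g. (placeholders):
#   Connect-ExchangeOnline -AppId $appId -CertificateThumbprint $thumb -Organization "<tenant>.onmicrosoft.com"
#   Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint $thumb

# Mailbox types that never need an interactive sign-in.
$script:ResourceTypes = "SharedMailbox", "RoomMailbox", "EquipmentMailbox"

function Get-SharedMailboxSignInState {
    # One object per shared/room/equipment mailbox with its Azure AD
    # AccountEnabled flag, so you can audit which ones still allow sign-in.
    Get-EXOMailbox -RecipientTypeDetails $script:ResourceTypes -ResultSize Unlimited |
        ForEach-Object {
            $user = Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property AccountEnabled,DisplayName,Mail
            [pscustomobject]@{
                DisplayName    = $user.DisplayName
                Mail           = $user.Mail
                ObjectId       = $_.ExternalDirectoryObjectId
                AccountEnabled = $user.AccountEnabled
            }
        }
}

function Block-SharedMailboxSignIn {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Only touch accounts that are still enabled, so repeated (scheduled) runs
    # are idempotent and the output lists exactly what changed this time.
    $stillEnabled = @(Get-SharedMailboxSignInState | Where-Object { $_.AccountEnabled })
    if ($stillEnabled.Count -eq 0) {
        Write-Host "All shared/room/equipment mailboxes already have sign-in blocked."
    }
    foreach ($mbx in $stillEnabled) {
        if ($PSCmdlet.ShouldProcess($mbx.Mail, "Block sign-in")) {
            Update-MgUser -UserId $mbx.ObjectId -AccountEnabled:$false
            Write-Host "Blocked sign-in for $($mbx.Mail)"
        }
    }
    # Return what was (or would be) blocked so a scheduled task can log or alert on it.
    $stillEnabled
}

# Dry run first (-WhatIf only reports what would change), then the real thing:
Block-SharedMailboxSignIn -WhatIf
Block-SharedMailboxSignIn
```

Running the function daily from a scheduled task catches newly created shared mailboxes, which are enabled for sign-in by default until someone blocks them.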
Try signing in to the Azure portal with the shared mailbox and verify that it shows you are locked out:
Your account has been locked. Contact your support person to unlock it, then try again.
That’s it – now you have one less thing to worry about!
Conclusion
You learned how to block sign-in from shared mailboxes. If you don't have a lot of shared mailboxes, disable them through the Microsoft 365 admin center. But, to speed it up, you can use the PowerShell commands or my script to block sign-in from all shared mailboxes automatically! 🤓
Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍
Stay tuned for the new post about something cool! 🥳