
Block sign-in from shared mailboxes

When you create a new Shared Mailbox in Exchange Online, an account is automatically generated in Azure AD with a randomly assigned password. Although the initial password is unknown, it can be easily reset to a known value, enabling normal login to the account. However, since there is no real need to keep the account enabled for regular shared mailbox functionality, it’s recommended to disable the accounts to prevent any potential misuse.

You should always block sign-in from the shared mailbox account and keep it blocked. In this article, you will learn how to block shared mailbox sign-in to protect your Microsoft tenant.

Introduction

It is good to know that when you block sign-in from the shared mailboxes, you can still access them from other mailboxes.

These mailbox permission settings still work:

  1. Send on behalf permissions
  2. Send as permissions
  3. Full access permissions

Sign in with shared mailbox credentials

In our example, we have 3 shared mailboxes, and they are newly created:

  • SharedMailbox1@exoip.com
  • SharedMailbox2@exoip.com
  • SharedMailbox3@exoip.com

After setting a password for SharedMailbox1@exoip.com, we can sign in to the Azure portal successfully.


This is not something you want, and you have to prevent that by blocking the sign-in from all the shared mailboxes.

Block sign-in from shared mailbox in Microsoft 365 admin center

Go through the steps below to block sign-in from a single shared mailbox or multiple shared mailboxes in Microsoft 365 admin center.

Block sign-in from single shared mailbox

  1. Select the shared mailbox in the Active users list.
  2. Click on Block sign-in.
  3. Check the checkbox Block this user from signing in.
  4. Click on Save changes.
  5. Go back and check that it shows Sign-in blocked for the shared mailbox.

Block sign-in from multiple shared mailboxes

  1. Select the shared mailboxes in the Active users list.
  2. Click the more button in the toolbar.
  3. Click Edit sign-in status.
  4. Select Block users from signing in and click on Save.

The shared mailboxes are successfully blocked from signing in.

The problem within the Microsoft 365 admin center is that you can’t filter on shared mailboxes, and if you have a lot of shared mailboxes, it will take a lot of time to select them.

An excellent way to block all shared mailboxes from signing in is with PowerShell. Let’s look at that in the next step.

Block sign-in from shared mailbox with PowerShell

Run PowerShell as administrator and install the latest Exchange Online PowerShell and Microsoft Graph PowerShell modules.

Note: If you don’t have the latest modules installed, click on both links and install these modules.

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Let’s run both commands to initiate a connection.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

Once connected, we can call the Exchange Online mailboxes and the Microsoft Graph API. Let’s go to the next step.

Block sign-in from single shared mailbox

Get the Exchange Online shared mailbox external directory object ID and store it in the $UserID variable.

$UserID = (Get-EXOMailbox "SharedMailbox1@exoip.com").ExternalDirectoryObjectId

Block the shared mailbox sign-in.

Update-MgUser -UserId $UserID -AccountEnabled:$false

Verify that the shared mailbox sign-in account is disabled with the Get-MgUser cmdlet.

Get-MgUser -UserId $UserID -Property AccountEnabled,DisplayName,Mail | Select-Object DisplayName,Mail,AccountEnabled

The below output appears.

DisplayName    Mail                     AccountEnabled
-----------    ----                     --------------
SharedMailbox1 sharedmailbox1@exoip.com          False

Block sign-in from all shared mailboxes

Get the external directory object ID of every Exchange Online shared mailbox (room and equipment mailboxes included, because they get the same kind of account) and block the sign-in.

Get-EXOMailbox -RecipientTypeDetails "SharedMailbox","RoomMailbox","EquipmentMailbox" | ForEach-Object {Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false}

Get the sign-in status of all the shared mailboxes.

Get-EXOMailbox -RecipientTypeDetails "SharedMailbox","RoomMailbox","EquipmentMailbox" | ForEach-Object {Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property AccountEnabled,DisplayName,Mail | Select-Object DisplayName,Mail,AccountEnabled}

This is how the output looks.

DisplayName    Mail                     AccountEnabled
-----------    ----                     --------------
SharedMailbox1 sharedmailbox1@exoip.com          False
SharedMailbox2 sharedmailbox2@exoip.com          False
SharedMailbox3 sharedmailbox3@exoip.com          False
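The two one-liners above do the job, but on a tenant with many mailboxes you usually want a record of what was enabled before the change, a dry run, and confirmation that each write actually took effect. The script below is an added example (not code from the original article or from Microsoft) that combines the single-mailbox and all-mailboxes steps into one report-and-block run. It uses the same cmdlets and the same User.ReadWrite.All scope as the article; the -ReportOnly and -CsvPath parameters and the Status values are assumptions of this example, not documented options of any Microsoft cmdlet.

```powershell
<#
Added example, not code from the original article: report every shared, room
and equipment mailbox whose Azure AD account still allows sign-in, disable
those accounts through Microsoft Graph, and read the value back to confirm.
Run with -WhatIf to see what would change, or with -ReportOnly to only
produce the report. -ReportOnly and -CsvPath are assumptions of this example.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$ReportOnly,
    [string]$CsvPath = ".\SharedMailboxSignIn.csv"
)

# Same modules and scope the article uses.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Room and equipment mailboxes are included because they are created the
# same way as shared mailboxes and carry the same unused sign-in account.
$types = "SharedMailbox", "RoomMailbox", "EquipmentMailbox"
$mailboxes = Get-EXOMailbox -RecipientTypeDetails $types -ResultSize Unlimited -Properties ExternalDirectoryObjectId, RecipientTypeDetails

$results = foreach ($mbx in $mailboxes) {
    $status = "Unchanged"
    try {
        # Resolve the mailbox to its directory account. AccountEnabled is only
        # returned when requested explicitly with -Property.
        $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property Id, AccountEnabled -ErrorAction Stop
        $wasEnabled = [bool]$user.AccountEnabled

        if ($wasEnabled -and -not $ReportOnly -and $PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Block sign-in")) {
            Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop
            # Read the value back instead of trusting that the write succeeded.
            $user = Get-MgUser -UserId $user.Id -Property AccountEnabled -ErrorAction Stop
            $status = if ($user.AccountEnabled) { "StillEnabled" } else { "Blocked" }
        }
        elseif (-not $wasEnabled) {
            $status = "AlreadyBlocked"
        }

        [pscustomobject]@{
            DisplayName    = $mbx.DisplayName
            Mail           = $mbx.PrimarySmtpAddress
            Type           = $mbx.RecipientTypeDetails
            WasEnabled     = $wasEnabled
            AccountEnabled = [bool]$user.AccountEnabled
            Status         = $status
        }
    }
    catch {
        # Keep going: one unresolved object must not hide the rest of the report.
        [pscustomobject]@{
            DisplayName    = $mbx.DisplayName
            Mail           = $mbx.PrimarySmtpAddress
            Type           = $mbx.RecipientTypeDetails
            WasEnabled     = $null
            AccountEnabled = $null
            Status         = "Error: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table DisplayName, Mail, Type, WasEnabled, AccountEnabled, Status -AutoSize
$results | Export-Csv -Path $CsvPath -NoTypeInformation

# Anything still enabled after the run deserves a second look.
$stillEnabled = @($results | Where-Object { $_.AccountEnabled -eq $true })
Write-Host "$($stillEnabled.Count) of $($results.Count) mailbox accounts still allow sign-in."
```

Run it once with -ReportOnly (or -WhatIf) to see which accounts are still enabled, then again without the switch to block them. The CSV keeps the pre-change state, so a mailbox that was enabled on purpose can be identified afterwards, and the StillEnabled status flags any account where the Graph update was accepted but did not take effect.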

Verify shared mailbox sign-in blocked status

Sign in to the Azure portal with the shared mailbox and verify that it shows:

Your account has been locked. Contact your support person to unlock it, then try again.


That’s it!


Conclusion

You learned how to block sign-in from shared mailboxes. If you don’t have a lot of shared mailboxes, disable them through the Microsoft 365 admin center. But, to speed it up, use the PowerShell commands to block sign-in from all shared mailboxes.


ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 3 Comments

  1. What method would you use to block sign-in for Shared Mailboxes in a hybrid environment? Would you only need to disable the AD account?

  2. Great article. Thanks for the piece. It might be worth noting that you’ll need the proper roles to do this in Powershell.
