When you create a new Shared Mailbox in Exchange Online, an account is automatically generated in Azure AD with a randomly assigned password. Although the initial password is unknown, it can be easily reset to a known value, enabling normal login to the account. However, since there is no real need to keep the account enabled for regular shared mailbox functionality, it’s recommended to disable the accounts to prevent any potential misuse.

You should always block sign-in from the shared mailbox account and keep it blocked. In this article, you will learn how to block shared mailboxes sign-in to protect your Microsoft tenant.

Introduction

Good to know: when you block sign-in for the shared mailbox accounts, users can still access the shared mailboxes from their own mailboxes.

So these mailbox permissions settings still work:

  1. Send on behalf permissions
  2. Send as permissions
  3. Full access permissions

Sign in with shared mailbox credentials

In our example, we have 3 shared mailboxes, and they are newly created:

  • SharedMailbox1@exoip.com
  • SharedMailbox2@exoip.com
  • SharedMailbox3@exoip.com

After setting a password for SharedMailbox1@exoip.com, we can sign in to the Azure portal successfully.

This is not something you want, and you have to prevent that by blocking the sign-in from all the shared mailboxes.

Block sign-in from shared mailbox in Microsoft 365 admin center

Go through the steps below to block sign-in from a single shared mailbox or multiple shared mailboxes in Microsoft 365 admin center.

Block sign-in from single shared mailbox

  1. Select the shared mailbox in the Active users list.
  2. Click on Block sign-in.
  3. Check the checkbox Block this user from signing in.
  4. Click on Save changes.
  5. Go back and check that it shows Sign-in blocked for the shared mailbox.

Block sign-in from multiple shared mailboxes

  1. Select the shared mailboxes in the Active users list.
  2. Click the more button in the toolbar.
  3. Click Edit sign-in status.
  4. Select Block users from signing in and click on Save.

The shared mailboxes are successfully blocked from signing in.

The problem within the Microsoft 365 admin center is that you can’t filter on shared mailboxes, and if you have a lot of shared mailboxes, it will take a lot of time to select them.

An excellent way to block all shared mailboxes from signing in is with PowerShell. Let’s look at that in the next step.

Block sign-in from shared mailbox with PowerShell

Run PowerShell as administrator and install the latest Exchange Online PowerShell and Microsoft Graph PowerShell modules.

Note: If you don’t have the latest modules installed, click on both the links and install these modules.

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Let’s run both commands to initiate a connection.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

Once connected, we can call the Exchange Online mailboxes and the Microsoft Graph API. Let’s go to the next step.

Block sign-in from single shared mailbox

Get the Exchange Online shared mailbox external directory object ID and store it in the $UserID variable.

$UserID = (Get-EXOMailbox "SharedMailbox1@exoip.com").ExternalDirectoryObjectId

Block the shared mailbox sign-in.

Update-MgUser -UserId $UserID -AccountEnabled:$false

Verify that the shared mailbox sign-in account is disabled with the Get-MgUser cmdlet.

Get-MgUser -UserId $UserID -Property AccountEnabled,DisplayName,Mail | Select DisplayName,Mail,AccountEnabled

The output below appears.

DisplayName    Mail                     AccountEnabled
-----------    ----                     --------------
SharedMailbox1 sharedmailbox1@exoip.com          False

Block sign-in from all shared mailboxes

Get the Exchange Online shared mailboxes external directory object ID and block the sign-in.

Get-EXOMailbox -RecipientTypeDetails "SharedMailbox","RoomMailbox","EquipmentMailbox" | ForEach {Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false}

Get all the shared mailboxes sign-in status.

Get-EXOMailbox -RecipientTypeDetails "SharedMailbox","RoomMailbox","EquipmentMailbox" | ForEach {Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property AccountEnabled,DisplayName,Mail | Select DisplayName,Mail,AccountEnabled}

This is what the output looks like.

DisplayName    Mail                     AccountEnabled
-----------    ----                     --------------
SharedMailbox1 sharedmailbox1@exoip.com          False
SharedMailbox2 sharedmailbox2@exoip.com          False
SharedMailbox3 sharedmailbox3@exoip.com          False
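The one-liners above block and then list the mailboxes in two separate passes. The function below is an added example (not from the original article) that combines the steps into a single auditable run: it only disables accounts that are still enabled, re-reads the directory state afterwards so the report reflects what Azure AD actually holds, and offers a -ReportOnly switch so you can audit before changing anything. It assumes you are already connected with Connect-ExchangeOnline and Connect-MgGraph -Scopes "User.ReadWrite.All"; the function name and the -ReportOnly switch are this example's own.

```powershell
function Block-SharedMailboxSignIn {
    # Hypothetical helper (example code): block sign-in for all shared, room and
    # equipment mailbox accounts and return a per-mailbox report.
    param(
        [switch]$ReportOnly   # audit only: report status, change nothing
    )

    $Types = "SharedMailbox", "RoomMailbox", "EquipmentMailbox"
    $Mailboxes = Get-EXOMailbox -RecipientTypeDetails $Types -ResultSize Unlimited

    foreach ($Mbx in $Mailboxes) {
        $Id = $Mbx.ExternalDirectoryObjectId
        $Action = "None"
        $After  = $null
        try {
            $User = Get-MgUser -UserId $Id -Property AccountEnabled,DisplayName,Mail
            if ($User.AccountEnabled) {
                if ($ReportOnly) {
                    $Action = "StillEnabled"
                } else {
                    Update-MgUser -UserId $Id -AccountEnabled:$false
                    $Action = "Blocked"
                }
            } else {
                $Action = "AlreadyBlocked"
            }
            # Re-read so the report shows the directory state, not our intent
            $After = (Get-MgUser -UserId $Id -Property AccountEnabled).AccountEnabled
        } catch {
            # Typical causes: missing Graph scope, or a mailbox with no matching user object
            $Action = "Error: $($_.Exception.Message)"
        }
        [PSCustomObject]@{
            DisplayName    = $Mbx.DisplayName
            Mail           = $Mbx.PrimarySmtpAddress
            Type           = $Mbx.RecipientTypeDetails
            Action         = $Action
            AccountEnabled = $After
        }
    }
}

# Audit first, then enforce; anything left with AccountEnabled -ne $false needs a look
$Report = Block-SharedMailboxSignIn -ReportOnly
$Report | Format-Table -AutoSize
$Report = Block-SharedMailboxSignIn
$Report | Where-Object { $_.AccountEnabled -ne $false } | Format-Table -AutoSize
```

Because the function skips accounts that are already disabled and re-verifies each one, it is safe to schedule it to run regularly, which catches shared mailboxes created after the initial clean-up.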

Verify shared mailbox sign-in blocked status

Sign in to the Azure portal with the shared mailbox and verify that it shows:

Your account has been locked. Contact your support person to unlock it, then try again.

That’s it!