Gitbit

Ensure sign-in to shared mailboxes is blocked

Written by John Gruber. Published on June 17, 2024. Last updated on June 17, 2024.

Did you know that creating a shared mailbox also creates a user account? Did you know that when you convert a user mailbox to a shared mailbox, that user can still log in to the tenant? Why doesn't Microsoft automatically lock the account or ask you if you want the account locked out? I have no idea, but I do know it's a good idea to routinely check the shared mailboxes to see whether sign-in is blocked on their accounts.

Anyway, there are two ways to go through the list: manually and automatically.

Manually check if sign-in is blocked for shared mailboxes

The manual process is exactly how it sounds. We will manually go through the shared mailboxes and check if sign-in is blocked. First, we'll pull up a list of shared mailboxes, then we'll pull up the users and compare the two.

Get the shared mailboxes

  1. Open Exchange admin center > Recipients > Mailboxes
  2. Click Filter > Shared mailbox.

Check each user account

  1. In a new tab or window, open Microsoft 365 admin center > Users > Active users.
  2. Search for each shared mailbox and click on the display name.
  3. Click Block sign-in.
  4. Check Block this user from signing in. Click Save changes.

Automatically check if sign-in is blocked for shared mailboxes

This process should be called "Block sign-in for shared mailboxes using PowerShell" because that's what it really is, but I digress. First, we'll connect to Exchange Online. Then, we'll export a list of shared mailboxes. Then we'll connect to Microsoft 365 and disable sign-in for any shared mailbox accounts.

  1. Connect to Exchange Online PowerShell by running: Install-Module -Name ExchangeOnlineManagement; Connect-ExchangeOnline
  2. Log in with your admin credentials.
  3. Run the following command to get the shared mailboxes (-ResultSize Unlimited lifts the default cap of 1,000 results): $Mailboxes = Get-Mailbox -Filter {recipienttypedetails -eq "SharedMailbox"} -ResultSize Unlimited
  4. Connect to Microsoft 365 by running: Install-Module MSOnline; Connect-MsolService
  5. Log in with your admin credentials.
  6. Run the following to disable access: $Mailboxes | %{Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $true}
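
An audit-first variant of the steps above, as an added example that is not part of the original article: it reports which shared mailboxes still have sign-in enabled and blocks them only when asked. It assumes the Microsoft Graph PowerShell SDK (Get-MgUser / Update-MgUser) in place of the MSOnline module, which Microsoft has deprecated; the function name Get-SharedMailboxSignInStatus and its -Remediate switch are hypothetical.

```powershell
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Users

# Hypothetical helper (added example): audit shared mailboxes, optionally block sign-in.
function Get-SharedMailboxSignInStatus {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # When set, block sign-in on every shared mailbox account that is still enabled.
        [switch]$Remediate
    )

    # -ResultSize Unlimited: Get-Mailbox returns at most 1,000 results by default.
    $mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

    foreach ($mbx in $mailboxes) {
        # ExternalDirectoryObjectId is the directory object ID of the mailbox's user account.
        if (-not $mbx.ExternalDirectoryObjectId) { continue }
        $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
                           -Property Id, UserPrincipalName, AccountEnabled

        $blockedNow = $false
        if ($user.AccountEnabled -and $Remediate -and
            $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in')) {
            Update-MgUser -UserId $user.Id -AccountEnabled:$false
            $blockedNow = $true
        }

        # One row per shared mailbox, so the output doubles as an audit record.
        [pscustomobject]@{
            DisplayName       = $mbx.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            SignInWasEnabled  = [bool]$user.AccountEnabled
            BlockedByThisRun  = $blockedNow
        }
    }
}

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Audit only: list shared mailboxes whose accounts can still sign in.
Get-SharedMailboxSignInStatus | Where-Object SignInWasEnabled

# Remediate: preview with -WhatIf first, then run without it.
Get-SharedMailboxSignInStatus -Remediate -WhatIf | Format-Table
# Get-SharedMailboxSignInStatus -Remediate | Format-Table
```

Running the audit line on a schedule catches accounts that were re-enabled or newly converted to shared mailboxes since the last check.
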
This content is licensed under CC BY 4.0.