Block Sign-in from Shared Mailboxes

I found something very interesting in the Microsoft 365 Admin Center related to shared mailboxes recently and was curious to look into it further.

No explanation is needed for what shared mailboxes are, how they operate and their limitations. As long as a licensed user has been granted delegation rights, that user can open the mailbox and access it according to the granted access levels.

The Problem

Whenever you create a shared mailbox in Exchange Online, a hidden (unknown) password is created on the back end, and it is not visible to the admin. Not sure?
Reset the password of the shared mailbox from M365 Admin Center > Users > Active users and then log in to the account using the https://outlook.office.com URL.
OR try configuring a new email account in Outlook and provide the credentials.

For some reason, Microsoft has decided to add a Reset password button for these shared mailboxes. Why? No idea whatsoever. In fact, I noticed Microsoft has addressed this in a document. Check here

In my understanding, this breaks some of the integrity of the shared mailbox concept.
License compliance issues, if someone thinks the password can be reset and the mailbox handed to a user as a standard mailbox. Shared mailboxes should always be used through delegated rights from a licensed user.
Security issues, since usually no one bothers to block sign-in, and a bad actor could get hold of the account with a password spray attack, for example.

Traditionally…
When you create a shared mailbox on an on-prem Exchange server (after Exchange Server 2003), the rule is to disable the corresponding AD account. This is by design, mainly because there is no secondary use for the AD account, and disabling it prevents attacks.

In the Modern world…
Just as you disable the AD account for a shared mailbox in the on-prem situation, you need to block sign-in for that account after you create the shared mailbox.

A few ways to get around this

  1. On-Prem AD synced accounts
     Disable the AD account as you usually do. This will block the synced account in Office 365.
  2. In-Cloud accounts
    a. MSOL PowerShell – Easy for batch executions

    Connect to MSOL PowerShell using this URL
    Once connected to the module, run the below command to check the current status.

    Get-MsolUser -UserPrincipalName <UPN of the shared mailbox> | fl *block*

    Notice the result “False” for BlockCredential.
    Let's block this now!

    Set-MsolUser -UserPrincipalName <UPN of the shared mailbox> -BlockCredential $true

    This will block the sign-in for that account now.

    b. Azure AD Portal

    Open the Azure AD Portal > Users > Look for the user > Edit > Scroll down to Settings > Edit > Set Block Sign in to Yes

    c. M365 Admin Center
    Admin Center > Users > Active Users > Search for the mailbox > Click on “Block Sign-in” and check and save “Block this user from signing in”
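Batch form of the MSOL approach above, as an added example that is not from the original post: it enumerates shared mailboxes through Exchange Online PowerShell, checks BlockCredential on each, and blocks sign-in for the in-cloud ones. The function name, the -ReportOnly switch and the use of LastDirSyncTime to spot synced accounts are this example's own assumptions.

```powershell
# Added example, not from the original post: audit every shared mailbox and block
# sign-in on the in-cloud ones that are still enabled. Assumes the
# ExchangeOnlineManagement and MSOnline modules are installed and that you
# hold the required admin roles. The function name and -ReportOnly switch are
# this example's own choices.
function Block-SharedMailboxSignIn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # List accounts that are still enabled without changing anything.
        [switch]$ReportOnly
    )

    Connect-ExchangeOnline -ShowBanner:$false
    Connect-MsolService

    # Shared mailboxes are their own recipient type, so regular user
    # mailboxes are never touched.
    $shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
    foreach ($mbx in $shared) {
        $upn  = $mbx.UserPrincipalName
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "No directory object found for $upn"
            continue
        }
        if ($user.BlockCredential) {
            Write-Verbose "$upn is already blocked"
            continue
        }
        # Directory-synced accounts are handled on-prem (disable the AD
        # account), so they are only reported here.
        if ($user.LastDirSyncTime) {
            Write-Warning "$upn is directory-synced; disable the AD account on-prem"
            continue
        }
        if ($ReportOnly) {
            [pscustomobject]@{ UPN = $upn; BlockCredential = $false }
            continue
        }
        # -WhatIf / -Confirm are honoured through ShouldProcess.
        if ($PSCmdlet.ShouldProcess($upn, 'Block sign-in')) {
            Set-MsolUser -UserPrincipalName $upn -BlockCredential $true
            Write-Output "Blocked sign-in for $upn"
        }
    }
}
# Dry run first, then apply:
# Block-SharedMailboxSignIn -ReportOnly
# Block-SharedMailboxSignIn
```

Run with -ReportOnly (or -WhatIf) first to see what would change before applying. Microsoft has deprecated the MSOnline module in favour of Microsoft Graph PowerShell, where the equivalent block is Update-MgUser -UserId <UPN> -AccountEnabled:$false.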

Final Words

Nothing much to say, but maybe this is something you have missed completing, or left alone because you thought shared mailboxes wouldn't have a direct logon option. Well, it's time to block those accounts now! At least until Microsoft removes that option.
