Block Shared Mailbox Sign-in To Protect Your Office 365 Environment
In Office 365, mailboxes are used to send and receive email messages, so protecting those mailboxes is just as necessary. A shared mailbox allows multiple users to access the same mailbox. The real problem lies in shared mailbox security, especially the password that is auto-generated when you create a shared mailbox. Blocking shared mailbox sign-in is the best way to avoid those troublesome situations. Let’s check how!
What Is a Shared Mailbox Used For?
A shared mailbox is a mailbox that is shared by a group of delegated users in Office 365 for sending and receiving emails based on the permissions they hold. When you create a shared mailbox in Exchange Online, a password is generated for the mailbox at the back end. This password, together with the shared mailbox email address, can be used as credentials by anyone who obtains it, leaving the mailbox open to abuse.
For instance, admins may reset the password for a shared mailbox and hand it to one of the users for some reason. That user, after leaving the organization, may use the password to attack the organization’s resources. This risk underscores the importance of implementing security measures, such as regularly auditing shared mailbox activities.
Why Should We Block Shared Mailbox Sign-ins?
In the era of account compromises, phishing attacks, and other password attacks, shared mailbox compromise is no exception. The automatically created password can be dangerous if reset by admins or stolen by hackers. Fortunately, you can prevent this by blocking sign-ins in two different ways.
- Block shared mailbox sign-in using Microsoft 365 Admin Center
- Block shared mailbox sign-in using PowerShell
It’s a doddle to block shared mailbox sign-ins using Microsoft 365 Admin Center. All you have to do is to follow the steps given below.
Step 1: Log into the Microsoft 365 Admin Center.
Step 2: Under ‘Users’ select ‘Active Users’.
Step 3: Select the shared mailbox for which you want to block the sign-in.
Step 4: Click on ‘Block sign-in’ from the flyout page that pops up.
Step 5: Then, check the box ✅ for ‘Block users from signing in’ and save the changes.
You can block shared mailbox sign-in using PowerShell in the following way.
Important: Before jumping into the cmdlets, make sure you are not using the x86 version of Windows PowerShell; otherwise these steps may fail with errors.
Step 1: Install the latest MSOnline module.
Install-Module MSOnline
Step 2: Install the Azure AD public preview module (AzureADPreview) to manage users from Azure Active Directory.
Install-Module AzureADPreview
Step 3: Connect to MS Online and give credentials.
Connect-MsolService
Cmdlets to Disable Shared Mailbox Logins Using PowerShell
- Check all the shared mailbox sign-in status.
- Check specific shared mailbox sign-in status.
- Block signing into a specific shared mailbox.
- Block shared mailbox sign-ins using CSV.
- Block all shared mailbox sign-ins.
- Block only sign-in enabled shared mailboxes in Office 365.
It is important to find the shared mailboxes and their current sign-in status, so first connect to Exchange Online PowerShell and run the following cmdlet.
Get-Mailbox -Filter {RecipientTypeDetails -eq "SharedMailbox"} | Get-MsolUser | Format-Table UserPrincipalName,BlockCredential
By entering the user principal name of the specific shared mailbox in the following cmdlet, you can check its sign-in status.
Get-MsolUser -UserPrincipalName <UPN of the shared mailbox> | Format-List *Block*
If the result returns ‘false’, sign-in is not blocked for that mailbox.
Use the following cmdlet to prevent users from signing into a specific shared mailbox.
Set-MsolUser -UserPrincipalName <UPN of the shared mailbox> -BlockCredential $true
To block sign-in for multiple shared mailboxes at a time, create a CSV file and then run the following script. Make sure the CSV file has a column named ‘UserPrincipalName’ so the script runs without errors.
Connect-MsolService
$SharedMailboxes = Import-Csv C:\sharedmailboxes.csv
foreach ($Mailbox in $SharedMailboxes) {
    $UPN = $Mailbox.UserPrincipalName
    Write-Progress -Activity "Blocking sign-in access to shared mailbox $UPN..."
    Set-MsolUser -UserPrincipalName $UPN -BlockCredential $true
    if ($?) {
        Write-Host "Blocked sign-in successfully for $UPN" -ForegroundColor Green
    } else {
        Write-Host "Error occurred while blocking sign-in for $UPN" -ForegroundColor Red
    }
}
You can use the following cmdlet to block sign-in for all shared mailboxes in your organization at once.
Get-Mailbox -RecipientTypeDetails "SharedMailbox" | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $true }
The following cmdlet gets all the shared mailboxes whose BlockCredential is ‘False’ and sets the value to ‘True’, so mailboxes that are already blocked are left untouched.
Get-EXOMailbox -Filter {RecipientTypeDetails -eq "SharedMailbox"} | Get-MsolUser | Select-Object UserPrincipalName,BlockCredential | Where-Object {$_.BlockCredential -eq $false} | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $true }
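The whole procedure above (list shared mailboxes, check their sign-in status, block the ones still enabled, then verify) combined into one auditable script, as an added example that is not from the original post. It assumes the ExchangeOnlineManagement and MSOnline modules are installed and that Connect-ExchangeOnline and Connect-MsolService have already been run; the function names are hypothetical and the report path is a placeholder.

```powershell
# Added example: audit shared mailbox sign-in status, block where still enabled, verify.
# Assumes Connect-ExchangeOnline and Connect-MsolService have already been run.
# Function names are hypothetical; the report path below is a placeholder.

function Get-SharedMailboxSignInStatus {
    # One row per shared mailbox: UPN and whether sign-in is currently blocked.
    Get-EXOMailbox -RecipientTypeDetails SharedMailbox -Properties UserPrincipalName,DisplayName |
        ForEach-Object {
            $msolUser = Get-MsolUser -UserPrincipalName $_.UserPrincipalName
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                DisplayName       = $_.DisplayName
                SignInBlocked     = [bool]$msolUser.BlockCredential
            }
        }
}

function Block-EnabledSharedMailboxSignIn {
    # Blocks sign-in only where it is not already blocked; -WhatIf previews the changes.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ReportPath = "C:\Reports\SharedMailboxSignIn.csv")  # placeholder path

    $status = Get-SharedMailboxSignInStatus
    # Keep the before-state as an audit trail of what was changed.
    $status | Export-Csv -Path $ReportPath -NoTypeInformation

    foreach ($mbx in ($status | Where-Object { -not $_.SignInBlocked })) {
        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, "Block sign-in")) {
            Set-MsolUser -UserPrincipalName $mbx.UserPrincipalName -BlockCredential $true
        }
    }

    # Verify: re-read the tenant and return any shared mailbox that is still sign-in enabled.
    Get-SharedMailboxSignInStatus | Where-Object { -not $_.SignInBlocked }
}

# Preview first, then apply and review anything that is still enabled.
Block-EnabledSharedMailboxSignIn -WhatIf
$stillEnabled = Block-EnabledSharedMailboxSignIn
if ($stillEnabled) { $stillEnabled | Format-Table UserPrincipalName, SignInBlocked }
```

MSOnline is deprecated in favour of Microsoft Graph PowerShell, where the equivalent switch is Update-MgUser -UserId <UPN> -AccountEnabled:$false and the status property to read is AccountEnabled rather than BlockCredential.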
Get Shared Mailbox Permissions Report
Apart from these, it is also recommended to keep control over shared mailbox permissions such as FullAccess, SendAs, and SendOnBehalf to ensure that the right people hold the right permissions on your resources. Some of the key features of the shared mailbox permission report PowerShell script are listed below.
- Filter outputs using permissions like SendAs, SendOnBehalf, FullAccess.
- Export permissions for specific or all mailboxes.
- Display only explicitly assigned permissions.
- Schedule shared mailbox permission report.
- Export shared mailbox members to CSV.
Admins can get the Exchange Online shared mailbox sign-in status through Microsoft 365 admin center. However, it is a time-consuming process where they have to locate each shared mailbox and its details to check or verify the sign-in status of the shared mailboxes.
To get the shared mailbox sign-in status with ease, the AdminDroid Exchange Online reporter steps in!
AdminDroid’s “Shared Mailboxes” report helps you easily capture the sign-in status of your shared mailboxes, protecting your environment from risky threats.
In addition, add a strong layer of protection over your shared mailboxes by managing mailbox permissions with AdminDroid’s Exchange Online reporter.
Below are the shared mailbox permission reports offered by AdminDroid’s Exchange Online reporter.
Mailbox Permission Summary: Get a summary of all shared mailboxes and their associated users with granted permissions like full access, send as, and send on behalf.
Shared Mailbox Permissions Detail: Retrieve all Microsoft 365 shared mailboxes in detail along with the users who have access to those mailboxes in your organization.
Also, you can build a security posture for your Exchange Online by governing the mailbox settings, mailbox usage, and permissions with AdminDroid Microsoft 365 management solution.
In addition, you can gain 65+ extensive auditing reports on O365 mailbox activities, access permissions, and configuration changes for effective Exchange Online auditing.
Furthermore, from AdminDroid’s Exchange Online dashboard, you can easily keep track of all your mailbox details such as mailbox utilization, mailbox storage, and mailbox audit settings from a single console.
AdminDroid: Explore Crystal Clear Statistics on Microsoft 365 Mailboxes for Efficient Exchange Online Management!
Give AdminDroid a try now and experience supervision of shared mailbox sign-in status from a single console.
I hope this blog will help you understand the concepts of blocking shared mailbox sign-in in Office 365.
Got any doubts? Feel free to reach us in the comments!