
Block Shared Mailbox Sign-in To Protect Your Office 365 Environment
In Office 365, mailboxes are used to transmit email messages, so protecting those mailboxes is essential. A shared mailbox allows multiple users to access the same mailbox. The real problem lies in shared mailbox security, especially the password that is auto-generated when you create a shared mailbox. Blocking shared mailbox sign-in is the best way to avoid those troublesome situations. Let’s check how!
What Is a Shared Mailbox Used For?
A shared mailbox is a mailbox that is shared by a group of delegated users in Office 365 for sending and receiving emails based on the permissions they hold. When you create a shared mailbox in Exchange Online, a password is generated for the mailbox at the back end. This password, together with the shared mailbox email address, can be used as sign-in credentials by any user who has it, leaving the mailbox open to serious compromise.
For instance, suppose admins reset the password for a shared mailbox and provide it to one of the users for any reason. After leaving the organization, that user may use the password to attack the organization’s resources.
Why Should We Block Shared Mailbox Sign-ins?
In the era of account compromises, phishing attacks, and other password attacks, shared mailbox compromise is no exception. The automatically created password can be dangerous if reset by admins or stolen by hackers. Fortunately, you can prevent this by blocking sign-ins in two different ways.
- Block shared mailbox sign-in using Microsoft 365 Admin Center
- Block shared mailbox sign-in using PowerShell
How To Block Shared Mailbox Sign-in Using Microsoft 365 Admin Center?
It’s a doddle to block shared mailbox sign-ins using Microsoft 365 Admin Center. All you have to do is to follow the steps given below.
Step 1: Log into the Microsoft 365 Admin Center.
Step 2: Under ‘Users’ select ‘Active Users’.
Step 3: Select the shared mailbox for which you want to block the sign-in.
Step 4: Click on ‘Block sign-in’ from the flyout page that pops up.
Step 5: Then, check the box ✅ for ‘Block users from signing in’ and Save changes.
How To Block Shared Mailbox Sign-in Using PowerShell?
You can block shared mailbox sign-in using PowerShell in the following way.
Important: Before jumping into the cmdlets, make sure you are not using the x86 version of Windows PowerShell, so that these steps run without any error.
Step 1: Install the latest MSOnline module.
Install-Module MSOnline
Step 2: Install the AzureADPreview public preview module to manage users from Azure Active Directory.
Install-Module AzureADPreview
Step 3: Connect to MS Online and give credentials.
Connect-MsolService
Cmdlets to Disable Shared Mailbox Logins Using PowerShell
- Check all the shared mailbox sign-in status.
- Check specific shared mailbox sign-in status.
- Block signing into a specific shared mailbox.
- Block shared mailbox sign-ins using CSV.
- Block all shared mailbox sign-ins.
- Block only sign-in enabled shared mailboxes in Office 365.
Check All the Shared Mailbox Sign-in Status
It is important to find the shared mailboxes and their current sign-in status, so first connect to Exchange Online PowerShell and run the following cmdlet.
Get-Mailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | ft userprincipalname,blockcredential
Check Specific Shared Mailbox Sign-in Status
By entering the user principal name of the specific shared mailbox in the following cmdlet, you can check its sign-in status.
Get-MsolUser -UserPrincipalName <UPN of the shared mailbox> |fl *block*
If the result returns ‘false’, sign-in is not blocked for that mailbox.
Block Signing into a Specific Shared Mailbox
Use the following cmdlet to prevent users from signing into a specific shared mailbox.
Set-MsolUser -UserPrincipalName <UPN of the shared mailbox> -BlockCredential $true
Block Shared Mailbox Sign-ins Using CSV
To block sign-in for multiple shared mailboxes at a time, create a CSV file and then run the following script. Make sure the CSV file has a column named ‘UserPrincipalName’ so that the script runs without any errors.
Connect-MsolService
$SharedMailboxes = Import-Csv C:\sharedmailboxes.csv   # one row per shared mailbox
foreach ($Mailbox in $SharedMailboxes) {
    $Upn = $Mailbox.UserPrincipalName
    Write-Progress -Activity "Blocking sign-in access to SMB - $Upn..."
    Set-MsolUser -UserPrincipalName $Upn -BlockCredential $true
    If ($?) {   # $? is true when the previous command succeeded
        Write-Host "Blocked Successfully to $Upn" -ForegroundColor Green
    }
    Else {
        Write-Host "Error occurred while blocking to $Upn" -ForegroundColor Red
    }
}
Block All Shared Mailbox Sign-ins
You can use the following cmdlet to easily block sign-in for all shared mailboxes in your organization.
Get-Mailbox -RecipientTypeDetails "SharedMailbox" | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $true}
Block Only Sign-in Enabled Shared Mailboxes in Office 365
The following cmdlet gets all the shared mailboxes with BlockCredential set to ‘False’ and sets the value to ‘True’.
Get-EXOMailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | Select-Object UserPrincipalName,blockcredential | Where {$_.BlockCredential -eq $False} | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $true}
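The status check and the block step above combined into one audited run, as an added example that is not part of the original article. The function name Block-SharedMailboxSignIn and the report path are hypothetical; the code assumes sessions already opened with Connect-ExchangeOnline and Connect-MsolService and uses only the cmdlets shown above plus a CSV report.

```powershell
# Added example: audit, block and verify shared mailbox sign-in in one pass.
# Assumes Connect-ExchangeOnline and Connect-MsolService have already been run.
function Block-SharedMailboxSignIn {           # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Where the before/after report is written (path is an assumption).
        [string]$ReportPath = '.\SharedMailboxSignInReport.csv'
    )

    $report = foreach ($mbx in Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
        $upn    = $mbx.UserPrincipalName
        $before = (Get-MsolUser -UserPrincipalName $upn).BlockCredential
        $result = 'AlreadyBlocked'

        if (-not $before) {
            $result = 'Skipped'                # stays 'Skipped' under -WhatIf
            if ($PSCmdlet.ShouldProcess($upn, 'Block sign-in')) {
                try {
                    Set-MsolUser -UserPrincipalName $upn -BlockCredential $true -ErrorAction Stop
                    $result = 'Blocked'
                }
                catch {
                    $result = "Failed: $($_.Exception.Message)"
                }
            }
        }

        # Re-read the account so the report shows the state the tenant actually holds.
        [pscustomobject]@{
            UserPrincipalName = $upn
            BlockedBefore     = $before
            BlockedAfter      = (Get-MsolUser -UserPrincipalName $upn).BlockCredential
            Result            = $result
        }
    }

    # Keep the before/after state on disk as a change record.
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    $report
}

# Dry run: lists which shared mailboxes would be blocked, changes nothing.
Block-SharedMailboxSignIn -WhatIf

# Once the dry-run output looks right, apply and list anything still sign-in enabled:
# Block-SharedMailboxSignIn | Where-Object { -not $_.BlockedAfter }
```

The BlockedBefore column doubles as a rollback list: any mailbox that was deliberately left sign-in enabled can be identified from the report.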
Get Shared Mailbox Permissions Report
Apart from these, it is also recommended to keep control over shared mailbox permissions such as FullAccess, SendAs, and SendOnBehalf to ensure that the right people hold the right permissions on your resources. Some of the key features of the shared mailbox permission report PowerShell script are listed below.
- Filter outputs using permissions like SendAs, SendOnBehalf, FullAccess.
- Export permissions for specific or all mailboxes.
- Displays only explicitly assigned permissions.
- Schedule shared mailbox permission report.
- Export shared mailbox members to CSV.
I hope this blog will help you understand the concepts of blocking shared mailbox sign-in in Office 365.
Got any doubts? Feel free to reach us in the comments!