Block Shared Mailbox Sign-ins Using PowerShell 

Block Shared Mailbox Sign-ins Using Graph PowerShell

Shared mailboxes in Microsoft 365 are a powerful feature that lets multiple users read and send from a common mailbox. They are typically used for group addresses like support@company.com or sales@company.com, where several team members need to work the same queue in real time.

However, as useful as shared mailboxes are, they carry real security risk if mismanaged. One of those risks is that every shared mailbox is backed by a user account with an auto-generated password, and unless you block it, that account can be signed in to directly.

So, in this blog, I will walk you through how to block shared mailbox sign-ins in Microsoft 365, an essential security practice that is often underestimated. I have given step-by-step guides to block these sign-ins both via the Microsoft 365 admin center and via PowerShell.

Why Block Shared Mailbox Sign-ins in Microsoft 365?

First things first: shared mailboxes are designed for delegated access, not for direct sign-in. Every shared mailbox is backed by a user account in Entra ID, and if that account can sign in, anyone who knows or resets its password can open the mailbox without any delegation at all. Allowing that exposes your environment to several security and compliance risks:

  1. Unauthorized Access: With sign-in enabled, the shared mailbox account is one more password-protected door into the tenant. Weak or reused passwords, or a password reset by anyone with reset rights, let a malicious actor walk straight in.
  2. Security Breaches: A user logged in directly to a shared mailbox could unintentionally or maliciously delete emails, change mailbox settings (inbox or forwarding rules, for instance), or share confidential data externally.
  3. Compromised Credentials: If the account's credentials are compromised, an attacker gains the whole mailbox and any sensitive data in it. Because nobody is supposed to sign in as the shared mailbox, these accounts usually have no MFA methods registered, so a stolen password is often enough.
  4. Loss of Accountability: When several people use one set of credentials, actions in the mailbox cannot be attributed to an individual. Delegated access keeps the delegate's identity in the audit log; direct sign-in throws it away.

Given these risks, block direct sign-ins to shared mailboxes and grant access only through delegated permissions (Full Access, Send As, Send on Behalf).

How to Block Sign-ins into Shared Mailboxes?

By now, you have probably realized why blocking sign-ins into shared mailboxes is so crucial. There are two primary ways to do it: the Microsoft 365 admin center or PowerShell.

I'll walk you through both methods, so you'll have a complete toolkit to secure your Microsoft 365 environment.

Block Shared Mailbox Sign-ins via Microsoft 365 Admin Center

This is by far the easiest method, and it is all done through the Microsoft 365 admin center. Here is how:

1. Sign in to the Microsoft 365 admin center.
2. Navigate to Users → Active users in the left navigation pane.
3. Select the shared mailbox from the user list; a flyout pane appears.
4. In that pane, click Block sign-in. A confirmation flyout opens; tick the "Block this user from signing in" checkbox and hit Save.

Blocking sign-in here sets the same accountEnabled property on the account that the PowerShell commands below set. While this method is simple, it gets tedious when you need to block sign-ins for many shared mailboxes, so I have included PowerShell scripts that handle the different cases.

Block Shared Mailbox Sign-ins via PowerShell

Here comes my favorite method of all! I am more of a 'PowerShell it' person, because it gives me granular control and saves me from doing everything by hand. It is also the only practical option at scale.

Below is a set of PowerShell commands to block sign-ins using the Microsoft Graph (Microsoft.Graph) and Exchange Online (ExchangeOnlineManagement) modules. Avoid the AzureAD and MSOnline cmdlets even though their retirement timeline was extended; they are deprecated. Both modules must be connected first (Connect-ExchangeOnline and Connect-MgGraph), using an account that holds a role allowed to disable users and manage licenses, such as User Administrator.
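Before any of the commands in this section will run, both modules need to be installed and connected with enough rights. The following is an added example and not code from the original post: it connects Exchange Online and Microsoft Graph, then verifies that the Graph session actually carries the scope the block and license cmdlets need, so a script does not fail half-way through with a 403 because Connect-MgGraph silently reused an older, narrower session. User.ReadWrite.All is the documented Graph delegated permission that covers reading and setting accountEnabled and assigning licenses; the admin UPN is a placeholder.

```powershell
# Added example (not from the original post): install, connect and verify scopes.
# Assumptions: the signed-in admin holds a role such as User Administrator;
# admin@contoso.onmicrosoft.com is a placeholder UPN.
foreach ($module in 'ExchangeOnlineManagement', 'Microsoft.Graph.Users', 'Microsoft.Graph.Users.Actions') {
    if (-not (Get-Module -ListAvailable -Name $module)) {
        Install-Module -Name $module -Scope CurrentUser -Force
    }
}

# Exchange Online is needed for Get-Mailbox (which accounts are shared mailboxes)
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com' -ShowBanner:$false

# Microsoft Graph: User.ReadWrite.All covers Get-MgUser, Update-MgUser -AccountEnabled,
# Get-MgUserLicenseDetail and Set-MgUserLicense. Request only what you will use.
$requiredScopes = @('User.ReadWrite.All')
Connect-MgGraph -Scopes $requiredScopes -NoWelcome

# Connect-MgGraph reuses a cached session if one exists, possibly consented with fewer
# scopes. Check the token rather than trusting the -Scopes argument.
$context = Get-MgContext
$missing = $requiredScopes | Where-Object { $_ -notin $context.Scopes }
if ($missing) {
    throw "Graph session is missing required scope(s): $($missing -join ', '). Run Disconnect-MgGraph and reconnect."
}
Write-Host "Connected to Graph as $($context.Account) with scopes: $($context.Scopes -join ', ')"
```

If the throw fires, the fix is Disconnect-MgGraph followed by a fresh Connect-MgGraph, which prompts for consent to the added scope; nothing below needs Directory.ReadWrite.All, so do not request it just to be safe.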

Find Sign-in Status of All Shared Mailboxes:

Before you block anything, check the current sign-in status of every shared mailbox. The lookup below keys on ExternalDirectoryObjectId (the Entra ID object ID of the account behind the mailbox) instead of filtering Graph by UPN, which avoids quoting problems when a UPN contains an apostrophe. -ResultSize Unlimited is required because Get-Mailbox returns at most 1,000 results by default.

Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
ForEach-Object {
    # accountEnabled = $true means the shared mailbox account can still sign in
    $user = Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property DisplayName,AccountEnabled
    [PSCustomObject]@{
        DisplayName       = $user.DisplayName
        AccountEnabled    = $user.AccountEnabled
        UserPrincipalName = $_.UserPrincipalName
    }
} | Format-Table -AutoSize

If you want to check the sign-in status for a specific shared mailbox, use this cmdlet (replace <SMBUPN> with the mailbox's UPN; keep the quotes, since PowerShell treats an unquoted < and > as redirection):

Get-MgUser -UserId "<SMBUPN>" -Property AccountEnabled,DisplayName | Select-Object DisplayName,AccountEnabled

Block Sign-in for a Specific Shared Mailbox:

Now for the main part. To block sign-in for a single shared mailbox, set its accountEnabled property to false; -UserId accepts either the UPN or the object ID:

Update-MgUser -UserId "char@qqhk.onmicrosoft.com" -AccountEnabled:$false

Block Sign-ins for Multiple Shared Mailboxes:

Sure, you can block sign-ins via the UI, but what if you need to block several shared mailboxes at once? This PowerShell script is perfect for that. Store the UPNs in a CSV file with a single column named UserId (the script reads that column header) and point the script at the file path.

Import-Csv "D:\blocksignins.csv" | ForEach-Object {
    $UserId = $_.UserId
    Write-Host "Disabling sign-in for: $UserId"
    Update-MgUser -UserId $UserId -AccountEnabled:$false
}

Block Sign-ins for All Shared Mailboxes in Microsoft 365:

If you want to block sign-ins for all shared mailboxes at once, this script is for you. It fetches every shared mailbox (-ResultSize Unlimited, because the default cap of 1,000 would silently skip the rest in a large tenant) and blocks sign-in on each in one go:

$sharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Select-Object UserPrincipalName, ExternalDirectoryObjectId
$sharedMailboxes | ForEach-Object {
    Write-Host "Processing Shared Mailbox: $($_.UserPrincipalName)"
    # ExternalDirectoryObjectId is the Entra ID object ID of the mailbox's account
    Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false
}
Write-Host "Completed disabling sign-in for all shared mailboxes."
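The one-liner above does the job, but in a real tenant you usually want a dry run, an exclusion list for the odd mailbox that some legacy integration still signs in to, and a record of what was changed. The following is an added example, not code from the original post: it wraps the same Update-MgUser call in a function that supports -WhatIf, skips accounts that are already blocked, keeps going when one update fails, and writes a before/after report to CSV. It assumes Connect-ExchangeOnline and Connect-MgGraph -Scopes User.ReadWrite.All have already run; the function name, parameter names, report path and the excluded UPN are my own choices.

```powershell
# Added example (not from the original post): bulk-block with dry run, exclusions and a report.
# Assumes both modules are connected; scanner@contoso.onmicrosoft.com is a placeholder.
function Block-SharedMailboxSignIn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # UPNs to leave alone, e.g. a mailbox an old integration still signs in to
        [string[]] $Exclude = @(),
        [string]   $ReportPath = ".\SharedMailboxSignInReport.csv"
    )

    # Get-Mailbox returns at most 1000 objects unless -ResultSize Unlimited is given
    $shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

    $report = foreach ($mbx in $shared) {
        # ExternalDirectoryObjectId is the Entra ID object ID behind the mailbox; keying on it
        # avoids UPN/SMTP mismatches and quoting problems in -Filter strings
        $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property Id,AccountEnabled

        if ($mbx.UserPrincipalName -in $Exclude) {
            $action = 'Excluded'
        } elseif (-not $user.AccountEnabled) {
            $action = 'AlreadyBlocked'       # idempotent: nothing to do
        } elseif ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Block sign-in')) {
            try {
                Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop
                $action = 'Blocked'
            } catch {
                # e.g. insufficient privileges for a role-holding account; record it and continue
                $action = "Failed: $($_.Exception.Message)"
            }
        } else {
            $action = 'WhatIf'               # -WhatIf was given: would have been blocked
        }

        [PSCustomObject]@{
            DisplayName       = $mbx.DisplayName
            UserPrincipalName = $mbx.UserPrincipalName
            WasEnabled        = $user.AccountEnabled
            Action            = $action
        }
    }

    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    $report | Group-Object Action | Select-Object Name, Count   # summary per outcome
}

# Dry run first, review the CSV, then apply for real
Block-SharedMailboxSignIn -WhatIf
Block-SharedMailboxSignIn -Exclude 'scanner@contoso.onmicrosoft.com'
```

One caveat worth knowing: blocking sign-in stops new sign-ins, but access tokens that were already issued keep working until they expire. If you are blocking a shared mailbox because you suspect its credentials were used, also run Revoke-MgUserSignInSession -UserId <object ID> so that refresh tokens are invalidated as well.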

Recommendation – Remove Licenses for Shared Mailboxes:

While blocking sign-ins is a great step, I also recommend reviewing your shared mailboxes' licenses. A shared mailbox does not need a license unless it exceeds 50 GB of storage, needs an online archive, or must be placed on litigation hold or similar compliance holds. Removing unnecessary licenses cuts cost. Note that a license does not govern who can access the mailbox: access comes from delegated permissions (Full Access, Send As) together with the sign-in block above, with or without a license. Check size, archive and hold status before removing a license, because a mailbox that relies on one is no longer supported without it.

So, I worked on a simple yet effective PowerShell script that does the following for you:

1. Identifies accounts with sign-ins already disabled.
2. Checks whether each of those accounts is a shared mailbox.
3. Removes any licenses directly assigned to those shared mailboxes.

# Start from every disabled account, then keep only those that are shared mailboxes
$disabledUsers = Get-MgUser -Filter "accountEnabled eq false" -All -Property Id,UserPrincipalName
foreach ($user in $disabledUsers) {
    $mailbox = Get-Mailbox -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue
    if ($null -ne $mailbox -and $mailbox.RecipientTypeDetails -eq 'SharedMailbox') {
        Write-Host "Processing shared mailbox: $($user.UserPrincipalName)"
        $licenses = Get-MgUserLicenseDetail -UserId $user.Id
        if ($licenses.Count -gt 0) {
            # Collect the SKUs of the licenses to be removed.
            # Set-MgUserLicense only removes direct assignments; a license inherited through
            # group-based licensing errors here and must be removed from the group instead.
            $licenseSkuIds = $licenses.SkuId
            Write-Host "Removing licenses: $licenseSkuIds for $($user.UserPrincipalName)"
            Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $licenseSkuIds
        } else {
            Write-Host "No licenses found for $($user.UserPrincipalName)"
        }
    } else {
        Write-Host "Leaving disabled user account without changes: $($user.UserPrincipalName)"
    }
}
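The removal script treats every licensed shared mailbox as a candidate. Before running it, you want to know which shared mailboxes actually need their license: the ones over 50 GB, with an active archive, or under a hold. The following is an added example and not code from the original post: a function that reports size, archive and hold status next to the currently assigned SKUs for every shared mailbox, so you can split them into "safe to unlicense" and "must stay licensed" before touching anything. It assumes both modules are connected (User.Read.All is enough on the Graph side for this read-only audit); the function name and the output column names are my own, the 50 GB figure is the unlicensed shared mailbox quota, and the mailbox property names are Exchange Online's.

```powershell
# Added example (not from the original post): audit which shared mailboxes need a license.
# Assumes Connect-ExchangeOnline and Connect-MgGraph have run; read-only, changes nothing.
function Get-SharedMailboxLicenseNeed {
    param(
        [long] $FreeQuotaBytes = 50GB   # quota an unlicensed shared mailbox gets
    )

    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
        $mbx   = $_
        $stats = Get-MailboxStatistics -Identity $mbx.ExchangeGuid.ToString()

        # TotalItemSize renders as "12.3 GB (13,207,024,640 bytes)"; pull out the raw byte count
        $match = [regex]::Match($stats.TotalItemSize.ToString(), '\(([\d,]+) bytes\)')
        $bytes = if ($match.Success) { [long]($match.Groups[1].Value -replace ',', '') } else { 0 }

        $licenses = Get-MgUserLicenseDetail -UserId $mbx.ExternalDirectoryObjectId

        # Any one of these means the mailbox must keep a license
        $reasons = @()
        if ($bytes -gt $FreeQuotaBytes)          { $reasons += 'Over50GB' }
        if ($mbx.ArchiveStatus -eq 'Active')     { $reasons += 'ArchiveEnabled' }
        if ($mbx.LitigationHoldEnabled)          { $reasons += 'LitigationHold' }
        if (@($mbx.InPlaceHolds).Count -gt 0)    { $reasons += 'RetentionHold' }

        [PSCustomObject]@{
            UserPrincipalName = $mbx.UserPrincipalName
            SizeGB            = [math]::Round($bytes / 1GB, 2)
            Licensed          = ($licenses.Count -gt 0)
            Skus              = ($licenses.SkuPartNumber -join ';')
            NeedsLicense      = ($reasons.Count -gt 0)
            Reason            = ($reasons -join ';')
        }
    }
}

$audit = Get-SharedMailboxLicenseNeed

# Safe to feed into the removal script: licensed, but nothing requires the license
$audit | Where-Object { $_.Licensed -and -not $_.NeedsLicense } | Format-Table -AutoSize

# Needs attention the other way: unlicensed but over quota, archived or on hold
$audit | Where-Object { -not $_.Licensed -and $_.NeedsLicense } | Format-Table -AutoSize
```

The second table is the one people forget about: a shared mailbox that grew past 50 GB or was put on hold after its license was removed is just as much a problem as an over-licensed one, and this audit surfaces both from the same pass.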

Wrapping things up!

Shared mailboxes are essential in many organizations, but they come with security challenges that cannot be ignored. Whether you prefer the GUI or the flexibility of PowerShell, the methods outlined in this blog will help you keep unauthorized access out of your organization.

If you have any requirements for this case, let me know in the comments and I will work on it and keep it here!
