Disable Shared Mailbox Sign-Ins
As part of the Exchange Online hardening process, one must disable the sign-in ability of shared mailboxes. This process is simple. You will need the Exchange Online and MSOnline PowerShell modules. First, we grab all the shared mailboxes using Exchange Online. Then, using the user principal name, we grab the user info from the MSOnline module. From there we find each MS user who isn’t blocked and set them to blocked. Finally, we report back on the shared mailboxes that are blocked. Now that we have the concept, let us break it down a little more. FYI, this can be done in a single line, but that would make it confusing, so we will make it into a more functional script. Let us start up VS Code and get started.
First, connect to the services we need with Connect-ExchangeOnline and Connect-MsolService. We live in the world of MFA, so I will assume you complete the MFA prompts for these two commands.
Next, we grab all the shared mailboxes by filtering the Get-Mailbox command. We are looking for RecipientTypeDetails to be equal to SharedMailbox.
$SharedMailboxes = Get-Mailbox -Filter { recipienttypedetails -eq "SharedMailbox" }
Then we grab the MS user information for each shared mailbox. Once we have the MS user information, we only want the user principal name and the block credential.
$Accounts = $SharedMailbox | Get-MsolUser | Select-Object userprincipalname, blockcredential
Now loop through the accounts, checking each account to see if its credentials are blocked. If it isn’t, aka false, then we set the block credential to true with Set-MsolUser.
foreach ($Account in $Accounts) {
    if ($Account.blockcredential -eq $False) {
        Set-MsolUser -UserPrincipalName $Account.Userprincipalname -BlockCredential $true
    }
}
Next, we confirm every shared mailbox has its block credential set to true. We are basically repeating the commands above as a single line: Get-Mailbox with the filter for RecipientTypeDetails equal to SharedMailbox, piped into Get-MsolUser, then selecting the user principal name and block credential.
Get-Mailbox -Filter { recipienttypedetails -eq "SharedMailbox" } | Get-MsolUser | Select-Object userprincipalname, blockcredential
Finally, we run our disconnects to close the Exchange Online session and remove any leftover PowerShell sessions. Let’s combine it all together and see how the script unfolds.
The Script
Connect-ExchangeOnline
Connect-MsolService
$SharedMailboxes = Get-Mailbox -Filter { recipienttypedetails -eq "SharedMailbox" }
foreach ($SharedMailbox in $SharedMailboxes) {
    $Accounts = $SharedMailbox | Get-MsolUser | Select-Object userprincipalname, blockcredential
    foreach ($Account in $Accounts) {
        if ($Account.blockcredential -eq $False) {
            Write-Host "Blocking $($Account.Userprincipalname)"
            Set-MsolUser -UserPrincipalName $Account.Userprincipalname -BlockCredential $true
        }
    }
}
Get-Mailbox -Filter { recipienttypedetails -eq "SharedMailbox" } | Get-MsolUser | Select-Object userprincipalname, blockcredential
Disconnect-ExchangeOnline
Get-PSSession | Remove-PSSession -Confirm:$false
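As an added example (not the post's script), here is the same procedure wrapped in a function that supports -WhatIf for a dry run, reports a mailbox whose MSOL user lookup fails instead of skipping it silently, and emits one object per mailbox so the result can be kept as an audit record. It assumes Connect-ExchangeOnline and Connect-MsolService have already been run, and uses Get-Mailbox's -RecipientTypeDetails parameter in place of the -Filter script block; the function name and the CSV path are my own choices.

```powershell
# Added example: audit every shared mailbox, block sign-in where it is still
# enabled, and return one report object per mailbox.
# Assumes Connect-ExchangeOnline and Connect-MsolService were already run.
function Invoke-SharedMailboxSignInBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param ()

    # Same selection as -Filter { recipienttypedetails -eq "SharedMailbox" }
    $sharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

    foreach ($mailbox in $sharedMailboxes) {
        $upn = $mailbox.UserPrincipalName
        try {
            $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        }
        catch {
            # Mailbox exists in Exchange but has no matching MSOL user: report it
            [PSCustomObject]@{
                UserPrincipalName = $upn
                DisplayName       = $mailbox.DisplayName
                BlockedBefore     = $null
                Action            = "Error: $($_.Exception.Message)"
            }
            continue
        }

        $action = 'AlreadyBlocked'
        if (-not $user.BlockCredential) {
            # -WhatIf only reports the change; -Confirm prompts per mailbox
            if ($PSCmdlet.ShouldProcess($upn, 'Set BlockCredential = $true')) {
                Set-MsolUser -UserPrincipalName $upn -BlockCredential $true
                $action = 'Blocked'
            }
            else {
                $action = 'Skipped'
            }
        }

        [PSCustomObject]@{
            UserPrincipalName = $upn
            DisplayName       = $mailbox.DisplayName
            BlockedBefore     = [bool]$user.BlockCredential
            Action            = $action
        }
    }
}

# Dry run first, then apply and keep a record of what changed (path is my choice)
Invoke-SharedMailboxSignInBlock -WhatIf
Invoke-SharedMailboxSignInBlock | Export-Csv -Path .\SharedMailboxSignIn.csv -NoTypeInformation
```

Rows with Action "Error" point at mailboxes the MSOnline lookup could not resolve, which are exactly the ones the pipeline version of the script would have passed over without comment.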