Introduction #
By default, every shared mailbox has a corresponding user account. That account has a password, but it is system-generated and unknown to anyone. Nobody is supposed to log in to the shared mailbox with it; users reach the mailbox through the permissions delegated on it.
But what if an admin simply resets the password of that user account? Or what if an attacker obtains the account's credentials? Either way, the account could then be used to sign in to the shared mailbox directly and read or send email, bypassing the delegated permissions that are supposed to control access. To prevent this, we recommend you block sign-in for all shared mailbox user accounts.
User Impact #
Low
Microsoft's licensing terms prohibit signing in to a shared mailbox directly. Users and admins should never be signing in with shared mailbox user accounts.
There should be no impact.
Admin Portal Reference #
In the Microsoft 365 Admin Center:
- Go to the Users > Active users page.
- In the list of user accounts, find all the accounts for the shared mailboxes (for example, change the filter to Unlicensed users; note that this filter also shows other unlicensed accounts, so check each one is actually a shared mailbox before blocking it).
- Select the user to open their properties pane, and then select the Block this user icon.
- In the Block this user? pane, select Block the user from signing in, and then select Save changes.
- You will need to repeat this process for any new shared mailboxes created.
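The same procedure from PowerShell, as an added example that is not part of MSPMagic or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module and the Microsoft.Graph.Users and Microsoft.Graph.Users.Actions modules are installed, and that the account running it can read mailboxes and update users (the User.ReadWrite.All scope). Shared mailboxes are found by recipient type rather than by the Unlicensed users filter, which avoids picking up unrelated unlicensed accounts; the function and variable names are my own.

```powershell
# Added example: find every shared mailbox user account and block its sign-in.
# Assumes ExchangeOnlineManagement, Microsoft.Graph.Users and
# Microsoft.Graph.Users.Actions are installed. Cmdlet and parameter names are
# the published ones; function names are assumed for this example.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# Enumerate shared mailboxes by recipient type. ExternalDirectoryObjectId is the
# object ID of the mailbox's user account in the directory, which is what the
# Graph cmdlets need.
function Get-SharedMailboxSignInStatus {
    Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited `
        -Properties ExternalDirectoryObjectId |
        ForEach-Object {
            # AccountEnabled is not returned by default, so request it explicitly.
            $user = Get-MgUser -UserId $_.ExternalDirectoryObjectId `
                -Property Id,UserPrincipalName,AccountEnabled
            [pscustomobject]@{
                DisplayName       = $_.DisplayName
                UserPrincipalName = $_.UserPrincipalName
                ObjectId          = $user.Id
                SignInBlocked     = -not $user.AccountEnabled
            }
        }
}

# Notify: report only. Enforce: disable any account that can still sign in.
function Invoke-SharedMailboxSignInCheck {
    param([ValidateSet('Notify', 'Enforce')][string]$Action = 'Notify')

    $status = @(Get-SharedMailboxSignInStatus)
    $open   = @($status | Where-Object { -not $_.SignInBlocked })

    if ($open.Count -eq 0) {
        return [pscustomobject]@{ Result = 'compliant'; Fixed = @(); Remaining = @() }
    }
    if ($Action -eq 'Notify') {
        return [pscustomobject]@{
            Result = 'non-compliant'; Fixed = @(); Remaining = @($open.UserPrincipalName)
        }
    }
    foreach ($m in $open) {
        # Block the sign-in, then revoke refresh tokens so a session that is already
        # open does not keep working until its tokens expire on their own.
        Update-MgUser -UserId $m.ObjectId -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $m.ObjectId | Out-Null
    }
    return [pscustomobject]@{
        Result = 'compliant-fixed'; Fixed = @($open.UserPrincipalName); Remaining = @()
    }
}

# Start with a report; switch to -Action Enforce once the list looks right.
Invoke-SharedMailboxSignInCheck -Action Notify | Format-List
```

Run it with `-Action Notify` first and review the Remaining list; that list is exactly the set of accounts the admin center steps above would have you find by hand. Because new shared mailboxes still need the same treatment, scheduling the Enforce run is less error-prone than repeating the portal steps each time one is created.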


If Action is set to Notify #
We report the setting as compliant if every shared mailbox user account has sign-in blocked.
We report the setting as non-compliant if any shared mailbox user account does not have sign-in blocked.
If Action is set to Enforce #
We report the setting as compliant if every shared mailbox user account already has sign-in blocked.
We report the setting as compliant-fixed if MSPMagic had to block sign-in for one or more shared mailbox user accounts.