Forum Discussion
Anchor users on Shared mailbox can still access the mailbox
Hi
We have a hybrid environment. We have a large transient employee base; freelancers come and go on short to mid contracts. When a staff member leaves, we convert their mailbox to a shared mailbox for several reasons:
1. Prevent the user from accessing the mailbox
2. Enable select current staff to have delegate access for both auditing and following up on new emails
I recently discovered that a freelancer who had left the company and subsequently returned was able to access/read/send emails from their mailbox, which had been converted to a Shared Mailbox (when they left) and was still a shared mailbox.
I had tested this process before and it wasn't possible for the user to sign into the shared mailbox. So I raised a case with Microsoft. They sent me links for current doco on converting a user mailbox to a shared mailbox. One of the items listed in the "Important things to remember", is to "Change the password on the account" to prevent the user from accessing the mailbox.
https://learn.microsoft.com/en-us/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox?view=o365-worldwide
So I tested this. I set up a user account and converted it to a shared mailbox. Set the MFA info and was able to successfully perform the following tests:
1. I could sign in with the anchor username/password on the account and access the shared mailbox.
2. "Pretended" I didn't know the password for the anchor account and clicked through "Password – Reset it now" or "Forgotten my Password" (both options in separate tests) and I was able to complete MFA and successfully change the password on the account and regain access to the Shared mailbox. Only took a couple of minutes. MS's instructions aren't correct.
The only way you can really stop an anchor account from signing in is to click "Block Sign-In" on the user account in Admin Centre. I wasn't sure how long it would take for the "Block Sign-In" to take effect; the notification within the Admin centre says a couple of minutes, however the doco says up to 24 hrs. It applied after a couple of minutes for me, but I guess this will be subjective.
It seems like Microsoft has broken the cardinal rule that the anchor account on a shared mailbox (regardless of whether it started as a user mailbox) can't be used to sign in. Having a disabled anchor account was the defining attribute of a shared mailbox; it was brilliant. You could create shared mailboxes for specific purposes and not increase the risk to the company with users having to take on more passwords, which for the most part they don't manage particularly well. Changes to these types of rules represent a major security issue, in my opinion, as most techs won't know that this is the case. To complicate matters, the MS doco has inconsistent/incorrect information about what you need to do to stop the anchor account from signing in. I think MS should have left the shared mailbox as it was; if they wanted a new type of mailbox, just define a new one in Exchange, i.e. like they did with the M365 group mailboxes.
In the Microsoft case, their response was: "Please refer to the below article for Block sign-in for shared mailbox."
https://learn.microsoft.com/en-us/microsoft-365/lighthouse/m365-lighthouse-block-signin-shared-mailboxes?view=o365-worldwide
I think just blocking the user from signing in from the M365 Admin Centre is a better solution than setting up M365 Lighthouse for my single tenant. Lighthouse looks OK if you are a service provider managing multiple tenants.
Has anyone else noticed this issue with Shared Mailboxes and Anchor accounts?
1 Reply
- Nyobi (Copper Contributor): Sorry, I spoke too soon. Blocking the anchor account from signing in only took effect until the next Dirsync replication. As the on-premise account isn't disabled, it re-enabled the account, hence removing the block.
Unfortunately, converting a user mailbox to a shared mailbox with M365 hybrid doesn't disable the on-premise account. We had manually disabled the account previously, but then we had issues with M365 deleting the mailboxes even though they are shared mailboxes. We had too many recoveries. So now we don't disable the on-prem AD account; we just set an expiration on the account and remove it from AD groups.
So what will work?
- I could try disabling the on-prem account again and see if MS attempts to delete the shared mailbox again
- Hmm I am thinking I could set a Conditional Access policy to prevent access.
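An audit script for the two failure modes raised in this thread (an anchor account that can still sign in, and a block that directory sync will overwrite because the account is synced from on-prem AD). This is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that the caller can read mailboxes and users.

```powershell
# Added example: report shared mailboxes whose anchor account can still sign in.
# Assumes ExchangeOnlineManagement and Microsoft.Graph.Users are installed.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.Read.All"

$report = foreach ($mbx in Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # ExternalDirectoryObjectId is the Entra ID object id of the mailbox's anchor account
    try {
        $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
            -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled -ErrorAction Stop
    } catch {
        Write-Warning "No Entra user found for $($mbx.UserPrincipalName): $_"
        continue
    }

    $signInAllowed = [bool]$user.AccountEnabled          # $true = anchor account can sign in
    $syncedFromAd  = [bool]$user.OnPremisesSyncEnabled   # $true = on-prem AD is the source of truth

    # A cloud-side "Block sign-in" on a synced account is reverted on the next sync,
    # so for synced accounts the finding points at on-prem AD instead.
    if ($signInAllowed -and $syncedFromAd) {
        $finding = 'Sign-in enabled; account is synced, cloud block will be overwritten by Dirsync'
    } elseif ($signInAllowed) {
        $finding = 'Sign-in enabled; set Block sign-in in the M365 admin center'
    } else {
        $finding = 'OK: sign-in blocked'
    }

    [pscustomobject]@{
        Mailbox       = $mbx.UserPrincipalName
        SignInAllowed = $signInAllowed
        SyncedFromAD  = $syncedFromAd
        Finding       = $finding
    }
}

# Worst findings first; export to CSV if you want to track remediation over time
$report | Sort-Object SignInAllowed, SyncedFromAD -Descending | Format-Table -AutoSize
```

Run it on a schedule and diff the output: a mailbox that flips back to SignInAllowed = True after a sync cycle is exactly the case the reply above describes.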