Forum Discussion
Nyobi
Mar 14, 2023 | Copper Contributor
Anchor users on Shared mailbox can still access the mailbox
Hi, we have a hybrid environment. We have a large transient employee base, freelancers come and go on short to mid contracts. When a staff member leaves, we convert their mailbox to a shared mailbox...
Nyobi
Mar 14, 2023 | Copper Contributor
Sorry, I spoke too soon. Blocking the anchor account from signing in only took effect until the next Dirsync replication. As the on-premise account isn't disabled, it re-enabled the account, hence removing the block.
Unfortunately, converting a user mailbox to a shared mailbox with M365 hybrid doesn't disable the on-premise account. We had manually disabled the account previously, but then we had issues with M365 deleting the mailboxes even though they are shared mailboxes. We had too many recoveries. So now we don't disable the on-prem AD account, we just set an expiration on the account and remove it from AD groups.
So what will work??
- I could try disabling the on-prem account again and see if MS attempts to delete the shared mailbox again
- Hmm I am thinking I could set a Conditional Access policy to prevent access.