Forum Discussion
List Shared mailboxes with signin enabled and then block signin using powershell
Hi ByDesign1977
I'm sure there is a better way to do it but this is the best my brain can come up with at the moment:
Two steps - first connect to PowerShell and get a list of shared mailboxes and pump them to Get-MsolUser so you get the UserPrincipalName, and pump this to a txt file.
Get-Mailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | ft userprincipalname > c:\support\sharedmailboxes.txt
Tidy up the text file - remove the header and make sure each UPN is on its own line with no spaces. Then run the below to disable the accounts, referencing the amended txt file.
Get-Content "C:\support\sharedmailboxes_disable.txt" | ForEach { Set-MsolUser -UserPrincipalName $_ -BlockCredential $true }
This will run through the list you have and disable the accounts. Change the flag to $true if you want to enable them en masse again.
Confirm this has worked with:
Get-Mailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | ft userprincipalname,blockcredential
Like I said, I'm sure that there is a more elegant one-liner out there, but I'm not brilliant at PowerShell.
Hope this helps,
Mark
Here's that fancy one-liner for anyone looking:
Get-EXOMailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | Select-Object UserPrincipalName,blockcredential | Where {$_.BlockCredential -eq $False} | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $true}
It'll require that you connect to https://docs.microsoft.com/en-us/powershell/module/exchange/connect-exchangeonline?view=exchange-ps and https://docs.microsoft.com/en-us/powershell/module/msonline/connect-msolservice?view=azureadps-1.0 first.
By replacing your "FT" (Format-Table) with a select (Select-Object), it keeps the results in something PowerShell can read and work with.
If you want to audit first to see if there are any, and then be offered the decision to block signin, here is a code block that gives you the choice:
Function O365-DisableSharedMailboxSignin {
    #Needs ExchangeOnline and MSOLService
    $SharedMailboxes = Get-EXOMailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | Select-Object UserPrincipalName,blockcredential
    # @() forces an array so .Count is correct even when only one mailbox matches
    $SignInEnabledSharedMailboxes = @($SharedMailboxes | Where {$_.BlockCredential -eq $False})
    If ($SignInEnabledSharedMailboxes.Count -gt 0) {
        Write-Host "[BAD] $($SignInEnabledSharedMailboxes.Count) shared mailboxes were found with signin enabled."
        Do {
            $Answer = Read-Host -Prompt 'Do you want to disable signin for all shared mailboxes? (y/n)'
            # Anchored pattern: only exactly "y" or "n" is accepted, not any input that merely contains one of them
            If ($Answer -notmatch '^[yn]$') {Write-Host 'Please answer "y" for Yes or "n" for No.'}
        }
        Until ($Answer -match '^[yn]$')
        If ($Answer -eq 'y') {
            Write-Host "[GOOD] Disabling signin for all shared mailboxes."
            $SignInEnabledSharedMailboxes.UserPrincipalName | ForEach-Object { Set-MsolUser -UserPrincipalName $_ -BlockCredential $true}
        } Else {
            Write-Host "[INFORM] If you wish to manually disable signin for shared mailboxes, check out this link:"
            Write-Host ' https://techcommunity.microsoft.com/t5/exchange/list-shared-mailboxes-with-signin-enabled-and-then-block-signin/m-p/1405264'
        }
    } Else {
        Write-Host "[GOOD] No shared mailboxes were found with signin enabled."
    }
}
Will result in something like this:
PS> O365-DisableSharedMailboxSignin
[BAD] 22 shared mailboxes were found with signin enabled.
Do you want to disable signin for all shared mailboxes? (y/n): y
[GOOD] Disabling signin for all shared mailboxes.
PS> O365-DisableSharedMailboxSignin
[GOOD] No shared mailboxes were found with signin enabled.
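Added example, not part of the thread: the same audit-then-block flow using the Microsoft Graph PowerShell SDK in place of the MSOnline cmdlets, which Microsoft has deprecated. The function name is hypothetical, and it assumes Connect-ExchangeOnline and Connect-MgGraph -Scopes 'User.ReadWrite.All' have already been run; blocking sign-in here means setting AccountEnabled to false on the mailbox's user object.

```powershell
# Added example (not from the thread). Assumes these were run first:
#   Connect-ExchangeOnline
#   Connect-MgGraph -Scopes 'User.ReadWrite.All'
function Disable-SharedMailboxSignIn {   # hypothetical function name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    # -ResultSize Unlimited so large tenants are not cut off at the default result limit.
    $shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

    foreach ($mbx in $shared) {
        try {
            # AccountEnabled is not in Graph's default property set, so request it explicitly.
            $user = Get-MgUser -UserId $mbx.UserPrincipalName `
                -Property Id, UserPrincipalName, AccountEnabled -ErrorAction Stop
        } catch {
            Write-Warning "Lookup failed for $($mbx.UserPrincipalName): $_"
            continue
        }

        $action = 'AlreadyBlocked'
        if ($user.AccountEnabled) {
            $action = 'Skipped'
            # ShouldProcess provides -WhatIf and a confirmation prompt before any change.
            if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in')) {
                Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop
                $action = 'Blocked'
            }
        }

        # One record per shared mailbox, usable as an audit trail.
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            WasEnabled        = [bool]$user.AccountEnabled
            Action            = $action
        }
    }
}

# Audit only, changes nothing:
#   Disable-SharedMailboxSignIn -WhatIf | Where-Object WasEnabled
# Apply, with a confirmation prompt per mailbox (or "Yes to All"):
#   Disable-SharedMailboxSignIn | Export-Csv .\shared-mailbox-signin.csv -NoTypeInformation
```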