Forum Discussion
Disabling Sign in for Shared accounts
I have been reading that Microsoft recommends disabling Sign ins for shared 365 accounts. As per below:
- Signing in: A shared mailbox is not intended for direct sign-in by its associated user account. You should always block sign-in for the shared mailbox account and keep it blocked.
Which is lifted from the following link:
https://learn.microsoft.com/en-us/microsoft-365/admin/email/about-shared-mailboxes?view=o365-worldwide
This leaves me with a few questions. I have always assumed that as a shared mailbox doesn't have sign-in credentials, it COULD NOT be signed into, but the above statement suggests otherwise?
If Microsoft recommends that sign-ins for shared mailboxes are blocked, the statement "a shared mailbox is not intended for direct sign-ins" begs the question... why is there a way to sign in to shared mailboxes that needs blocking? Why aren't shared mailbox accounts set up with "sign-ins" blocked by default? Why would I have to perform another task (blocking sign-ins) every single time I create a shared mailbox?
How can people sign into shared mailboxes directly and what access will they have?
Thanks for any help
1 Reply
- PankajBadoni (Iron Contributor)
When a new shared mailbox is created, a system-generated password is automatically assigned, but it is not known to anyone. However, an administrator can reset the password and then sign into the mailbox directly if needed.
Create a shared mailbox - Microsoft 365 admin | Microsoft Learn
Every shared mailbox has a corresponding user account. Notice how you weren't asked to provide a password when you created the shared mailbox? The account has a password, but it's system-generated (unknown). You aren't supposed to use the account to log in to the shared mailbox.
But what if an admin simply resets the password of the shared mailbox user account? Or what if an attacker gains access to the shared mailbox account credentials? This would allow the user account to log in to the shared mailbox and send email. To prevent this, you need to block sign-in for the account that's associated with the shared mailbox.
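An added example, not code from this thread or from Microsoft's documentation: a PowerShell audit that lists every shared mailbox whose backing user account still allows sign-in, and blocks it only when run with -Remediate. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that the caller holds Exchange admin rights plus the User.ReadWrite.All Graph scope.

```powershell
# Added example (not from the original thread or Microsoft's docs): audit every
# shared mailbox in the tenant and report, or optionally block, sign-in for the
# user account behind it. Assumes ExchangeOnlineManagement and
# Microsoft.Graph.Users are installed and the caller is an Exchange admin
# with the User.ReadWrite.All scope.
param(
    [switch]$Remediate   # omit to only report; pass -Remediate to block sign-in
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# RecipientTypeDetails = SharedMailbox returns only shared mailboxes, not
# ordinary user mailboxes that merely have delegates.
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited `
    -Properties ExternalDirectoryObjectId, UserPrincipalName, DisplayName

$report = foreach ($mbx in $shared) {
    # ExternalDirectoryObjectId is the Entra ID object id of the backing account.
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property Id, AccountEnabled

    # AccountEnabled = $true means sign-in is NOT blocked: the state the docs warn about.
    $signInAllowed = [bool]$user.AccountEnabled
    $action = 'compliant'

    if ($signInAllowed -and $Remediate) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        $action = 'sign-in blocked'
    } elseif ($signInAllowed) {
        $action = 'NEEDS BLOCKING'
    }

    [pscustomobject]@{
        DisplayName       = $mbx.DisplayName
        UserPrincipalName = $mbx.UserPrincipalName
        SignInAllowed     = $signInAllowed
        Action            = $action
    }
}

# Non-compliant mailboxes sort to the top.
$report | Sort-Object SignInAllowed -Descending | Format-Table -AutoSize
```

Blocking sign-in on the backing account does not touch the Full Access or Send As permissions that delegates use, so people who open the shared mailbox from their own account keep working as before.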