Forum Discussion
Improving security for shared mailboxes or generic user accounts
Hi,
Our organisation uses generic accounts for each location, for example location@company.com.
Recently we have seen an increase in attempts to log in to these generic accounts, and I'm trying to find a better way to do this.
Just want to get some feedback on these options that I have in mind and see if there are any other suggestions out there?
1. Use a shared mailbox - but maybe put some conditional access policies on it to improve security. I think going with this option will mean that I can't use multi-factor authentication (MFA).
2. Use a generic account - but forward the emails to an individual within the organisation and block sign-ins to the generic account. Still apply the requirement for MFA on the generic account. (Can I still receive emails if I block sign-ins from Azure?)
3. Can't really think of another way..
4 Replies
- Do you need to send messages directly as these addresses? If not, simply recreate them as DLs or Office 365 Groups (you can still use Send As permissions to send messages if needed).
You can safely block the account and it will continue receiving messages. You can also disable POP/IMAP/SMTP protocols, which are usually the target for brute-force attempts. And having a tenant-wide policy that blocks basic auth isn't a bad thing either 🙂
- Livi_1 (Copper Contributor): Thanks! Using Office 365 groups fits the bill exactly!
- Livi_1 (Copper Contributor): It's easy to manage. However, I noticed the groups that were created in Teams did not automatically appear within Outlook. So if anyone is having similar issues, I found this article:
https://techcommunity.microsoft.com/t5/microsoft-365-groups/office-365-groups-not-visible-in-outlook-client/m-p/275611
You have to change the value in Exchange PowerShell:
Set-UnifiedGroup -Identity "group name" -HiddenFromExchangeClientsEnabled:$false
I only had to do it for one group so that made it easy.
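The hardening steps suggested in the first reply (disable POP/IMAP/SMTP AUTH, block sign-in, tenant-wide basic auth block), sketched as an added example that is not part of the original thread. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that each mailbox's address is also its sign-in name; the addresses, function names and policy name are constructed for illustration.

```powershell
# Added example. Addresses below are constructed placeholders, not values from the thread.
$GenericAccounts = @('location1@company.example', 'location2@company.example')

# Report which legacy protocols are still enabled on each generic mailbox.
function Get-LegacyProtocolState {
    param([Parameter(Mandatory)][string[]]$Identity)
    foreach ($id in $Identity) {
        $cas = Get-CASMailbox -Identity $id
        [pscustomobject]@{
            Identity         = $id
            PopEnabled       = $cas.PopEnabled
            ImapEnabled      = $cas.ImapEnabled
            # Empty value means the mailbox inherits the tenant-wide SMTP AUTH setting.
            SmtpAuthDisabled = $cas.SmtpClientAuthenticationDisabled
        }
    }
}

# Disable the legacy protocols and block interactive sign-in.
# A blocked account keeps receiving mail; delegates use Send As / Full Access instead.
function Protect-GenericAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Identity)
    foreach ($id in $Identity) {
        if ($PSCmdlet.ShouldProcess($id, 'Disable POP/IMAP/SMTP AUTH and block sign-in')) {
            Set-CASMailbox -Identity $id -PopEnabled $false -ImapEnabled $false `
                -SmtpClientAuthenticationDisabled $true
            # Assumption: the mailbox address equals the user principal name.
            Update-MgUser -UserId $id -AccountEnabled:$false
        }
    }
}

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All'

Get-LegacyProtocolState -Identity $GenericAccounts | Format-Table -AutoSize

# Preview first; remove -WhatIf to apply.
Protect-GenericAccount -Identity $GenericAccounts -WhatIf

# Optional tenant-wide block: a new authentication policy allows no basic auth by default.
# 'Block Basic Auth' is a constructed policy name.
# New-AuthenticationPolicy -Name 'Block Basic Auth'
# Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'
```

Run `Get-LegacyProtocolState` again after applying the changes to confirm that POP and IMAP show as disabled on every generic mailbox.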