Forum Discussion
Yasemin
Jun 18, 2025 | Brass Contributor
Security Best Practices for Bookings Page's Mailbox Objects in Entra ID
Hi, are there any recommendations / best practices for hardening the user objects that are created in Entra ID when I create a new Microsoft Bookings page? Unlike regular shared mailboxes, the si...
- Jun 19, 2025
You can disable the account if you're too worried; it shouldn't affect the Booking functionality.
JonathanCox234
Nov 23, 2025 | Copper Contributor
For Bookings mailboxes, the safest approach is to treat them like service accounts. Disable interactive sign-in, block all authentication methods, and allow access only through the Bookings service. If sign-in must remain enabled, apply a strict Conditional Access policy (location/device restrictions), enable sign-in alerts, and monitor inbox-rule creation via Defender. This prevents brute-force attacks and stops bad actors from registering MFA or accessing customer data.
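
Added example, not part of any reply in this thread: a PowerShell audit that lists each Bookings mailbox account with its sign-in state, any non-password authentication methods registered on it, and its inbox-rule count, and disables sign-in only when asked to. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that Bookings mailboxes appear with recipient type `SchedulingMailbox`; the `-DisableSignIn` switch and the report column names are made up for this example.

```powershell
# Added example: audit Bookings mailbox accounts in Entra ID / Exchange Online.
# -DisableSignIn is a hypothetical switch; without it the script only reports.
param(
    [switch]$DisableSignIn
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.Read.All'

# Assumption: Bookings pages are backed by SchedulingMailbox recipients.
$mailboxes = Get-EXOMailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited

$report = foreach ($mbx in $mailboxes) {
    $id   = $mbx.ExternalDirectoryObjectId
    $user = Get-MgUser -UserId $id -Property 'id,userPrincipalName,accountEnabled'

    # Every user object carries a password method; anything beyond that
    # (authenticator app, phone, FIDO2 key, ...) was registered by someone.
    $extraMethods = @(Get-MgUserAuthenticationMethod -UserId $id | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    })

    # Inbox rules on a mailbox nobody signs in to deserve a manual look.
    $rules = @(Get-InboxRule -Mailbox $mbx.UserPrincipalName)

    $disabledNow = $false
    if ($DisableSignIn -and $user.AccountEnabled) {
        Update-MgUser -UserId $id -AccountEnabled:$false
        $disabledNow = $true
    }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        SignInEnabled     = [bool]$user.AccountEnabled -and -not $disabledNow
        ExtraAuthMethods  = $extraMethods.Count
        InboxRules        = $rules.Count
        DisabledThisRun   = $disabledNow
    }
}

# Accounts that can still sign in, or that have MFA methods or rules, sort first.
$report |
    Sort-Object SignInEnabled, ExtraAuthMethods, InboxRules -Descending |
    Format-Table -AutoSize
```

Run it without the switch first and review any row showing registered methods or inbox rules before disabling anything.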