May 20 2020 03:21 AM
Hi All
Could anyone advise me on how I can run PowerShell against Exchange Online to list all shared mailboxes with signin enabled and then how to block signin using PowerShell?
Would be a great help if someone could advise.
Kind regards
May 20 2020 07:51 AM
I'm sure there is a better way to do it but this is the best my brain can come up with at the moment:
Two steps: first connect to PowerShell and get a list of shared mailboxes and pump them to Get-MsolUser so you get the UserPrincipalName, and pump this to a txt file.
Get-Mailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | ft userprincipalname > c:\support\sharedmailboxes.txt
Tidy up the text file - remove the header and make sure each UPN is on its own line with no spaces. Then run the below to disable the accounts, referencing the amended txt file:
Get-Content "C:\support\sharedmailboxes_disable.txt" | ForEach { Set-MsolUser -UserPrincipalName $_ -BlockCredential $true }
This will run through the list you have disable. Change the flag to $true if you want to enable them en-masse again.
Confirm this has worked with
Get-Mailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | ft userprincipalname,blockcredential
Like I said, I'm sure that there is a more elegant one-liner out there, but I'm not brilliant at PowerShell.
Hope this helps,
Mark
May 20 2020 09:37 AM
The above should work, but what's the end goal here? Shared mailboxes are accessed via delegate permissions; you're not supposed to log in to them directly by using the username/password corresponding to the shared mailbox account, so it doesn't make that big of a difference if the account is enabled or not. Technically, they are all enabled by default, and technically you can indeed log in to them, although it's against the license terms.
May 21 2020 12:58 AM
@Vasil Michev It's basically for security. Just closes another potential hole.
Aug 13 2021 06:45 AM
Here's that fancy one-liner for anyone looking:
Get-EXOMailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | Select-Object UserPrincipalName,blockcredential | Where {$_.BlockCredential -eq $False} | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $true}
It'll require that you connect to Exchange Online and MsolService first.
By replacing your "FT" (Format-Table) with a select (Select-Object), it keeps the results in something PowerShell can read and work with.
If you want to audit first to see if there are any, and then be offered the decision to block signin, here is a code block that gives you the choice:
Function O365-DisableSharedMailboxSignin {
    # Needs ExchangeOnline and MSOLService
    $SharedMailboxes = Get-EXOMailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | Get-MsolUser | Select-Object UserPrincipalName,BlockCredential
    # @() keeps .Count reliable when exactly one mailbox matches
    $SignInEnabledSharedMailboxes = @($SharedMailboxes | Where-Object {$_.BlockCredential -eq $False})
    If ($SignInEnabledSharedMailboxes.Count -gt 0) {
        Write-Host "[BAD] $($SignInEnabledSharedMailboxes.Count) shared mailboxes were found with signin enabled."
        # Accept only a bare y or n; an unanchored -match 'y' would also fire on input such as "no way"
        Do {
            $Answer = Read-Host -Prompt 'Do you want to disable signin for all shared mailboxes? (y/n)'
            If ($Answer -notmatch '^[yn]$') {Write-Host 'Please answer "y" for Yes or "n" for No.'}
        }
        Until ($Answer -match '^[yn]$')
        If ($Answer -match '^y$') {
            Write-Host "[GOOD] Disabling signin for all shared mailboxes."
            $SignInEnabledSharedMailboxes.UserPrincipalName | ForEach-Object { Set-MsolUser -UserPrincipalName $_ -BlockCredential $true }
        } Else {
            Write-Host "[INFORM] If you wish to manually disable signin for shared mailboxes, check out this link:"
            Write-Host ' https://techcommunity.microsoft.com/t5/exchange/list-shared-mailboxes-with-signin-enabled-and-then-block-signin/m-p/1405264'
        }
    } Else {
        Write-Host "[GOOD] No shared mailboxes were found with signin enabled."
    }
}
Will result in something like this:
PS> O365-DisableSharedMailboxSignin
[BAD] 22 shared mailboxes were found with signin enabled.
Do you want to disable signin for all shared mailboxes? (y/n): y
[GOOD] Disabling signin for all shared mailboxes.
PS> O365-DisableSharedMailboxSignin
[GOOD] No shared mailboxes were found with signin enabled.
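
An added example, not part of the thread and not written by any of its posters: the list, block and confirm steps discussed above as one function with -WhatIf/-Confirm support and a CSV change record for rollback. It uses the same Get-EXOMailbox, Get-MsolUser and Set-MsolUser cmdlets as the posts; the function name Block-SharedMailboxSignIn and the log path are hypothetical, and it assumes Connect-ExchangeOnline and Connect-MsolService have already been run.

```powershell
# Added example, not code from the thread. Assumes an active Connect-ExchangeOnline
# and Connect-MsolService session; the function name and CSV path are hypothetical.
function Block-SharedMailboxSignIn {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Change record used for review and rollback; the default path is a placeholder.
        [string]$LogPath = ".\shared-mailbox-signin-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )

    # -ResultSize Unlimited so a large tenant is not truncated at the default result limit.
    $mailboxes = @(Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited)

    # Look each account up by UPN and report failed lookups instead of skipping them silently.
    $users = foreach ($mbx in $mailboxes) {
        try   { Get-MsolUser -UserPrincipalName $mbx.UserPrincipalName -ErrorAction Stop }
        catch { Write-Warning "No directory account for $($mbx.UserPrincipalName): $_" }
    }

    $open = @($users | Where-Object { $_.BlockCredential -eq $false })
    Write-Verbose "$($mailboxes.Count) shared mailboxes, $($open.Count) with signin enabled."

    $results = foreach ($user in $open) {
        $upn = $user.UserPrincipalName
        # -WhatIf lists the accounts without changing them; -Confirm prompts per account.
        if (-not $PSCmdlet.ShouldProcess($upn, 'Block signin')) { continue }
        try {
            Set-MsolUser -UserPrincipalName $upn -BlockCredential $true -ErrorAction Stop
            # Re-read the account so the record shows the stored state, not the request.
            $after = (Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop).BlockCredential
            [pscustomobject]@{ UserPrincipalName = $upn; WasBlocked = $false; IsBlocked = $after; Error = $null }
        }
        catch {
            [pscustomobject]@{ UserPrincipalName = $upn; WasBlocked = $false; IsBlocked = $null; Error = "$_" }
        }
    }

    # Write the change record only when something was actually attempted.
    if ($results) { $results | Export-Csv -Path $LogPath -NoTypeInformation }
    $results
}

# Preview:  Block-SharedMailboxSignIn -WhatIf
# Apply:    Block-SharedMailboxSignIn -Confirm:$false
```

Rows with IsBlocked other than True, or with a non-empty Error column, are the accounts to recheck by hand.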