List Shared mailboxes with signin enabled and then block signin using powershell


Hi All

Could anyone advise me on how I can run powershell against Exchange Online to list all shared mailboxes with signin enabled and then how to block signin using powershell?

Would be a great help if someone could advise.

Kind regards

5 Replies

Hi @ByDesign1977

I'm sure there is a better way to do it but this is the best my brain can come up with at the moment:

Two steps - first connect to powershell and get a list of shared mailboxes and pump them to Get-MsolUser so you get the UserPrincipalName, and pump this to a txt file.

Get-Mailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | ft userprincipalname > c:\support\sharedmailboxes.txt

Tidy up the text file - remove the header and make sure each UPN is on its own line with no spaces. Then run the below to disable the accounts, referencing the amended txt file:

Get-Content "C:\support\sharedmailboxes_disable.txt" | ForEach { Set-MsolUser -UserPrincipalName $_ -BlockCredential $true }

This will run through the list you have disable. Change the flag to $true if you want to enable them en-masse again.

Confirm this has worked with:

Get-Mailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | ft userprincipalname,blockcredential

Like I said I'm sure that there is a more elegant one-liner out there, but I'm not brilliant at Powershell.

Hope this helps,

Mark

The above should work, but what's the end goal here? Shared mailboxes are accessed via delegate permissions, you're not supposed to login to them directly by using the username/password corresponding to the shared mailbox account, so it doesn't make that big of a difference if the account is enabled or not. Technically, they are all enabled by default, and technically you can indeed login to them, although it's against the license terms.

Not that I disagree, but Microsoft make a point of recommending disabling the sign in for shared mailboxes

https://docs.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox

@Vasil Michev It's basically for security. Just closes another potential hole.
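
The list-then-block procedure from the first reply, done in a single pass with no intermediate text file (an added example, not part of any post in this thread). It assumes Exchange Online and MSOnline sessions are already connected; the function name Block-SharedMailboxSignIn and the report path are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline and Connect-MsolService have
# already been run. Function name and report path are hypothetical.
function Block-SharedMailboxSignIn {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        # CSV listing every account this run changed, kept for rollback.
        [string]$ReportPath = 'C:\support\sharedmailboxes_blocked.csv'
    )

    # Without -ResultSize Unlimited, Get-Mailbox stops at the first 1000 results.
    $shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

    $changed = foreach ($mbx in $shared) {
        $user = Get-MsolUser -UserPrincipalName $mbx.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "No user object found for $($mbx.UserPrincipalName)"
            continue
        }

        # BlockCredential is $true when sign-in is already blocked; skip those.
        if ($user.BlockCredential) { continue }

        # Honours -WhatIf and -Confirm, so the change set can be previewed first.
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in')) {
            Set-MsolUser -UserPrincipalName $user.UserPrincipalName -BlockCredential $true
            [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                DisplayName       = $user.DisplayName
                BlockedAt         = (Get-Date).ToString('s')
            }
        }
    }

    # Only write the report when something was actually changed.
    if ($changed) { $changed | Export-Csv -Path $ReportPath -NoTypeInformation }
    $changed
}

# Preview which shared mailboxes still allow sign-in, without changing anything:
#   Block-SharedMailboxSignIn -WhatIf
# Apply the block:
#   Block-SharedMailboxSignIn
```

To reverse a run, import the report CSV and call Set-MsolUser with -BlockCredential $false for each UserPrincipalName in it.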