cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

List Shared mailboxes with signin enabled and then block signin using powershell

%3CLINGO-SUB%20id%3D%22lingo-sub-1405264%22%20slang%3D%22en-US%22%3EList%20Shared%20mailboxes%20with%20signin%20enabled%20and%20then%20block%20signin%20using%20powershell%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1405264%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20anyone%20advise%20me%20on%20how%20I%20can%20run%20powershell%20against%20Exchange%20Online%20to%20list%20all%20shared%20mailboxes%20with%20sigin%20enabled%20and%20then%20how%20to%20block%20signin%20using%20powershell%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWould%20be%20a%20great%20help%20if%20somene%20could%20advise.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20regards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1405264%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1405902%22%20slang%3D%22en-US%22%3ERe%3A%20List%20Shared%20mailboxes%20with%20signin%20enabled%20and%20then%20block%20signin%20using%20powershell%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1405902%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F468279%22%20target%3D%22_blank%22%3E%40ByDesign1977%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20sure%20there%20is%20a%20better%20way%20to%20do%20it%20but%20this%20is%20the%20best%20my%20brain%20can%20come%20up%20with%20at%20the%20moment%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Etwo%20steps%20-%20first%20connect%20to%20powershell%20and%20get%20a%20list%20of%20shared%20mailboxes%20and%20pump%20them%20to%20get-msol%20user%20so%20you%20get%20the%20UserPrincipalName%2C%20and%20pump%20this%20to%20a%20txt%20file.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EGet-Mailbox%20-Filter%20%7Brecipienttypedetails%20-eq%20%22SharedMailbox%22%7D%20%7C%20get-MsolUser%20%7C%20ft%20userprincipalname%20%26gt%3B%20c%3A%5Csupport%5Csharedmailboxes.txt%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETidy%20up%20the%20text%20file%20-%20remove%20the%20header%20and%20make%20sure%20each%20UPN%20is%20on%20it's%20own%20line%20with%20no%20spaces.%20Then%20run%20the%20below%20to%20disable%20the%20accounts%2C%20referencing%20the%20amended%20txt%20file%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EGet-Content%20%22C%3A%5Csupport%5Csharedmailboxes_disable.txt%22%20%7C%20ForEach%20%7B%20Set-MsolUser%20-UserPrincipalName%20%24_%20-BlockCredential%20%24true%20%7D%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20will%20run%20through%20the%20list%20you%20have%20disable.%20Change%20the%20flag%20to%20%24true%20if%20you%20want%20to%20enable%20them%20en-masse%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EConfirm%20this%20has%20worked%20with%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EGet-Mailbox%20-Filter%20%7Brecipienttypedetails%20-eq%20%22SharedMailbox%22%7D%20%7C%20get-MsolUser%20%7C%20ft%20userprincipalname%2Cblockcredential%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELike%20I%20said%20I'm%20sure%20that%20there%20is%20a%20more%20elegant%20one-liner%20out%20there%2C%20but%20I'm%20not%20brilliant%20at%20Powershell.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20helps%2C%3C%2FP%3E%3CP%3EMark%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1406263%22%20slang%3D%22en-US%22%3ERe%3A%20List%20Shared%20mailboxes%20with%20signin%20enabled%20and%20then%20block%20signin%20using%20powershell%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1406263%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20above%20should%20work%2C%20but%20what's%20the%20end%20goal%20here%3F%20Shared%20mailboxes%20are%20accessed%20via%20delegate%20permissions%2C%20you're%20not%20supposed%20to%20login%20to%20them%20directly%20by%20using%20the%20username%2Fpassword%20corresponding%20to%20the%20shared%20mailbox%20account%2C%20so%20it%20doesn't%20make%20that%20big%20of%20a%20difference%20if%20the%20account%20is%20enabled%20or%20not.%20Technically%2C%20they%20are%20all%20enabled%20by%20default%2C%20and%20technically%20you%20can%20indeed%20login%20to%20them%2C%20although%20it's%20against%20the%20license%20terms.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1406340%22%20slang%3D%22en-US%22%3ERe%3A%20List%20Shared%20mailboxes%20with%20signin%20enabled%20and%20then%20block%20signin%20using%20powershell%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1406340%22%20slang%3D%22en-US%22%3ENot%20that%20I%20disagree%2C%20but%20Microsoft%20make%20a%20point%20of%20recommend%20disabling%20the%20sign%20in%20for%20shares%20mailboxes%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Femail%2Fcreate-a-shared-mailbox%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Femail%2Fcreate-a-shared-mailbox%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1407808%22%20slang%3D%22en-US%22%3ERe%3A%20List%20Shared%20mailboxes%20with%20signin%20enabled%20and%20then%20block%20signin%20using%20powershell%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407808%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F383653%22%20target%3D%22_blank%22%3E%40HidMov%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks%20for%20this%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1407815%22%20slang%3D%22en-US%22%3ERe%3A%20List%20Shared%20mailboxes%20with%20signin%20enabled%20and%20then%20block%20signin%20using%20powershell%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407815%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BIts%20basically%20for%20security.%26nbsp%3B%20Just%20closes%20another%20potential%20hole.%3C%2FP%3E%3C%2FLINGO-BODY%3E
ByDesign1977
Occasional Contributor

‎May 20 2020 03:21 AM

‎May 20 2020 03:21 AM

List Shared mailboxes with signin enabled and then block signin using powershell

Hi All

 

Could anyone advise me on how I can run powershell against Exchange Online to list all shared mailboxes with sigin enabled and then how to block signin using powershell?

 

Would be a great help if somene could advise.

 

Kind regards

Labels:
2,282 Views
0 Likes
6 Replies
Reply
6 Replies
HidMov

‎May 20 2020 07:51 AM

‎May 20 2020 07:51 AM

Re: List Shared mailboxes with signin enabled and then block signin using powershell

Hi @ByDesign1977 

 

I'm sure there is a better way to do it but this is the best my brain can come up with at the moment:

 

two steps - first connect to powershell and get a list of shared mailboxes and pump them to get-msol user so you get the UserPrincipalName, and pump this to a txt file.

 

Get-Mailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | ft userprincipalname > c:\support\sharedmailboxes.txt

 

Tidy up the text file - remove the header and make sure each UPN is on it's own line with no spaces. Then run the below to disable the accounts, referencing the amended txt file

 

Get-Content "C:\support\sharedmailboxes_disable.txt" | ForEach { Set-MsolUser -UserPrincipalName $_ -BlockCredential $true }

 

This will run through the list you have disable. Change the flag to $true if you want to enable them en-masse again.

 

Confirm this has worked with 

 

Get-Mailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | ft userprincipalname,blockcredential

 

Like I said I'm sure that there is a more elegant one-liner out there, but I'm not brilliant at Powershell.

 

Hope this helps,

Mark

0 Likes
Reply
Vasil Michev

‎May 20 2020 09:37 AM

‎May 20 2020 09:37 AM

Re: List Shared mailboxes with signin enabled and then block signin using powershell

The above should work, but what's the end goal here? Shared mailboxes are accessed via delegate permissions, you're not supposed to login to them directly by using the username/password corresponding to the shared mailbox account, so it doesn't make that big of a difference if the account is enabled or not. Technically, they are all enabled by default, and technically you can indeed login to them, although it's against the license terms.

0 Likes
Reply
HidMov

‎May 20 2020 10:10 AM

‎May 20 2020 10:10 AM

Re: List Shared mailboxes with signin enabled and then block signin using powershell

Not that I disagree, but Microsoft make a point of recommend disabling the sign in for shares mailboxes

https://docs.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox

0 Likes
Reply
ByDesign1977

‎May 21 2020 12:56 AM

‎May 21 2020 12:56 AM

Re: List Shared mailboxes with signin enabled and then block signin using powershell

@HidMov 

 

Many thanks for this :smile:

0 Likes
Reply
ByDesign1977

‎May 21 2020 12:58 AM

‎May 21 2020 12:58 AM

Re: List Shared mailboxes with signin enabled and then block signin using powershell

@Vasil Michev Its basically for security.  Just closes another potential hole.

0 Likes
Reply
rcshoemaker

‎Aug 13 2021 06:45 AM

‎Aug 13 2021 06:45 AM

Re: List Shared mailboxes with signin enabled and then block signin using powershell

@HidMov 

 

Here's that fancy one-liner for anyone looking:

Get-EXOMailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | Select-Object UserPrincipalName,blockcredential | Where {$_.BlockCredential -eq $False} | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $true}

It'll require that you connect to exchange online  and msolservice first.

By replacing your "FT" (Format-Table) with a select (Select-Object), it keeps the results in something powershell can read and work with.

If you want to audit first to see if there are any, and then be offered the decision to block signin, here is a code block that gives you the choice:

Function O365-DisableSharedMailboxSignin {
	#Needs ExchangeOnline and MSOLService
	$SharedMailboxes = Get-EXOMailbox -Filter {recipienttypedetails -eq "SharedMailbox"} | get-MsolUser | Select-Object UserPrincipalName,blockcredential
	$SignInEnabledSharedMailboxes = $SharedMailboxes | Where {$_.BlockCredential -eq $False}
	If ($SignInEnabledSharedMailboxes) {
		Write-Host "[BAD] $($SignInEnabledSharedMailboxes.Count) shared mailboxes were found with signin enabled."
		Do {
			$Answer = Read-Host -Prompt 'Do you want to disable signin for all shared mailboxes? (y/n)'
			If (!($Answer -match 'y' -or $Answer -match 'n')) {Write-Host 'Please answer "y" for Yes or "n" for No.'}
		}
		Until ($Answer -match 'y' -or $Answer -match 'n')
		If ($Answer -match 'y') {
			Write-Host "[GOOD] Disabling signin for all shared mailboxes."
			$SignInEnabledSharedMailboxes.UserPrincipalName | ForEach-Object { Set-MsolUser -UserPrincipalName $_ -BlockCredential $true}
		} Else {
			Write-Host "[INFORM] If you wish to manually disable signin for shared mailboxes, check out this link:"
			Write-Host '          https://techcommunity.microsoft.com/t5/exchange/list-shared-mailboxes-with-signin-enabled-and-then-block-signin/m-p/1405264'
		}
	} Else {
		Write-Host "[GOOD] No shared mailboxes were found with signin enabled."
	}
}

Will result in something like this:


PS> O365-DisableSharedMailboxSignin
[BAD] 22 shared mailboxes were found with signin enabled.
Do you want to disable signin for all shared mailboxes? (y/n): y
[GOOD] Disabling signin for all shared mailboxes.


PS> O365-DisableSharedMailboxSignin
[GOOD] No shared mailboxes were found with signin enabled.

0 Likes
Reply