1.2.2 Ensure sign-in to shared mailboxes is blocked

Information

Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people.

Users who have been granted Send As or Send on Behalf permissions on the shared mailbox can send mail from the mailbox's address. This is particularly useful for help and support mailboxes because users can send emails from 'Contoso Support' or 'Building A Reception Desk.'

Shared mailboxes are created with a corresponding user account in the directory. That account receives a system-generated password that is not disclosed at the time of creation, so nobody is expected to sign in to it directly.

The recommended state is Sign in blocked for Shared mailboxes.

Rationale:

The intent of the shared mailbox is to only allow delegated access from other mailboxes. An admin could reset the password, or an attacker could otherwise obtain the credentials, allowing direct sign-in to the shared mailbox and subsequently the sending of email from a sender that has no unique, accountable identity. To prevent this, block sign-in for the account that is associated with the shared mailbox.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Block sign-in to shared mailboxes in the UI:

Navigate to Microsoft 365 admin center https://admin.microsoft.com/

Click to expand Teams & groups and select Shared mailboxes.

Take note of all shared mailboxes.

Click to expand Users and select Active users.

Select a shared mailbox account to open its properties pane and then select Block sign-in.

Check the box for Block this user from signing in.

Repeat for any additional shared mailboxes.

Using PowerShell, two modules are needed: AzureAD (to change the account's sign-in state) and ExchangeOnlineManagement (to enumerate shared mailboxes).

Connect using Connect-AzureAD.

To disable sign-in for a single account:

Set-AzureADUser -ObjectId [email protected] -AccountEnabled $false

Or, the following script will block sign-in to all Shared Mailboxes.

Connect using Connect-ExchangeOnline.

# -ResultSize Unlimited: the default page size is 1000, so large tenants would otherwise be silently truncated
$MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
# ExternalDirectoryObjectId is the object ID of the user account backing each shared mailbox
$MBX | ForEach-Object {Set-AzureADUser -ObjectId $_.ExternalDirectoryObjectId -AccountEnabled $false}
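Because the page has no audit step, and the AzureAD module used above is deprecated in favor of the Microsoft Graph PowerShell SDK, the following added example (written for this page, not part of the CIS benchmark or of Tenable's plugin) reports every shared mailbox whose backing account can still sign in, and blocks sign-in only when run with -Remediate. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that the caller holds Exchange admin rights plus the User.ReadWrite.All Graph permission; the property names on the output object are the example's own.

```powershell
# Added example, not from the benchmark: audit shared mailboxes for sign-in state
# with Exchange Online + Microsoft Graph, optionally blocking sign-in.
# Assumes: ExchangeOnlineManagement and Microsoft.Graph.Users modules installed,
# Exchange admin rights, and the User.ReadWrite.All Graph scope.
param(
    [switch]$Remediate   # default is audit-only; pass -Remediate to block sign-in
)

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# -ResultSize Unlimited: the default page size is 1000, which would truncate large tenants
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$findings = foreach ($mbx in $shared) {
    # ExternalDirectoryObjectId is the Entra ID object ID of the account backing the mailbox
    $id   = $mbx.ExternalDirectoryObjectId
    $user = Get-MgUser -UserId $id -Property Id,UserPrincipalName,AccountEnabled

    [pscustomobject]@{
        Mailbox        = $mbx.PrimarySmtpAddress
        ObjectId       = $id
        AccountEnabled = $user.AccountEnabled
        Compliant      = (-not $user.AccountEnabled)   # benchmark passes only when sign-in is blocked
    }
}

# Any row with Compliant = False fails 1.2.2
$findings | Sort-Object Compliant, Mailbox | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in ($findings | Where-Object { -not $_.Compliant })) {
        # Equivalent of Set-AzureADUser -AccountEnabled $false, via Microsoft Graph
        Update-MgUser -UserId $f.ObjectId -AccountEnabled:$false
        Write-Host "Blocked sign-in for $($f.Mailbox)"
    }
}
```

Run it once without -Remediate and review the table before running it again with -Remediate; a shared mailbox that a team genuinely signs in to (rather than accesses by delegation) should be converted to a regular licensed mailbox rather than left exempt.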

Default Value:

AccountEnabled: True

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: microsoft_azure

Control ID: 54d262cdd29680eecb24b602a6a4fa98e2fb56f85f55b478d106ce3df99cfa56