CIS.M365.1.2.2 - (L1) Ensure sign-in to shared mailboxes is blocked
Overview
1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people. Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that. This is particularly useful for help and support mailboxes because users can send emails from "Contoso Support" or "Building A Reception Desk." Shared mailboxes are created with a corresponding user account using a system generated password that is unknown at the time of creation. The recommended state is Sign in blocked for Shared mailboxes.
Rationale
The intent of the shared mailbox is to only allow delegated access from other mailboxes. An admin could reset the password, or an attacker could potentially gain access to the shared mailbox, allowing direct sign-in to the shared mailbox and subsequently the sending of email from a sender that does not have a unique identity. To prevent this, block sign-in for the account that is associated with the shared mailbox.
Remediation action
Block sign-in to shared mailboxes in the UI:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Click to expand Teams & groups and select Shared mailboxes.
- Take note of all shared mailboxes.
- Click to expand Users and select Active users.
- Select a shared mailbox account to open its properties pane and then select Block sign-in.
- Check the box for Block this user from signing in.
- Repeat for any additional shared mailboxes.
PowerShell
- Connect to Microsoft Graph using `Connect-MgGraph -Scopes "User.ReadWrite.All"`.
- Connect to Exchange Online using `Connect-ExchangeOnline`.
- To disable sign-in for a single account:

```powershell
$MBX = Get-EXOMailbox -Identity TestUser@example.com
Update-MgUser -UserId $MBX.ExternalDirectoryObjectId -AccountEnabled:$false
```

- The following will block sign-in to all shared mailboxes:

```powershell
$MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox
$MBX | ForEach-Object { Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false }
```
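The one-liners above block sign-in without first showing which shared mailboxes are actually non-compliant. The following script is an added example (not Maester's own `Test-MtCisSharedMailboxSignIn` code and not from the CIS benchmark) that audits every shared mailbox by reading the `AccountEnabled` flag of its backing Entra ID user, reports the ones that still allow sign-in, and only blocks them when `-Remediate` is passed. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that the caller has the `User.ReadWrite.All` Graph scope plus rights to read Exchange Online recipients; the `-Remediate` switch and the `$findings` object shape are this example's own.

```powershell
# Added example: audit shared mailboxes for enabled sign-in (CIS 1.2.2) and
# optionally block it. Not part of the Maester project or the CIS benchmark.
[CmdletBinding()]
param(
    # Report only by default; pass -Remediate to actually block sign-in.
    [switch]$Remediate
)

# Assumed prerequisites: ExchangeOnlineManagement and Microsoft.Graph.Users modules.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

# Every shared mailbox is backed by an Entra ID user; ExternalDirectoryObjectId
# is that user's object id, which is what the Graph cmdlets key on.
$sharedMailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox

$findings = foreach ($mbx in $sharedMailboxes) {
    # Only request the properties we need; AccountEnabled is not returned by default.
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
        -Property "Id,UserPrincipalName,AccountEnabled"

    [pscustomobject]@{
        DisplayName       = $mbx.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        ObjectId          = $user.Id
        SignInAllowed     = [bool]$user.AccountEnabled
    }
}

# Non-compliant = the backing account can still sign in interactively.
$nonCompliant = @($findings | Where-Object { $_.SignInAllowed })

Write-Host ("Shared mailboxes checked: {0}; sign-in still allowed: {1}" -f `
    @($findings).Count, $nonCompliant.Count)
$nonCompliant | Format-Table DisplayName, UserPrincipalName, ObjectId -AutoSize

if ($Remediate) {
    foreach ($item in $nonCompliant) {
        # Block sign-in; delegated access via Exchange permissions is unaffected.
        Update-MgUser -UserId $item.ObjectId -AccountEnabled:$false
        Write-Host "Blocked sign-in for $($item.UserPrincipalName)"
    }
}
elseif ($nonCompliant.Count -gt 0) {
    Write-Host "Run again with -Remediate to block sign-in for the accounts listed above."
}

# Return the findings so the caller can export or compare them on the next run.
$findings
```

Blocking the account does not affect delegated access: users who hold Full Access or Send As/Send on Behalf permissions on the mailbox continue to use it through their own signed-in identity, which is the state the control is asking for. Re-running the script without `-Remediate` after the change is a quick way to confirm that `SignInAllowed` is now false for every shared mailbox.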
Related links
- Microsoft 365 Admin Center
- About shared mailboxes in Microsoft 365
- Create a shared mailbox
- Block Microsoft 365 user accounts with PowerShell
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 39
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.1.2.2 |
| Severity | High |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisSharedMailboxSignIn |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.1.2.2, L1 |
Source
- Pester test: tests/cis/Test-MtCisSharedMailboxSignIn.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisSharedMailboxSignIn.ps1