Shared mailbox user objects
By default, creating a shared mailbox also creates a user object in Azure AD, and that user object is enabled. Anyone who can reset its password can then sign in directly as the shared mailbox. This is a security issue because such accounts are typically not enrolled in Azure MFA and are often left out of scope of conditional access policies, so a password reset yields a full interactive sign-in to the mailbox without the controls that apply to normal user accounts. To prevent this, disable (block sign-in for) the shared mailbox user objects; delegated access to the mailbox and mail flow are not affected.
In my case I run the script below as an Azure Automation runbook in an Automation Account. To do this, follow the steps below.
- Create an Automation Account; an Azure Run As account is not needed.
- In the Automation Account select Modules, then Browse gallery, and add the AzureAD and ExchangeOnlineManagement modules.
- Go to Credentials, select Add a credential, name it AutomationCreds and enter the user name and password of an account with sufficient permissions (it must be able to read mailboxes in Exchange Online and update user objects in Azure AD). Because the runbook signs in with this credential non-interactively, the account cannot answer an MFA prompt, so treat it as a privileged secret: grant it only the permissions required and monitor its sign-ins.
- Create the runbook: select Runbooks, then Create a runbook. Enter a name, set Runbook type to PowerShell and Runtime version to 5.1.
- Paste the script below into the runbook and open the Test pane. Check the output to verify that the credential has sufficient permissions before publishing.
- Go to Schedules, select Add a schedule and create a new one; link it to the runbook you just created.
You now have a schedule in place that periodically checks for enabled shared mailbox user objects and disables them.
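The author's script is not reproduced above. The following is an added example, not the original script, of a PowerShell 5.1 runbook that performs the check the steps describe: it reads the AutomationCreds credential asset, lists shared mailboxes through the ExchangeOnlineManagement module, and blocks sign-in on any matching Azure AD user object that is still enabled. The credential name and the two module names come from the steps above; the `$WhatIf` parameter and the report layout are assumptions added here so the Test pane run can be done in report-only mode first.

```powershell
# Added example runbook (not the original script from this post).
# Assumes: an Automation credential asset named "AutomationCreds" and the
# AzureAD and ExchangeOnlineManagement modules imported into the Automation Account.
# Run with -WhatIf $true from the Test pane to report without changing anything.
param(
    [bool]$WhatIf = $false
)

$ErrorActionPreference = 'Stop'

# Pull the stored credential from the Automation Account.
$cred = Get-AutomationPSCredential -Name 'AutomationCreds'

# Exchange Online tells us which mailboxes are shared; Azure AD tells us
# whether the matching user object can still sign in.
Connect-ExchangeOnline -Credential $cred -ShowBanner:$false
Connect-AzureAD -Credential $cred | Out-Null

# ExternalDirectoryObjectId is the Azure AD object id of the mailbox's user object.
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited `
    -Properties ExternalDirectoryObjectId

$report = foreach ($mbx in $shared) {
    $user = Get-AzureADUser -ObjectId $mbx.ExternalDirectoryObjectId

    # Only enabled objects are a problem; already-blocked accounts are skipped.
    if ($user.AccountEnabled) {
        $action = 'WouldDisable'
        if (-not $WhatIf) {
            # Blocking sign-in does not affect delegates or mail flow; it only
            # prevents a direct login with the shared mailbox's own credentials.
            Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
            $action = 'Disabled'
        }
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            ObjectId = $user.ObjectId
            Action   = $action
        }
    }
}

# Emit a readable report to the job output (visible in the Test pane and job history).
if ($report) {
    $report | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output 'No enabled shared mailbox user objects found.'
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-AzureAD
```

Run it once from the Test pane with `$WhatIf` set to `$true`: a non-empty report confirms both that the credential can read mailboxes and user objects and which accounts the scheduled run will block. Any exception on `Set-AzureADUser` in a real run means the credential lacks rights to update users, which is the permission check step 8 asks for.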