Forum Discussion
JonasBack
Oct 31, 2018, Steel Contributor
Shared Mailbox can have a password and login enabled without license
I'm very much aware of the license requirements for Shared Mailboxes in Exchange Online and for all Shared Mailboxes we always give licensed users access to them. If we need to login to the actual sh...
- Nov 01, 2018
This "feature" has been around for years, but despite probing Microsoft numerous times about it, we haven't received a clear answer. Until we do so, assume that it's unsupported, and that it breaks the license agreement.
Applications should still be able to access the mailbox via delegate/impersonation permissions.
ArendvanDijk
Apr 19, 2023, Brass Contributor
Just tested: by default, the user object of a Shared Mailbox is still enabled and can be used for interactive login. Why does Microsoft do this and then recommend that it is better to disable this user object? (https://learn.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide#block-sign-in-for-the-shared-mailbox-account).
Surely it makes much more sense to automatically disable the corresponding user object when creating a Shared Mailbox? Sometimes Microsoft's choices are incomprehensible...
TherealKillerbe
Jan 24, 2024, Brass Contributor
Exchange Online uses a separate identity provider from Entra ID. When you get the shared mailbox, you will see that the identity of the shared mailbox is disabled in the IDP used by Exchange Online.
(Get-mailbox email address removed for privacy reasons | Get-user).AccountDisabled = True
However, the Entra ID account is enabled, and the identity in the IDP for Exchange is synced from Entra ID; however, the account state isn't.
(Get-MGBetaUser -filter "UserprincipalName eq 'email address removed for privacy reasons'").AccountEnabled = True
Even more confusing, using Microsoft.Graph (1.0) does not return any value:
(Get-MGUser -filter "UserprincipalName eq 'email address removed for privacy reasons'").AccountEnabled =
However, Entra ID shows that the account is enabled.
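An audit for the mismatch discussed in this thread, added here as an example and not posted by any participant: it lists every shared mailbox next to the account state reported by Exchange Online and by Entra ID, and flags the ones that can still sign in. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that the operator has rights to read users; `AccountEnabled` is requested explicitly with `-Property` because the v1.0 endpoint only returns a default subset of user properties.

```powershell
# Added example: find shared mailboxes whose Entra ID user object still allows sign-in.
# Assumes ExchangeOnlineManagement and Microsoft.Graph.Users are installed.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All'

$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$report = foreach ($mbx in $shared) {
    # ExternalDirectoryObjectId is the Entra ID object id behind the mailbox.
    $entra = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
        -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses

    # Account state as seen by Exchange Online's own directory.
    $exo = Get-User -Identity $mbx.UserPrincipalName

    [pscustomobject]@{
        UserPrincipalName   = $entra.UserPrincipalName
        ExoAccountDisabled  = $exo.AccountDisabled
        EntraAccountEnabled = $entra.AccountEnabled
        Licensed            = @($entra.AssignedLicenses).Count -gt 0
        ObjectId            = $entra.Id
    }
}

# Shared mailboxes that can still be used for interactive login.
$signInPossible = $report | Where-Object { $_.EntraAccountEnabled }
$signInPossible | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Remediation, to run only after reviewing the list
# (needs Connect-MgGraph -Scopes 'User.ReadWrite.All'):
# foreach ($row in $signInPossible) {
#     Update-MgUser -UserId $row.ObjectId -AccountEnabled:$false
# }
```

Applications that reach the mailbox through delegate or impersonation permissions, as mentioned earlier in the thread, do not sign in as the mailbox's own user object and so do not depend on it being enabled.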