Exchange Online Shared Mailboxes are now disabled

Hi All,

Did you notice that the Entra ID User Accounts are now disabled when you create Shared Mailboxes in Exchange Online?

In April of this Year I saw that Shared Mailboxes in Exchange Online had disabled Entra Accounts. But it was not consistent in different Tenants and disappeared after a few days.

Now I have retested this, and the Entra ID Accounts of Shared Mailboxes are now disabled. I can’t tell when this change was implemented and I didn’t see any Documentation or Information in the Message Center - but it’s possible I’ve overlooked that. Does anybody have more Information?

Shared Mailbox

Create a Shared Mailbox in Exchange Online (Cloud Only)

Connect-ExchangeOnline -ShowBanner:$false
New-Mailbox -Name DemoOnline -Shared

Get the AccountDisabled Property of Get-User in Exchange Online

Get-Mailbox -Identity DemoOnline | Get-User | fl AccountDisabled

Entra Admin Center

Let’s check it with Microsoft.Graph PowerShell

Connect-MgGraph -Scopes User.Read.All -NoWelcome
Get-MgUser -UserId DemoOnline@icewolfch.onmicrosoft.com -Property AccountEnabled | fl *enab*

Room Mailbox

Create a Room Mailbox in Exchange Online (Cloud Only)

New-Mailbox -Name DemoOnlineRoom -Room

Get the AccountDisabled Property of Get-User in Exchange Online

Get-Mailbox -Identity DemoOnlineRoom | Get-User | fl AccountDisabled

Entra Admin Center

Room Mailboxes need to be enabled when used for Teams Rooms and Panels. But for all other Types the Rooms Account should also be disabled in my Opinion.

New-Mailbox -MicrosoftOnlineServicesID <Office365 ID> -Name <String> -Alias <string> -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force)

Equipment Mailbox

Create an Equipment Mailbox in Exchange Online (Cloud Only)

New-Mailbox -Name DemoOnlineEquipment -Equipment

Get the AccountDisabled Property of Get-User in Exchange Online

Get-Mailbox -Identity DemoOnlineEquipment | Get-User | fl AccountDisabled

Entra Admin Center

I don’t know of any Use Case where Equipment Mailboxes require an Enabled Entra ID Account.

Synced Shared Mailbox

I’ve also checked the Remote Shared Mailbox created on the Exchange Server SE

New-RemoteMailbox -Name DemoOnPrem -RemoteRoutingAddress DemoOnPrem@icewolfch.mail.onmicrosoft.com -Shared

Get the Active Directory User

Get-ADUser -Identity DemoOnPrem

I am using Entra Connect Sync 2.5.79

Let’s start the Entra ID Delta Sync

Start-ADSyncSyncCycle -PolicyType Delta

Get the AccountDisabled Property of Get-User in Exchange Online

Get-Mailbox -Identity DemoOnPrem | Get-User | fl AccountDisabled

Entra Admin Center

Get-MgUser -UserId DemoOnPrem@icewolf.ch -Property AccountEnabled | fl *enab*

Synced Room Mailbox

I’ve also checked the Remote Room Mailbox created on the Exchange Server SE

$OU = "OU=Icewolf Users,DC=corp,DC=icewolf,DC=ch"
New-RemoteMailbox -Name DemoOnPremRoom -RemoteRoutingAddress DemoOnPremRoom@icewolfch.mail.onmicrosoft.com -Room -OnPremisesOrganizationalUnit $OU

Get the Active Directory User

Get-ADUser -Identity DemoOnPremRoom

Get the AccountDisabled Property of Get-User in Exchange Online

Get-Mailbox -Identity DemoOnPremRoom | Get-User | fl AccountDisabled

Entra Admin Center

Synced Equipment Mailbox

I’ve also checked the Remote Equipment Mailbox created on the Exchange Server SE

New-RemoteMailbox -Name DemoOnPremEquipment -RemoteRoutingAddress DemoOnPremEquipment@icewolfch.mail.onmicrosoft.com -Equipment -OnPremisesOrganizationalUnit $OU

Get the Active Directory User

Get-ADUser -Identity DemoOnPremEquipment

Get the AccountDisabled Property of Get-User in Exchange Online

Get-Mailbox -Identity DemoOnPremEquipment | Get-User | fl AccountDisabled

Entra Admin Center

List Shared Mailboxes and AccountEnabled

I’ve written a little Script to check if Shared Mailboxes are Enabled in Exchange Online

#List Shared Mailboxes in Exchange Online
$Mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox
Foreach ($Mailbox in $Mailboxes)
{
    $ObjectId = $Mailbox.ExternalDirectoryObjectId
    $PrimarySMTPAddress = $Mailbox.PrimarySMTPAddress
    $User = Get-User -Identity $ObjectID
    $AccountDisabled = $User.AccountDisabled
    Write-Host "$PrimarySMTPAddress > $AccountDisabled"
}
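
As an added example (not the author's script), the same check can be extended to Shared, Room and Equipment Mailboxes and compared against the Entra ID view from Microsoft Graph, so that accounts that can still sign in show up in one report. It assumes Connect-ExchangeOnline and Connect-MgGraph -Scopes User.Read.All have already been run; the variable names and the CSV file name are chosen for illustration.

```powershell
# Added example: read-only audit of the account state behind Shared, Room and
# Equipment Mailboxes. Assumes existing Exchange Online and Graph sessions.
$Types = 'SharedMailbox', 'RoomMailbox', 'EquipmentMailbox'
$Mailboxes = Get-Mailbox -RecipientTypeDetails $Types -ResultSize Unlimited

$Report = foreach ($Mailbox in $Mailboxes) {
    $ObjectId = $Mailbox.ExternalDirectoryObjectId

    # Exchange Online view of the account state (same property as above)
    $ExoUser = Get-User -Identity $ObjectId

    # Entra ID view of the same object; stays empty if the lookup fails
    $MgUser = Get-MgUser -UserId $ObjectId -Property Id, AccountEnabled -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PrimarySmtpAddress = $Mailbox.PrimarySmtpAddress
        Type               = $Mailbox.RecipientTypeDetails
        IsDirSynced        = $Mailbox.IsDirSynced
        ExoAccountDisabled = $ExoUser.AccountDisabled
        EntraEnabled       = $MgUser.AccountEnabled
    }
}

# Accounts that can still sign in according to either directory view.
# Room Mailboxes used for Teams Rooms and Panels are expected here, so treat
# Room hits as items to review rather than as findings.
$Enabled = $Report | Where-Object {
    $_.EntraEnabled -eq $true -or $_.ExoAccountDisabled -eq $false
}

# Keep the full state for later comparison (file name is an example)
$Report | Export-Csv -Path .\MailboxAccountState.csv -NoTypeInformation -Encoding UTF8

$Enabled | Sort-Object Type, PrimarySmtpAddress | Format-Table -AutoSize
```

The IsDirSynced column separates cloud-only mailboxes from the ones created with New-RemoteMailbox, whose account state comes from the on-premises Active Directory through Entra Connect Sync.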

Summary

It’s best Practice that Exchange Online Shared Mailboxes have disabled Entra ID Accounts. Good to see this. There are some specialities for Room Mailboxes when it comes to Teams Rooms, but the default should also be a disabled Entra ID Account. For Equipment Mailboxes I don’t see any reason for an enabled Entra ID Account.

Regards
Andres Bohren
