This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 28.999999999999996%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
Hi
I would like to know what would the consecuences of disabling the associeted AAD user account of a shared mailbox.
and what would be then the best practice if this is not possible
Block Sing in ??
Thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi @Alain Diaz Quesada ,
Just checking to see how things are going with this thread. If any of the replies has been helpful, you can consider accepting it as answer for others' referencing. If you still have further questions or concerns, feel free to comment down below.
Hi Yuki
yeah thanks I had done that previously thanks a lot for your help.
By definition, a shared mailbox has a disabled AD account.
You should always disable the AD account for it
Hi @Andy David - MVP I check the accounts of a couple of our shared mailboxes on our AAD and they were not disabled is this something that happens automatic if you create the shared mailbox from scratch in exchange or di i have to make the shared mailbox then go and disable it in AAD
Either someone re-enabled them in Azure or somehow they were not created correctly.
In a hybrid environment, if you create the AD account on prem, disable the AD account as well before creating the user or remote shared mailbox.
Any shared mailboxes with active accounts in Exchange Online should have their AD accounts disabled as well to be compliant
Hi @Alain Diaz Quesada ,
For Exchange Online, It's the expected behavior that when a shared mailbox is created in Exchange Online, an active user account is also created with a system-generated (unknown) password. However, this account is not supposed to be used to log in to the shared mailbox.
I didn't see official article about if it's okay to disable the account, but according to the documentation below, the best and recommended practice is to block sign-in for it:
Block sign-in for the shared mailbox account
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you @Yuki Sun-MSFT and @Andy David - MVP i have indeed seen both of your approaches on the internet but i'm left with the interrogation then.
when creating or converting to a shared mailbox i need to disable the AAD account AND Block Sign in ? to be safe or blocking sign-in is a plus for safety reasons?
thanks a lot.
Hi @Alain Diaz Quesada ,
For Exchange on-prem, as mentioned above by Andy and the article he shared (which applies to Exchaneg 2019), it's by default that a shared mailbox has a disabled AD account.
But from your description, seems like you are using Exchange Online, right? For Exchange Online, you don't need to disable the AAD account for the shared mailbox, just need to block sign-in as aforementioned to prevent attack.
Below is a blog for reference:
Block Sign-in from Shared Mailboxes
(Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 32%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
I'm using a simple Azure Logic App to disable these accounts on a recurrence basis. Check out my blog: https://prof-it.services/blog/disable-shared-mailbox-user-accounts-with-graph-api-leveraging-azure-logic-app/