Secure Your Church’s M365 Shared Mailbox in Just 5 Minutes

I recently read about yet another church losing a large amount of money to hackers. This particular church lost over $600,000 USD and is a reminder of why hackers love to go after churches: huge bank accounts with lax protection. In the past we’ve talked about the importance of using both individual and shared email accounts in your church. Specifically, you should always use people’s names for login accounts and if you need role-based emails then you need aliases and shared mailboxes. Today I want to walk you through the basics of keeping those shared mailboxes secure: blocking sign-in so only assigned login enabled accounts can ever access the mailbox.

You shouldn't have any password assigned to a shared mailbox!

What does ‘Blocking Sign-In’ for a shared mailbox do?

‘Blocking sign-in’ means preventing the shared mailbox from being signed into directly. You aren’t supposed to be able to sign into a Microsoft 365 shared mailbox directly, but it’s possible to do it so the consensus is to outright block sign in, in fact, Microsoft has this to say about blocking sign-in for shared mailboxes:

“A shared mailbox is not intended for direct sign-in by its associated user account. You should always block sign-in for the shared mailbox account and keep it blocked.”

Via https://learn.microsoft.com

Once you have blocked sign-in, only the people you assign to the shared mailbox get access to it.

How to Block Sign-In for a shared mailbox

To block sign-in for a shared mailbox, follow these steps:

  1. Go to the Microsoft 365 admin center.
  2. Navigate to Active users under Users.
  3. Find and select the shared mailbox.
  4. Click the link at the top that toggles blocking/unblocking sign-in.
  5. Save your changes.

blocking sign-in to a shared mailbox

By following these steps, you can ensure that the shared mailbox can only be accessed by people logging in with their own accounts that have been granted access to the mailbox.

Granting Appropriate Access to a shared mailbox

Once sign-in is blocked, you should ensure that the right individuals have the appropriate access permissions to the shared mailbox. You can audit access by:

  1. Go to the Microsoft 365 admin center.
  2. Navigate to Shared mailboxes under Teams & Groups.
  3. Find and select the shared mailbox.
  4. Under “Members” add the users you want to grant access to the mailbox.
  5. Under Manage mailbox permissions, change the “Read and manage permissions” and “send as permissions” add users that you want to be able to send as though they are that mailbox instead of their individual mailbox.

Regularly Review and Update Permissions to shared mailboxes

Periodically review your shared mailboxes, especially when roles within your team change. Since shared mailboxes represent roles, make sure you review them when people in your team change roles.

Tip: Train Your Team to Report Spam and Phishing

If you are using the new Outlook client or the Outlook web-based client, then your team can and should use the “Report” button when they receive spam or phishing emails. This helps prevent future spam and phishing emails from landing in the shared mailbox and helps to train M365 to protect churches worldwide.

reporting phishing and spam in a shared mailbox

Closing Thoughts

Blocking shared mailboxes is a simple and important baseline security step for your church. Make sure you always block shared mailboxes from having sign-in ability and be sure to audit who you assign to shared mailboxes. From there, it becomes an issue of making sure you secure user access to their individual accounts by enabling MFA, disabling API authorizations, making sure they don’t have admin privileges, etc.

isaac

Other articles you might like…