When you create a new shared mailbox in Exchange Online, whether in the admin center or with PowerShell, a user account for it is automatically created in Entra ID and, unfortunately, left sign-in enabled by default. The Entra ID object behind a shared mailbox is an ordinary user account, but a shared mailbox does not need that account to be sign-in enabled: delegates reach it through their own mailbox permissions (Full Access, Send As), never by signing in as the mailbox.
Blocking sign-in for shared mailbox identities is recommended to prevent abuse: these accounts are generally not protected with MFA, so a reset, guessed or leaked password is all an attacker needs to sign in as the mailbox and read or send mail from it.
If you rely on your IT administrators to disable the identities of the shared mailboxes they create, it is easy to forget. The better approach is to delegate this task to Azure Automation, running under a system-assigned managed identity, so it happens on a schedule and without any stored credentials.
DKIM keys sign outbound mail so that receivers can verify its origin and integrity; like any signing key they must be rotated periodically to limit the damage of a compromise. The commonly recommended frequency is every six months, with the interval tied to the key length: the shorter the key, the shorter the interval. Regular rotation limits the window in which a compromised private key, or a short key an attacker has managed to break, can be used to forge mail from your domain.
- Establish a new Automation Account with a system-assigned managed identity enabled.
- Navigate to Shared Resources > Modules > Add a module > Browse from gallery and add the modules below, selecting Runtime version 7.2 for each:
ExchangeOnlineManagement
Microsoft.Graph.Authentication
Microsoft.Graph.Users
- Launch PowerShell on your system and connect to Microsoft Graph with the following scopes (AppRoleAssignment.ReadWrite.All lets you grant application permissions to the managed identity, Application.Read.All lets you look up the service principals involved):
Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All,Application.Read.All
- After establishing the connection, grant the Exchange Online application permission Exchange.ManageAsApp to your Automation Account's managed identity (the service principal that carries the account's name). Execute the following commands. The display-name filter assumes the name is unique in your tenant; if it is not, use the managed identity's object ID from the Automation Account's Identity blade instead.
$managedIdentityId = (Get-MgServicePrincipal -Filter "displayName eq 'YOUR-AUTOMATION-ACCOUNT'").Id
$exoApp = Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'" # AppId of the Office 365 Exchange Online enterprise application; it is the same in every tenant.
$appRole = $exoApp.AppRoles | Where-Object {$_.Value -eq "Exchange.ManageAsApp"}
New-MgServicePrincipalAppRoleAssignment -PrincipalId $managedIdentityId -ServicePrincipalId $managedIdentityId -ResourceId $exoApp.Id -AppRoleId $appRole.Id
- Once the Exchange Online permission has been added, grant the Microsoft Graph application permission User.ReadWrite.All the same way. The runbook needs it to write both accountEnabled and jobTitle on the shared mailbox accounts; if you only disable the accounts and do not tag them, User.EnableDisableAccount.All together with User.Read.All is the smaller grant.
$managedIdentityId = (Get-MgServicePrincipal -Filter "displayName eq 'YOUR-AUTOMATION-ACCOUNT'").Id
$graphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" # AppId of the Microsoft Graph enterprise application; it is the same in every tenant.
$appRole = $graphApp.AppRoles | Where-Object {$_.Value -eq "User.ReadWrite.All"}
New-MgServicePrincipalAppRoleAssignment -PrincipalId $managedIdentityId -ServicePrincipalId $managedIdentityId -ResourceId $graphApp.Id -AppRoleId $appRole.Id
- Assign the Entra ID role "Exchange Administrator" directly to the Automation Account's managed identity. Exchange Online app-only access requires a directory role in addition to the Exchange.ManageAsApp permission, and this role is also sufficient for the DKIM cmdlets used later.
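Before moving on, it is worth confirming that both application permissions actually landed on the managed identity. The following check is an added example, not part of the original page: it lists every app role granted to the service principal and warns if either of the two roles this setup needs is missing. It runs in the same Connect-MgGraph session as the steps above, and 'YOUR-AUTOMATION-ACCOUNT' is the same placeholder.

```powershell
# Added verification step (not the page's own code). Requires the Connect-MgGraph
# session from the setup steps above; 'YOUR-AUTOMATION-ACCOUNT' is a placeholder.
$required = @{
    '00000002-0000-0ff1-ce00-000000000000' = 'Exchange.ManageAsApp'   # Office 365 Exchange Online
    '00000003-0000-0000-c000-000000000000' = 'User.ReadWrite.All'     # Microsoft Graph
}

# A display-name filter can match more than one service principal; refuse to
# continue on anything but exactly one hit so we never inspect the wrong identity.
$mi = @(Get-MgServicePrincipal -Filter "displayName eq 'YOUR-AUTOMATION-ACCOUNT'")
if ($mi.Count -ne 1) {
    throw "Expected exactly one service principal, found $($mi.Count); look the managed identity up by object ID instead"
}

# Resolve each assignment to the resource it targets and the role's Value
# (e.g. Exchange.ManageAsApp) so the output is readable and comparable.
$granted = @{}
foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi[0].Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    $granted["$($resource.AppId)|$($role.Value)"] = $true
    Write-Output "$($resource.DisplayName): $($role.Value)"
}

# Report what is still missing from the two grants made in the steps above.
foreach ($appId in $required.Keys) {
    $value = $required[$appId]
    if (-not $granted.ContainsKey("$appId|$value")) {
        Write-Warning "Missing application permission $value on resource app $appId"
    }
}
```

The Exchange Administrator directory role from the last step is not visible through app role assignments; check it on the Automation Account's Identity blade under Azure role assignments, or in the Entra admin center under the role's assignments.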
This runbook disables the Entra ID identities of your shared mailboxes. To configure it in your Automation Account, follow the steps below.
- Create a new Runbook with the following configuration.
  - Name: C-DISABLE-SMB (C is a short prefix for the tenant name; use your own)
  - Type: PowerShell
  - Runtime: 7.2
- You can run the runbook once by clicking 'Start': it blocks sign-in for all your shared mailbox accounts and writes a JobTitle to them so they are easy to recognise in Entra ID.
- Automate the runbook by assigning it a schedule. In your Automation Account, navigate to Shared Resources > Schedules and click 'Add a schedule'.
- Choose a preferred time and time zone, and set the recurrence to recurring.
  - Example: daily, recurring at 3:00 AM
- After creating the schedule, open the runbook and navigate to Resources > Schedules.
- Click 'Add a schedule', choose to link a schedule to your runbook, and select the schedule you created.
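The runbook body itself is not reproduced on this page. What follows is an added example of what C-DISABLE-SMB can look like; it is written for this page and is not the author's code. It assumes the managed identity set up above (Exchange.ManageAsApp plus Exchange Administrator for Exchange Online, User.ReadWrite.All for Graph), uses contoso.onmicrosoft.com and the JobTitle text 'Shared Mailbox' as placeholders, and adds a ReportOnly switch so you can dry-run it before linking the schedule.

```powershell
# Added example runbook for C-DISABLE-SMB (not the page's own code).
# Assumes: the Automation Account's system-assigned managed identity holds
# Exchange.ManageAsApp + the Exchange Administrator role, and the Graph
# application permission User.ReadWrite.All. Tenant name and JobTitle text
# below are placeholders; adjust them for your tenant.
param(
    [string]$Organization = 'contoso.onmicrosoft.com',  # initial .onmicrosoft.com domain (placeholder)
    [string]$JobTitle     = 'Shared Mailbox',            # tag written to jobTitle (placeholder)
    [switch]$ReportOnly                                  # report what would change, change nothing
)

$ErrorActionPreference = 'Stop'

# Exchange Online: app-only sign-in with the managed identity, no stored secret.
Connect-ExchangeOnline -ManagedIdentity -Organization $Organization -ShowBanner:$false

# Microsoft Graph: same managed identity.
Connect-MgGraph -Identity -NoWelcome

# Every shared mailbox. ExternalDirectoryObjectId is the Entra ID object id of
# the backing user account and is part of the default property set.
$shared = @(Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited)

$changed = 0
$alreadyDone = 0
foreach ($mbx in $shared) {
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property Id,UserPrincipalName,AccountEnabled,JobTitle

    # Skip accounts a previous run already blocked and tagged; keeps the job idempotent.
    if (-not $user.AccountEnabled -and $user.JobTitle -eq $JobTitle) {
        $alreadyDone++
        continue
    }

    Write-Output "Blocking sign-in for $($user.UserPrincipalName) (accountEnabled was $($user.AccountEnabled))"
    if (-not $ReportOnly) {
        # accountEnabled=false blocks sign-in as the mailbox; delegated access
        # (Full Access / Send As) by real users keeps working.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false -JobTitle $JobTitle
    }
    $changed++
}

Write-Output "Shared mailboxes: $($shared.Count); blocked/tagged this run: $changed; already done: $alreadyDone"

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Start the runbook once with ReportOnly set to see the list of accounts it would touch; the Output stream of that job is a convenient record of which shared mailboxes were still sign-in enabled. The JobTitle tag doubles as a cheap filter in Entra ID and as the idempotency marker for subsequent scheduled runs.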
This runbook rotates the DKIM key(s) of the domains listed under the Email authentication settings in Microsoft Defender for Office 365 (MDO). To configure it in your Automation Account, follow the steps below.
- Create a new Runbook with the following configuration.
  - Name: C-ROTATE-DKIM-KEYS (C is a short prefix for the tenant name; use your own)
  - Type: PowerShell
  - Runtime: 7.2
- You can run the runbook once to rotate the DKIM key(s) by clicking 'Start'.
- Automate the runbook by assigning it a schedule. In your Automation Account, navigate to Shared Resources > Schedules and click 'Add a schedule'.
- Choose a preferred time and time zone, and set the recurrence to recurring.
  - Recurring every 3 months. Exchange Online keeps two selectors per domain and each rotation moves signing to the other selector with a freshly generated key, so rotating every 3 months gives both selectors a new key within every 6-month window.
- After creating the schedule, open the runbook and navigate to Resources > Schedules.
- Click 'Add a schedule', choose to link a schedule to your runbook, and select the schedule you created.
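As with the first runbook, the body of C-ROTATE-DKIM-KEYS is not on this page; the following is an added example written for this page, not the author's code. It assumes the managed identity has Exchange.ManageAsApp and the Exchange Administrator role as set up above, uses contoso.onmicrosoft.com as a placeholder, rotates only domains where DKIM signing is enabled, and skips a domain when Get-DkimSigningConfig reports a RotateOnDate in the future, which this example treats as a rotation that is still pending (an assumption about that property's meaning; adjust if your tenant reports it differently).

```powershell
# Added example runbook for C-ROTATE-DKIM-KEYS (not the page's own code).
# Assumes the managed identity is set up as described above (Exchange.ManageAsApp
# + Exchange Administrator). Tenant name and key size are placeholders.
param(
    [string]$Organization = 'contoso.onmicrosoft.com',  # initial .onmicrosoft.com domain (placeholder)
    [ValidateSet(1024, 2048)]
    [int]$KeySize = 2048,                                # 2048-bit RSA; a 1024-bit key warrants a shorter interval
    [switch]$ReportOnly                                  # list the configs, do not rotate
)

$ErrorActionPreference = 'Stop'
Connect-ExchangeOnline -ManagedIdentity -Organization $Organization -ShowBanner:$false

# Only domains where signing is enabled in MDO: a disabled config has no live
# CNAMEs to swing over, so rotating it would achieve nothing.
$configs = @(Get-DkimSigningConfig | Where-Object { $_.Enabled })

foreach ($cfg in $configs) {
    $domain = $cfg.Domain

    # Rotation is two-step: a key is generated for the idle selector, and signing
    # switches to it later. A future RotateOnDate is taken here to mean a previous
    # rotation is still pending (assumption), in which case we skip this domain.
    if ($cfg.RotateOnDate -and $cfg.RotateOnDate -gt (Get-Date)) {
        Write-Warning "$domain : rotation already pending (switch scheduled $($cfg.RotateOnDate)), skipping"
        continue
    }

    Write-Output "$domain : keys $($cfg.Selector1KeySize)/$($cfg.Selector2KeySize) bits, created $($cfg.KeyCreationTime)"
    if ($ReportOnly) { continue }

    try {
        # Generates a new key pair for the inactive selector and schedules the switch.
        Rotate-DkimSigningConfig -Identity $domain -KeySize $KeySize -Confirm:$false
        Write-Output "$domain : rotation requested with a $KeySize-bit key"
    }
    catch {
        # One domain failing must not stop the others; surface it in the job's error stream.
        Write-Error "$domain : rotation failed: $($_.Exception.Message)" -ErrorAction Continue
    }
}

Write-Output "DKIM configs processed: $($configs.Count)"
Disconnect-ExchangeOnline -Confirm:$false
```

The selector CNAMEs in your DNS point at Microsoft-hosted records, so no DNS change is needed on your side for the rotation to complete; keep the schedule's 3-month interval well above the few days a pending rotation can take, so consecutive runs never collide with the RotateOnDate guard.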