fix(m365): address PR review feedback for shared mailbox check

- Update remediation steps to use Entra admin center path
- Remove CIS reference from metadata Notes field
- Add check to CIS 4.0 and 6.0 M365 compliance frameworks (req 1.2.2)
- Move changelog entry to unreleased v5.18.0 section
This commit is contained in:
Andoni A.
2026-01-23 13:11:33 +01:00
parent 31db991e8c
commit a6946f3195
5 changed files with 10 additions and 6 deletions

@@ -8,6 +8,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- `compute_instance_suspended_without_persistent_disks` check for GCP provider [(#9747)](https://github.com/prowler-cloud/prowler/pull/9747)
- `codebuild_project_webhook_filters_use_anchored_patterns` check for AWS provider to detect CodeBreach vulnerability [(#9840)](https://github.com/prowler-cloud/prowler/pull/9840)
- `exchange_shared_mailbox_sign_in_disabled` check for M365 provider [(#9828)](https://github.com/prowler-cloud/prowler/pull/9828)
### Changed
@@ -43,7 +44,6 @@ All notable changes to the **Prowler SDK** are documented in this file.
- CIS 6.0 for M365 provider [(#9779)](https://github.com/prowler-cloud/prowler/pull/9779)
- CIS 5.0 compliance framework for the Azure provider [(#9777)](https://github.com/prowler-cloud/prowler/pull/9777)
- `Cloudflare` Bot protection, WAF, Privacy, Anti-Scraping and Zone configuration checks [(#9425)](https://github.com/prowler-cloud/prowler/pull/9425)
- `exchange_shared_mailbox_sign_in_disabled` check for M365 provider [(#9828)](https://github.com/prowler-cloud/prowler/pull/9828)
### Changed

@@ -121,7 +121,9 @@
{
"Id": "1.2.2",
"Description": "Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people.Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that. This is particularly useful for help and support mailboxes because users can send emails from \"Contoso Support\" or \"Building A Reception Desk.\"Shared mailboxes are created with a corresponding user account using a system generated password that is unknown at the time of creation.The recommended state is `Sign in blocked` for `Shared mailboxes`.",
"Checks": [],
"Checks": [
"exchange_shared_mailbox_sign_in_disabled"
],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
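Review bot: The unchanged "Description" string in this hunk has sentences run together without spaces ("shared by multiple people.Users with permissions", "Building A Reception Desk.\"Shared mailboxes"); since the surrounding lines are already being touched, consider inserting the missing spaces so the rendered compliance report reads cleanly.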

@@ -121,7 +121,9 @@
{
"Id": "1.2.2",
"Description": "Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people. Shared mailboxes are created with a corresponding user account using a system generated password that is unknown at the time of creation. The recommended state is Sign in blocked for Shared mailboxes.",
"Checks": [],
"Checks": [
"exchange_shared_mailbox_sign_in_disabled"
],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
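Review bot: The mapping here is consistent with the CIS 4.0 file in the previous hunk; please confirm that the check id "exchange_shared_mailbox_sign_in_disabled" matches the check's directory and metadata CheckID exactly, since a mismatched id would leave requirement 1.2.2 silently unmapped in the compliance output.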

@@ -859,7 +859,7 @@ class M365PowerShell(PowerShellSession):
dict: User account status settings in JSON format.
"""
return self.execute(
"$dict=@{}; Get-User -ResultSize Unlimited | ForEach-Object { $dict[$_.Id] = @{ AccountDisabled = $_.AccountDisabled } }; $dict | ConvertTo-Json -Depth 10",
"$dict=@{}; Get-User -ResultSize Unlimited | ForEach-Object { $dict[$_.ExternalDirectoryObjectId] = @{ AccountDisabled = $_.AccountDisabled } }; $dict | ConvertTo-Json -Depth 10",
json_parse=True,
)
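Review bot: Switching the dictionary key from $_.Id to $_.ExternalDirectoryObjectId lines up this lookup with the mailbox's Entra object id (the same property the remediation CLI passes to Update-MgUser), but the docstring above still only says "User account status settings in JSON format"; document that the returned dict is keyed by ExternalDirectoryObjectId. Also consider skipping entries whose ExternalDirectoryObjectId is empty, since indexing a PowerShell hashtable with a null key fails and would abort the whole ForEach-Object pipeline for one odd recipient.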

@@ -20,7 +20,7 @@
"Code": {
"CLI": "Get-EXOMailbox -RecipientTypeDetails SharedMailbox | ForEach-Object { Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false }",
"NativeIaC": "",
"Other": "1. Sign in to the Microsoft 365 admin center\n2. Navigate to Users > Active users\n3. Search for the shared mailbox\n4. Select the shared mailbox and click Block sign-in\n5. Confirm the action",
"Other": "1. Navigate to Entra admin center (https://entra.microsoft.com/)\n2. Expand Identity > Users and select All users\n3. Search for and select the shared mailbox user account\n4. In the properties pane, go to Account status\n5. Uncheck 'Account enabled' and click Save\n6. Repeat for all shared mailbox accounts",
"Terraform": ""
},
"Recommendation": {
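Review bot: The updated "Other" steps now describe the Entra admin center path, which matches where account status actually lives for the user object behind a shared mailbox; as a small style point, step 1 reads "Navigate to" where the old text had "Sign in to", and keeping "Sign in to" makes the prerequisite explicit. Note as well that the unchanged "CLI" one-liner disables every shared mailbox account in a single pass, so the guidance could suggest reviewing the Get-EXOMailbox output before piping it into Update-MgUser.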
@@ -33,5 +33,5 @@
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Based on CIS Microsoft 365 Foundations Benchmark v5.0.0 - Requirement 1.2.2"
"Notes": ""
}