Best practice per Microsoft is to block sign-ins for shared mailboxes. Maybe configuring escalations for shared mailboxes without sign-ins blocked would be an easy way for partners to ensure proper config here.