Updated 2 weeks ago

Find Who Sent Email from Shared Mailbox in Office 365 using PowerShell

by Kathy Cooper


Shared mailbox delegates can send emails from the shared mailbox depending on their permissions, such as ‘Send As’ or ‘Send On Behalf.’

Send As – The recipient will not get any hint about who sent the emails. It appears to be sent from the shared mailbox.

Send On Behalf – The recipient can identify the actual sender by seeing the ‘From’ email address. For example, <EmailSender> on behalf of <SharedMBName>.

But in both methods, sent emails are not saved in the shared mailbox’s Sent Items folder by default. Instead, they are stored in the sender’s mailbox. If a shared mailbox is accessed by multiple users, it’s hard to identify who sent which email from the shared mailbox.

Note: You can enable settings to store sent items in the shared mailbox.

How to Track who Sent Email from a Shared Mailbox

Monitoring emails sent from shared mailboxes is an important business requirement. To find the sender of an email, admins can search for ‘SendAs’ and ‘SendOnBehalf’ activities in the Office 365 audit log. This can be done either through the Microsoft 365 compliance center or with the Search-UnifiedAuditLog PowerShell cmdlet. Either way, the search lists all ‘SendAs’ and ‘SendOnBehalf’ activities; the results cannot be filtered to show only emails sent from shared mailboxes.

To track emails sent from the shared mailboxes, you need to retrieve all the shared mailboxes and use multiple filters in PowerShell. To make admins’ tasks simpler, we have written a PowerShell script to identify the sender of an email.
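The audit-log approach described above, as an added example that is not the script this article offers: it parses the AuditData JSON of SendAs and SendOnBehalf records and keeps only those sent from a shared mailbox. The function name, the sample records and the output file name are assumptions; the commented live commands assume an existing Connect-ExchangeOnline session.

```powershell
# Added example, not the script from this article.
function Select-SharedMailboxSend {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecord,    # records from Search-UnifiedAuditLog
        [Parameter(Mandatory)] [string[]] $SharedMailbox   # shared mailbox SMTP addresses
    )
    foreach ($record in $AuditRecord) {
        # The details of each audit record are a JSON string in AuditData.
        $data = $record.AuditData | ConvertFrom-Json
        # The "sent from" mailbox is in a different field for each operation.
        $sentFrom = if ($data.Operation -eq 'SendAs') { $data.SendAsUserSmtp } else { $data.SendOnBehalfOfUserSmtp }
        # -contains is case-insensitive for strings, which suits SMTP addresses.
        if ($sentFrom -and ($SharedMailbox -contains $sentFrom)) {
            [pscustomobject]@{
                SentTime  = $data.CreationTime
                SentBy    = $data.UserId
                SentFrom  = $sentFrom
                Subject   = $data.Item.Subject
                Operation = $data.Operation
                Result    = $data.ResultStatus
            }
        }
    }
}

# Constructed sample records (not real audit data) so the filter can run offline.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-02T09:14:00","Operation":"SendAs","UserId":"alex@contoso.com","ResultStatus":"Succeeded","SendAsUserSmtp":"support@contoso.com","Item":{"Subject":"Ticket update"}}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-02T10:30:00","Operation":"SendOnBehalf","UserId":"sam@contoso.com","ResultStatus":"Succeeded","SendOnBehalfOfUserSmtp":"support@contoso.com","Item":{"Subject":"Refund"}}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-02T11:05:00","Operation":"SendAs","UserId":"sam@contoso.com","ResultStatus":"Succeeded","SendAsUserSmtp":"manager@contoso.com","Item":{"Subject":"Notes"}}' }
)
# Returns the first two records; the third was sent as a mailbox that is not in the list.
Select-SharedMailboxSend -AuditRecord $sample -SharedMailbox 'support@contoso.com'

# Live tenant (one call returns at most 5000 records; larger result sets need paging
# with -SessionId and -SessionCommand ReturnLargeSet):
# $shared  = (Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited).PrimarySmtpAddress
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-180) -EndDate (Get-Date) `
#                -Operations SendAs,SendOnBehalf -ResultSize 5000
# Select-SharedMailboxSend -AuditRecord $records -SharedMailbox $shared |
#     Export-Csv .\SharedMailboxSends.csv -NoTypeInformation
```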

Script Highlights:

  • The script retrieves audit log for the last 180 days by default.
  • Helps to generate audit reports for custom periods.
  • Tracks email sent activities from a specific shared mailbox.
  • Allows auditing Send As activities separately.
  • Allows tracking Send On Behalf activities separately.
  • Exports report results to CSV file.
  • The script can be executed with an MFA-enabled account too.
  • Supports Certificate-based Authentication too.
  • Automatically installs the EXO Module (if not installed already) upon your confirmation.
  • The script is scheduler-friendly.

Sample Output:

The exported output file contains the following attributes: Mail Sent Time, Sent By, Sent from Shared Mailbox, Email Subject, Operation, Result, and More Detailed Audit Info.


Audit Emails Sent from the Shared Mailbox – Script Execution Steps

You can choose any one of the below methods based on your need.

Method 1: Execute the script with MFA or non-MFA account.

This method will export details on which delegate sent email from the shared mailboxes in the last 180 days.

Method 2: Execute the script by explicitly mentioning credential (scheduler-friendly).

If the admin account has MFA, you need to disable MFA using a Conditional Access (CA) policy to make this method work.

Method 3: Execute the script using certificate-based authentication (scheduler-friendly).

To use certificate-based authentication, you must register an app in Entra ID, which lets you connect to Exchange Online PowerShell using a certificate.

You can either use a certificate issued by a certificate authority (CA) or create a self-signed certificate, which is cost-effective.

Who Sent What Email? – Unlock the Full Potential of the Script

Our script supports advanced filtering parameters to get the desired result quickly. The supported parameters are listed below:

  • SharedMBIdentity – Identifies users who sent emails from a specific shared mailbox.
  • StartDate and EndDate – Helps to generate audit reports for a custom period.
  • SendAsOnly – Identifies the email sender who sent emails from a shared mailbox using ‘SendAs’ delegation.
  • SendOnBehalfOnly – Tracks who sent emails using ‘SendOnBehalf’ permission from the shared mailboxes.
  • UserName and Password – Schedules the PowerShell script without interactive login.

1. Track who Sent Email from the Shared Mailboxes

You can audit all the emails sent from shared mailboxes through the SendAs and SendOnBehalf permissions in the last 180 days. To get a detailed report, run the script as follows.

2. Detect who Accessed and Sent Email from a Specific Shared Mailbox

To know who accessed a specific shared mailbox to send emails, you can execute the script using the -SharedMBIdentity parameter.

This example will retrieve all the emails sent from support@contoso.com and its sender details for the last 180 days.

If the shared mailbox handles a large volume of emails, it’s a good practice to monitor shared mailbox size and activities to ensure uninterrupted service and improve security.

3. Generate Audit Report for a Custom Period

By default, the script will retrieve the past 180 days’ email audit data. If you wish to audit the email sender of the shared mailbox for a specific date range, you can use the -StartDate and -EndDate parameters.

The report will contain all the emails sent from the shared mailboxes between April 25 and May 10.

You can also combine the -SharedMBIdentity parameter to track a particular shared mailbox. For example,

4. Find SendAs Audit Records for the Shared Mailboxes

To audit all the emails sent from a shared mailbox using the SendAs permission, run the script with the -SendAsOnly parameter.

By combining multiple parameters like StartDate, EndDate, and SharedMBIdentity, you can generate a more granular shared mailbox email audit report.

5. Audit All the Emails Sent through Send on Behalf Permission

To retrieve all the shared mailbox emails sent using SendOnBehalf permission, execute the script using the -SendOnBehalfOnly parameter.

It will export all the shared mailbox emails that are sent using SendOnBehalf permission in the last 180 days.

6. Schedule ‘Find Who Sent Email from Shared Mailbox’ Script

Since Search-UnifiedAuditLog can retrieve shared mailboxes’ SendAs and SendOnBehalf activities only for the last 180 days, you may need older data for analysis. By automating the script execution, you can keep the audit log for the desired period.

Both Method 2 and 3 can be used for scheduling using the following approach:

Gain Deep Insights on Shared Mailbox Email Activity with AdminDroid

Manually analyzing email traffic and interpreting the data can be time-consuming and challenging. That’s where AdminDroid comes in – an advanced Microsoft 365 email reporting and analytics tool that simplifies the email analytics and provides valuable insights into email usage and management.

Let’s explore how AdminDroid can help organizations better harness shared mailbox management and email analytics by providing an intuitive, user-friendly interface that eases data analysis, streamlines reporting, and delivers actionable insights. Reports include,

  • Shared mailbox email reports: It provides reports on all emails sent from shared mailbox, emails sent to and received from external domains.
  • Shared mailbox email traffic stats: These reports provide email traffic data for hourly/daily/monthly basis.
  • Shared mailbox email summary: Provides sent and received email counts by hour of the day, day of the week, etc.
  • Email peak and slack period analysis: Provides email traffic reports on shared mailboxes’ peak/slack hours and days.
  • Shared mailbox active duration analysis: Gives reports on shared mailboxes’ active and inactive analysis report based on emails sent & received, internal emails sent & received, and external emails sent and received.
  • Shared mailbox reports: These reports provide detailed information about shared mailbox permissions, size, mailbox forwarding configurations, and hold details.


In addition to shared mailbox email reports, the AdminDroid Microsoft 365 email analytics tool offers 440+ email reports, which help admins track suspicious emails (like spam, malware, and spoofing), identify potential security threats, and monitor email usage and configurations.

Download the AdminDroid Microsoft 365 reporting tool to explore 1800+ pre-built reports and 30+ dashboards to maximize security and manage your Microsoft 365 environment efficiently.

I hope this blog helps you identify the shared mailbox members who have sent emails from it.
