Find Who Sent Email from Shared Mailbox in Office 365 using PowerShell

Shared mailbox delegates can send emails from the shared mailbox based on permissions like ‘Send As’ and ‘Send On Behalf.’

Send As – The recipient will not get any hint about who sent the emails. It appears to be sent from the shared mailbox.

Send On Behalf – The recipient can identify the actual sender by seeing the ‘From’ email address. For example, <EmailSender> on behalf of <SharedMBName>.

But in both methods, sent emails are not saved in the shared mailbox’s sent items folder by default. Instead, it will be stored in the senders’ mailbox. If a shared mailbox is accessed by multiple users, it’s hard to identify who sent what email from the shared mailbox.

Monitoring emails sent from shared mailboxes is an important business requirement. To find the sender of an email, admins can search ‘SendAs’ and ‘SendOnBehalf‘ activities in Office 365 audit log search. It can be done either through Microsoft 365 compliance center or the Search-UnifiedAuditLog PowerShell cmdlet. It will list all the ‘SendAs’ and ‘SendOnBehalf’ activities. But we can’t filter out emails sent from shared mailboxes.

To track emails sent from a shared mailbox, we need to use multiple filters in PowerShell. To make admins’ tasks simpler, we have written a PowerShell script to identify the sender of an email.

Script Download: FindWhoSentEmailFromSharedMailbox.ps1

• The script uses modern authentication to retrieve audit logs.
• The script can be executed with an MFA-enabled account too.
• Exports report results to CSV file.
• Helps to generate audit reports for custom periods.
• Tracks email sent activities from a specific shared mailbox.
• Allows to audit send as activities separately.
• Allows to track send on behalf activities separately.
• Automatically installs the EXO V2 (if not installed already) upon your confirmation.
• The script is scheduler-friendly.i.e., Credentials can be passed as a parameter.

The exported output file contains the following attributes: Mail Sent Time, Sent By, Sent from Shared Mailbox, Email Subject, Operation, Result, and More Detailed Audit Info.

You can choose any one of the below methods based on your need.

Method 1: Execute the script with MFA or non-MFA account.

Method 2: Execute the script by explicitly mentioning credential (Scheduler-friendly).

If the admin account has MFA, you need to disable MFA using the Conditional Access policy to make this method work.

Our script supports advanced filtering parameters to get the desired result quickly. Supported parameters are listed below,

• SharedMBIdentity – Identifies users who sent emails from a specific shared mailbox.
• StartDate and EndDate – Helps to generate audit reports for a custom period
• SendAsOnly – Identifies the email sender who sent emails from a shared mailbox using ‘SendAs’ delegation
• SendOnBehalfOnly – Tracks who sent emails using ‘SendOnBehalf ‘permission from the shared mailboxes.
• UserName and Password – Schedules the PowerShell script without interactive login.

You can audit all the emails sent from shared mailboxes through SendAs and SendOnBehalf permissionin the last 90 days. To get a detailed report, run the script as follows.

To know who accessed a specific shared mailbox to send emails, you can execute the script using the -SharedMBIdentity parameter.

This example will retrieve all the emails sent from support@contoso.com and its sender details for the last 90 days.

By default, the script will retrieve the past 90 days’ email audit data. If you wish to audit the email sender of the shared mailbox for a specific date range, you can use the –StartDate and –EndDate param.

The report will contain all the emails sent from the shared mailboxes between April 25 and May 10.

You can also combine the -SharedMBIdentity parameter to track a particular shared mailbox. For example,

To audit all the emails sent from a shared mailbox using the SendAs permission, run the script with -SendAsOnly param.

By combining multiple parameters like StartDate, EndDate, and SharedMBIdentity, you can generate a more granular shared mailbox email audit report.

To retrieve all the shared mailbox emails sent using SendOnBehalf permission, execute the script using the –SendOnBehalfOnly parameter.

It will export all the shared mailbox emails that are sent using SendOnBehalf permission in the last 90 days.

Since Search-UnifiedAuditLog can retrieve shared mailboxes’ SendAs and SendOnBehalf activities for the last 90 days, you may require old data for analysis. By automating the script execution, you can keep the audit log for the desired period.

To schedule PowerShell script in the Task Scheduler, you can follow the below format.

You can also use any supported parameters to get the granular report. If the admin account has MFA, you cannot directly use it for scheduling. You need to disable MFA through the Conditional Access policy to make it work.

Manually analyzing email traffic and interpreting the data can be time-consuming and challenging. That’s where AdminDroid comes in – an advanced Microsoft 365 email reporting and analytics tool that simplifies the email analytics and provides valuable insights into email usage and management.

Let’s explore how AdminDroid can help organizations better harness shared mailbox management and email analytics by providing an intuitive, user-friendly interface that eases data analysis, streamlines reporting, and delivers actionable insights. Reports include,

• Shared mailbox email reports: It provides reports on all emails sent from shared mailbox, emails sent to and received from external domains.
• Shared mailbox email traffic stats: These reports provide email traffic data for hourly/daily/monthly basis.
• Shared mailbox email summary: Provides sent and received emails count by hour of the day, day by the week, etc
• Email peak and slack period analysis: Provides email traffic reports on shared mailboxes’ peak/slack hours and days.
• Shared mailbox active duration analysis: Gives reports on shared mailboxes’ active and inactive analysis report based on emails sent & received, internal emails sent & received, and external emails sent and received.
• Shared mailbox reports: These reports provide detailed information about shared mailbox permissions, size, mailbox forwarding configurations, and hold details.

In addition to shared mailbox email reports, AdminDroid Microsoft 365 email analytics tool offers 440+ email reports which helps admins track suspicious emails (like spam, malware, and spoofing), identify potential security threats, and monitor email usage and configurations.

Download AdminDroid Microsoft 365 reporting tool to explore 1800+ pre-built reports and 30+ dashboards to maximize security and manage Microsoft 365environment efficiently.

I hope this blog will help you identify the shared mailbox members who sent emails from it.