Updated 2 weeks ago

Audit Shared Mailbox Activities Using PowerShell

by AIMA

4 min read

No Comments

Shared mailboxes let multiple users manage emails, making them ideal for customer support, sales inquiries, or as a Catch-All mailbox for emails sent to nonexistent addresses. However, due to the shared access, monitoring activities is crucial to prevent misuse. To enhance security and reduce the risk of unauthorized access, it’s also advisable to block sign-ins for shared mailboxes. This ensures that only authorized users with delegated access can access the mailbox, preventing direct logins by bad actors.

In this blog, we’ll walk through various methods to audit a shared mailbox in Office 365, helping admins understand who accessed the shared mailbox, who sent email from the shared mailbox, and track other activities.

How to Track Shared Mailbox Activities in Microsoft 365?

Here are a few methods to view shared mailbox activity, helping you manage all shared mailboxes in M365:

Audit log search: You can search the audit logs to track mailbox activity, but filtering specifically for shared mailbox activities is not possible. While you can filter by user ID, along with other options like date and operation type, isolating shared mailbox activities remains a challenge.

PowerShell: When using the Search-UnifiedAuditLog cmdlet to retrieve shared mailboxes and their activity data, one major disadvantage is the challenge of filtering out only the activities relevant to shared mailboxes.

To make auditing shared mailbox activities easier, we’ve developed a script that focuses specifically on shared mailbox activities in Exchange Online, displaying the data in a simple, easy-to-read format.

Script Highlights

  • The script retrieves audit log for the last 180 days by default.
  • Helps to generate audit reports for custom periods.
  • Tracks activities from a specific shared mailbox.
  • Exports shared mailbox activities performed by admins and delegated users.
  • Exports report results to CSV file.
  • The script can be executed with an MFA-enabled account too.
  • Supports Certificate-based Authentication too.
  • Automatically installs the EXO Module (if not installed already) upon your confirmation.
  • The script is scheduler friendly.

Shared Mailbox Activity Report – Sample Output

The script exports Office 365 shared mailbox activities with the following attributes.

  • Activity Time
  • Shared Mailbox Name
  • Performed Operation
  • Performed by
  • Result Status
  • Logon Type
  • External Access
  • More Info

The exported report on shared mailbox activity tracking looks like the screenshot below.

Audit Shared Mailbox Activities using PowerShell

Audit Shared Mailbox Activities Script Execution Steps

  1. Download the script.
  2. Start the Windows PowerShell.
  3. Select any of the methods provided to execute the script.

Method 1: Execute the script with MFA or non-MFA account.

This method will export activity details for the specified shared mailbox over the past 180 days.

💡 Tip: To maintain seamless service and enhance security for a shared mailbox that processes a high volume of emails, it’s essential to regularly monitor shared mailbox size.

Method 2: Execute the script by explicitly mentioning credentials.

The above method supports only non-MFA accounts. If the admin account has MFA, you need to disable MFA using the CA policy to make this method work.

Method 3: Execute the script using certificate-based authentication. This method is scheduler friendly.

To use certificate-based authentication, you must register app in Entra ID which help you connect Exchange Online PowerShell using certificate.

You can either use CA certificate or create a self-signed certificate which is cost effective.

Maximize the Script’s Capabilities

The script provides a variety of built-in filtering options tailored to meet different requirements. Here’s how you can make the most of its features:

Retrieve Shared Mailbox Activities Including External Access

The script excludes external access (actions performed by Microsoft datacenter administrators) by default. If you want to include them, run the script with -IncludeExternalAccess param as shown below.

Generate Audit Report for a Custom Period

By default, the script will help you see the activity of a shared mailbox for the past 180 days. If you wish to audit shared mailbox activities for a specific date range, you can use the –StartDate and –EndDate param.

The report will contain all activities of a shared mailbox between Aug 20 and Sep 24. In addition, regularly monitoring shared mailbox permissions and any permission changes will help maintain security and ensure proper access control.

Schedule ‘Audit Shared Mailbox Activities’ Script

Search-UnifiedAuditLog can retrieve shared mailbox activities for up to 180 days, but if you need older data for analysis, automating the script execution is essential. To maintain a continuous audit log for the required time frame, you can schedule the script using Task scheduler or Azure Automation. You can also use the Certificate-Based Authentication (CBA) method, which is scheduler-friendly.

Simplify Shared Mailbox Management with AdminDroid

Managing shared mailboxes in Microsoft 365 can be overwhelming for IT admins. Fortunately, AdminDroid simplifies this task with its comprehensive Exchange Online reporting tool, providing a wide range of shared mailbox reports to help you stay on top of mailbox usage and performance.

Key shared mailbox reports include:

  • All shared mailbox storage insights
  • Shared mailbox membership
  • Shared mailbox size growth
  • Shared mailbox permission details
  • Shared mailboxes with inbox rules
  • Shared mailboxes configured with email forwarding
  • Shared mailboxes with litigation/retention/in-place hold
  • Shared mailbox peak/slack hours by mail sent/received
  • Shared mailbox email traffic insights

AdminDroid Office 365 Reporter

AdminDroid Office 365 Reporter

In addition to shared mailbox reports, AdminDroid’s Exchange Online auditing tool helps you track mailbox permission changes, configuration updates, and potential security threats. With over 180+ comprehensive reports, AdminDroid Exchange Online management tool provides a complete view of mailbox security — stopping here? Nah!

AdminDroid extends beyond Exchange, offering 1800+ pre-built reports and 30+ dashboards across Microsoft 365 services like Azure AD, SharePoint, Teams, OneDrive, and Stream.

Start managing your Microsoft 365 environment more efficiently today. Try AdminDroid free for 15 days and experience the benefits of seamless Exchange Online management. Download AdminDroid now and optimize your reporting strategy!

We hope this blog has provided you with the PS script to monitor user activities within a shared mailbox effectively. Thanks for reading! If you have any further queries, feel free to reach out to us through the comment section.

Share article