Identify Non-Compliant Shared Mailboxes in Microsoft 365

Shared mailboxes in Microsoft 365 are essential for organizational communications, enabling multiple users to access a single mailbox. Commonly used for functions such as support, reception desks or a Catch-All mailbox, they provide flexibility and efficiency. Shared mailboxes don’t usually require Exchange license unless features like archiving, storage over 50 GB, or retention policies are enabled. However, if you sign in directly to an unlicensed shared mailbox, that’s illegal!

A shared mailbox becomes non-compliant under the following conditions:

• Have sign-in enabled – When you create a shared mailbox in Microsoft 365, sign-in is enabled by default. However, shared mailboxes are not intended for direct user login. So, admins should block sign-in for shared mailboxes.
• Lack Exchange Online licensing – If sign-in is enabled for a shared mailbox, assigning an Exchange Online license is a mandatory requirement.

So, if you allow sign-in for a shared mailbox without assigning an Exchange Online license, it is a straightforward violation of Microsoft’s licensing terms and compliance standards.

Non-compliant shared mailboxes introduce several risks, including:

1. Security Vulnerabilities: Every shared mailbox has a corresponding user account with system generated password, which remains unknown. However, an administrator could reset the password, or an attacker might gain access to the account credentials. If this happens, the user account could log in to the shared mailbox and send emails, potentially leading to security breaches.
2. Operational Issues: Without a license, a shared mailbox storage is capped at 50GB. When this limit is exceeded, the mailbox will stop receiving emails, disrupting communication.
3. Policy Violations: Failing to block sign-in for shared mailboxes violates Exchange Online best practices and security recommendations.

So, it becomes necessary to identify the non-compliant shared mailboxes in the organization for efficient shared mailbox management.

In Microsoft 365, identifying non-compliant shared mailboxes can be challenging, as there are no direct methods.

To find unlicensed shared mailbox with enabled sign-in status in Microsoft 365 admin center, follow the below-mentioned steps.

1. Sign in to the Microsoft 365 Admin Center.
2. Go to the Active Users.
3. Review each shared mailbox manually one by one.
4. For each shared mailbox, check the sign-in status and verify that it is a licensed shared mailbox.

Repeat the process for every shared mailbox in the organization. This process can be tedious, especially when dealing with numerous shared mailboxes.

PowerShell cmdlets can retrieve shared mailbox details, but they don’t directly identify non-compliant ones. The process involves connecting to two different PowerShell modules: Exchange Online PowerShell to list shared mailboxes and MS Graph module to verify sign-in status and license assignments. This approach can be inefficient and time-consuming.

To address this gap, we’ve created a PowerShell script that simplifies the process of identifying non-compliant shared mailboxes. The script scans for unlicensed shared mailboxes with enabled sign-in statuses.

Download Script: FindNonCompliantSharedMailboxes.ps1

• Generates all non-compliant shared mailboxes in Microsoft 365.
• Exports report results to CSV file.
• The script automatically verifies and installs the MS Graph PowerShell SDK and Exchange Online PowerShell modules (if they are not already installed) upon your confirmation.
• The script can be executed with an MFA-enabled account too.
• The script supports Certificate-based authentication (CBA).
• The script is scheduler-friendly.

The script exports unlicensed shared mailboxes that allow sign-ins with the following attributes.

• Shared Mailbox Name
• Primary SMTP Address
• Sign-in Status
• Exchange License
• Last Sign-in Time
• Creation Time

The exported non-compliant shared mailbox report looks like the screenshot below.

1. Download the script.
2. Start the Windows PowerShell
3. Select any of the methods provided to execute the script.

Method 1: Execute the script with MFA or non-MFA account.

The script connects to both Microsoft Graph and Exchange Online, so you’ll be asked for your credentials twice. After execution, the script will export all the shared mailboxes that are non-compliant in Microsoft 365. Once identified, you can block sign-in or assign licenses to the shared mailboxes to ensure compliance.

Pro Tip – Apart from these, it is also recommended to keep control over the shared mailbox permissions such as FullAccess, SendAs, and SendOnBehalf to ensure that the right people hold the right permissions on your resources.

Method 2: Execute the script by explicitly mentioning credentials to connect Exchange Online PowerShell.

You will be prompted again to connect to the Microsoft Graph PowerShell module.

Note: The above method supports only non-MFA accounts. If the admin account has MFA, you need to disable MFA using CA policy to make this work.

Method 3: Execute the script using certificate-based authentication.

To use certificate-based authentication, you must register app in Entra ID that helps you connect both MS Graph and Exchange Online using certificate. This method is schedular-friendly.

Note: Depending on your requirements, you can create a self-signed certificate.

We have explored how to find non-compliant shared mailboxes using PowerShell script. But do you believe if I say there is a lot easier way to get all Microsoft 365 non-compliant shared mailboxes without using PowerShell?! AdminDroid provides a wide range of shared mailbox reports to manage them efficiently.

Shared mailbox reports are categorized based on

• Shared mailbox info report – Lists all shared mailboxes and their details.

• Shared mailbox permission reports – Provides reports on shared mailbox members, delegates, and permission details.

• Shared mailbox email configurations – Shows shared mailbox with inbox rules, forwarding configurations, external forwarding, etc.

• Shared mailbox hold reports – Describes shared mailboxes’ hold details, such as litigation hold, in-place hold, and retention hold.

• Shared mailbox size report – Displays mailbox used size, used percentage, Item count, etc.

• Shared mailbox email report – Lists all emails that are sent from shared mailbox and who sent the email to whom.

• Shared mailbox email analytics report – This category provides reports on sent and received emails count by hour of the day & day by the week, email traffic reports on shared mailboxes’ peak/slack hours & days, shared mailboxes’ active and inactive analysis report based on email activity, etc.

Apart from shared mailbox details, AdminDroid Exchange Online reporting tool provides detailed reports and valuable insights on user mailboxes, mailbox configurations, mailbox auditing, mailbox permissions, and more.

Additionally, AdminDroid offers 1900+ pre-built reports and 30+ Office 365 dashboards on various Microsoft 365 services, such as Azure AD, SharePoint, Teams, OneDrive, Stream, etc. Effortlessly manage your Microsoft 365 environment with extensive set of reports and dashboards. From reporting and auditing to alerting, AdminDroid offers comprehensive solution. Download AdminDroid Microsoft 365 reporter to discover how it can benefit your organization.

I hope this blog is useful for identifying non-compliant shared mailboxes in your organization. If you have any queries, you can reach us through the comment section.