How to Detect Who Was Accessing A Shared Mailbox in Office 365 with PowerShell

In this blog post, I’ll show you how to enable auditing on an Exchange Online shared mailbox and how to see who has accessed it.

Shared mailboxes are useful resources but are not audited by default. To enable auditing, you need to use PowerShell. The first step is to authenticate to your Exchange Online tenant using an account that has permission to change audit settings, like an Office 365 Global Administrator account.

Connect to Exchange Online

The code below gets the user credential and then creates a session using Import-PSSession. If you want to use multifactor authentication to connect to Exchange Online, you’ll need to use the Exchange Online Remote PowerShell Module, which can be downloaded from the Exchange Admin Center.

Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

Enable Auditing

Once you’ve connected to Exchange Online, use the Set-Mailbox cmdlet to enable auditing on a mailbox. The command below enables auditing on a mailbox called SharedMail.

Set-Mailbox –Identity SharedMail -AuditEnabled $True

Alternatively, you can enable auditing on all mailboxes using Get-Mailbox and Set-Mailbox together:

$Mailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} $Mailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $True}

You can verify that you enabled auditing on the selected mailboxes by using the Get-Mailbox cmdlet:

Get-Mailbox | Format-List Name,AuditEnabled

Once you’ve finished running PowerShell commands, use Remote-PSSession to disconnect from Exchange Online.

Remove-PSSession $Session

Run a Mailbox Access Report in the Exchange Admin Center

Now that auditing is enabled, you can run a report in the Exchange Admin Center to list who is accessing audited mailboxes.

  • Log in to the Exchange Admin Center (EAC) here.
  • On the left of EAC, click compliance management.
  • Click auditing.
    Figure 1
  • Click Run a non-owner mailbox access report.
  • Set the search criteria in the ‘search for mailboxes accessed by non-owners’ dialog window, like start and end date.
  • Click search to run the report.

Conclusion

If you need an easier way to detect shared mailbox access in Exchange Online or audit Office 365 in general, come and take a look at LepideAuditor. It will help to overcome the limitations of the above native method by automating much of the process and allowing you to continuously audit and monitor changes.

Download LepideAuditor for Exchange Online