Mailboxes associated with a single user are suitable for most situations, but there are times when several users or specific group members need to have access to a shared mailbox. This could be, for example, to read and send emails on behalf of an organization or to share a common work calendar. Shared mailboxes are available in both Exchange Online and on-premise Exchange and these are distinguished by their special RecipientType of “SharedMailbox”.
What are Shared Mailboxes?
A shared mailbox is a type of user mailbox that doesn’t have its own username and password so users can’t log into them directly. To access a shared mailbox, users must first be granted ‘Send As’ or ‘Full Access’ permissions to the mailbox. Once that has been done, users sign into their own mailboxes and then access the shared mailbox by adding it to their Outlook profile.
However, although shared mailboxes provide an efficient way of working, they can lead to some users having unauthorized access to sensitive data. It is essential, therefore, to have tracking mechanisms in place to ensure that this doesn’t happen.
In this article we will look at two ways to get a list of shared mailboxes, members, and permissions: first using PowerShell, and then using the Lepide Data Security Platform, which is a more straightforward method and does not require any PowerShell scripting knowledge.
List Shared Mailboxes Members and Permissions Using PowerShell
Follow the steps below:
- Connect to Office 365 PowerShell, run the PowerShell ISE as Administrator and execute the following command:
Set-ExecutionPolicy RemoteSigned
$Cred = Get-Credential
- Type your user ID and password in the Windows PowerShell Credential Request and click OK
- Create a session using the following command, modifying the -ConnectionUri parameter based on your Exchange Online location:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
- Connect to Exchange Online:
Import-PSSession $Session -DisableNameChecking
- Copy and run the following script, adjusting the filters for the specific user you want to report on and specifying the desired path for the CSV file output:
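# Connect using the ExchangeOnlineManagement module
Connect-ExchangeOnline
# Shared mailboxes are selected by their RecipientTypeDetails value
$sharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox
$report = foreach ($mailbox in $sharedMailboxes) {
    Write-Host "Shared Mailbox: $($mailbox.DisplayName)"
    $mailboxPermissions = Get-MailboxPermission -Identity $mailbox.Identity
    foreach ($permission in $mailboxPermissions) {
        # In Exchange Online, User is a plain string and has no DisplayName property
        Write-Host " User: $($permission.User), Permissions: $($permission.AccessRights)"
        # Emit one row per permission entry for the CSV report
        [PSCustomObject]@{ Mailbox = $mailbox.DisplayName; User = $permission.User; Permissions = ($permission.AccessRights -join ',') }
    }
}
# Placeholder path: set this to the desired location of the CSV file
$report | Export-Csv -Path 'C:\Temp\SharedMailboxPermissions.csv' -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false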
- Review the resulting CSV report.
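Get-MailboxPermission returns mailbox-level rights such as Full Access, while 'Send As' is stored separately. The following is an added example, not part of the original article or of Lepide's tooling: it goes slightly beyond the script above by reporting Full Access, Send As and Send on Behalf for each shared mailbox and by dropping system, inherited and deny entries. It assumes an existing Connect-ExchangeOnline session; the function name and CSV path are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# Get-SharedMailboxAccessReport is a hypothetical helper name.
function Get-SharedMailboxAccessReport {
    $mailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
    foreach ($mbx in $mailboxes) {
        $id = $mbx.PrimarySmtpAddress

        # Full Access: explicit allow entries only; skip the mailbox's own
        # NT AUTHORITY\SELF entry and other system principals.
        Get-MailboxPermission -Identity $id |
            Where-Object {
                $_.AccessRights -like '*FullAccess*' -and
                $_.IsInherited -eq $false -and
                $_.Deny -eq $false -and
                $_.User -notlike 'NT AUTHORITY\*'
            } |
            ForEach-Object {
                [PSCustomObject]@{ Mailbox = $id; Trustee = $_.User; Access = 'FullAccess' }
            }

        # Send As is stored separately and is read with Get-RecipientPermission.
        Get-RecipientPermission -Identity $id |
            Where-Object {
                $_.AccessRights -like '*SendAs*' -and
                $_.AccessControlType -eq 'Allow' -and
                $_.Trustee -notlike 'NT AUTHORITY\*'
            } |
            ForEach-Object {
                [PSCustomObject]@{ Mailbox = $id; Trustee = $_.Trustee; Access = 'SendAs' }
            }

        # Send on Behalf is a property of the mailbox object itself.
        foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
            [PSCustomObject]@{ Mailbox = $id; Trustee = $delegate; Access = 'SendOnBehalf' }
        }
    }
}

# One row per (mailbox, trustee, access type); the CSV path is a placeholder.
$rows = Get-SharedMailboxAccessReport
$rows | Sort-Object Mailbox, Trustee |
    Export-Csv -Path '.\SharedMailboxAccess.csv' -NoTypeInformation

# Trustees holding access to many shared mailboxes are the first to review.
$rows | Group-Object Trustee | Sort-Object Count -Descending |
    Select-Object Name, Count -First 10
```

Comparing the exported CSV against the previous run shows which trustees were added or removed between reviews.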
Using the Lepide Data Security Platform
The Lepide Data Security Platform includes a wide range of Exchange Online reports – both on premise and online – which can be run with no requirement for PowerShell scripting. The following example is the Mailbox Accessed by Non Owners report:
To run the report:
- From the States & Behavior screen, select Exchange Online, Mailbox Accessed by Non Owners
- Click Generate Report
- The report includes Action Performed By, Action Performed On, Operation, When and What
- The report can be grouped, filtered, saved and exported