How to Detect Who Was Accessing Shared Mailbox in Office 365

Native Auditing vs. Netwrix Auditor for Exchange
{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Exchange
Native Auditing
Netwrix Auditor for Exchange
  1. Open PowerShell → Run the following command to connect with Exchange Online instance and enter your credentials in the pop-up window:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

  1. To enable mailbox auditing run:
  • For a single mailbox:

Set-Mailbox –Identity "TestUser" -AuditEnabled $true

  • For all mailboxes:

$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} $UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

  • To check what mailboxes have auditing enabled run:

Get-Mailbox  | FL Name,AuditEnabled

  1. Open Exchange Administration Center → Navigate to "Compliance Management" Auditing.
  2. Click "Run a non-owner mailbox access report". You will get the report on non-owner access to all mailboxes with enabled auditing over the past two weeks.
  3. To view non-owner access to a specific mailbox Click on a mailbox to view all non-owner access events with the details.
Sample Report - How to Detect Who Was Accessing Shared Mailbox in Office 365
  1. Run Netwrix Auditor → Click "Reports" → Choose Exchange Online → Choose "All Exchange Non-Owner Mailbox Access Events" → Click "View".
  2. In order to save a report, click "Export" button → PDF → Save as → Choose a location to save it.
Netwrix Report - How to Detect Who Was Accessing Shared Mailbox in Office 365

See What Users Who Were Granted Full Access to a Shared Mailbox in Office 365 Have Been Up to

Users who have been granted Office 365 full access permissions to a shared mailbox or another user’s mailbox can do far more than read messages; they can delete emails, alter or copy mailbox content, and even forward sensitive emails to third parties — any of which could threaten your data security or result in data loss. Therefore, it’s critical for IT administrators to know whenever someone in Office 365 accesses another user’s mailbox or a shared mailbox, and also be able to track exactly what they did during each access session. 

Netwrix Auditor for Exchange enables you to stay abreast of all changes and access events across your Exchange Server and Exchange Online, including events when someone opens another user’s mailbox. The solution does not simply report that an Office 365 user gained access to another mailbox; it also shows exactly which items the user viewed, edited or deleted. By subscribing to these detailed reports or generating them on demand, you can proactively stay on top of what’s going on across your both Exchange Server and Exchange Online and quickly spot and investigate threatening actions, thereby shielding your critical assets from a breach. 

Related How-tos