How to Detect Who Was Accessing Shared Mailbox in Office 365

Native Auditing vs. Netwrix Auditor for Office 365
We never share your data. Privacy Policy
Native Auditing Netwrix Auditor for Office 365
  1. Open PowerShell → Run the following command to connect with Exchange Online instance and enter your credentials in the pop-up window:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

  1. To enable mailbox auditing run:
  • For a single mailbox:

Set-Mailbox –Identity "TestUser" -AuditEnabled $true

  • For all mailboxes:

$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} $UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

  • To check what mailboxes have auditing enabled run:

Get-Mailbox  | FL Name,AuditEnabled

  1. Open Exchange Administration Center → Navigate to "Compliance Management" Auditing.
  2. Click "Run a non-owner mailbox access report". You will get the report on non-owner access to all mailboxes with enabled auditing over the past two weeks.
  3. To view non-owner access to a specific mailbox Click on a mailbox to view all non-owner access events with the details.
  1. Run Netwrix Auditor → Click "Reports" → Choose Exchange Online → Choose "All Exchange Non-Owner Mailbox Access Events" → Click "View".
  2. In order to save a report, click "Export" button → PDF → Save as → Choose a location to save it.

See What Users Who Were Granted Full Access to a Shared Mailbox in Office 365 Have Been Up to

Users who have been granted Office 365 full access permissions to a shared mailbox or another user’s mailbox can do far more than read messages; they can delete emails, alter or copy mailbox content, and even forward sensitive emails to third parties — any of which could threaten your data security or result in data loss. Therefore, it’s critical for IT administrators to know whenever someone in Office 365 accesses another user’s mailbox or a shared mailbox, and also be able to track exactly what they did during each access session. 

Netwrix Auditor for Office 365 enables you to stay abreast of all changes and access events across your SharePoint Online, OneDrive for Business and Exchange Online, including events when someone opens another user’s mailbox. The solution does not simply report that an Office 365 user gained access to another mailbox; it also shows exactly which items the user viewed, edited or deleted. By subscribing to these detailed reports or generating them on demand, you can proactively stay on top of what’s going on across your Exchange Online and quickly spot and investigate threatening actions, thereby shielding your critical assets from a breach.