
How to Audit Shared Mailbox Sign-Ins in Microsoft 365

Exchange Online shared mailboxes are commonly used for team communication. However, if direct sign-ins are allowed, anyone with the credentials can access and use the mailbox to read or send emails, thereby leading to potential data security risks. Tracking shared mailbox sign-ins helps you quickly detect such access and protect your organization’s shared resources. This guide explains how to track shared mailbox sign-ins and implement the right security measures to effectively prevent direct sign-ins in your Microsoft 365 organization.

Get Shared Mailbox Sign-Ins Using Microsoft Entra Admin Center

Microsoft 365 Permission Required
  • Least privilege: Security Reader
  • Most privilege: Global Admin
  • Sign in to the Microsoft Entra admin center and navigate to Entra ID»Monitoring & Health»Sign-in logs»User sign-ins (interactive).
  • Apply the “User Principal Name” filter for the target shared mailbox to view all its sign-in activities.
  • By default, this displays the shared mailbox sign-ins from the last 24 hours. You can adjust the Date range filter to view data up to 30 days.
  • It provides details, such as username, application used, IP address, sign-in status, applied Conditional Access, required authentication factor, and more.

List Shared Mailbox Sign-In Activities Using PowerShell

Microsoft Graph API Permissions Required
  • Least privilege: AuditLog.Read.All
  • Most privilege: Directory.ReadWrite.All
  • Connect to the Microsoft Graph PowerShell using the cmdlet below:
     Connect-MgGraph -Scopes AuditLog.Read.All
  • Use the following cmdlet after replacing <SharedMailboxUPN> with the user principal name of the shared mailbox to retrieve its sign-in logs from Microsoft Entra ID.
     Get-MgBetaAuditLogSignIn -All -Filter "userPrincipalName eq '<SharedMailboxUPN>'" |
         Select-Object CreatedDateTime, Id, UserPrincipalName, AppDisplayName, IPAddress, ResourceDisplayName, ResourceId |
         Format-Table -AutoSize
  • The above cmdlet retrieves all the sign-in logs of the specified shared mailbox within the last 30 days. The output includes key details like sign-in time, request ID, username, application name, IP address, resource ID, and resource name of the shared mailbox sign-ins.
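The steps above query one mailbox at a time. The following script, added here as an example and not part of the original post, runs the same Get-MgBetaAuditLogSignIn query against every shared mailbox in the tenant and also requests non-interactive sign-ins (token refreshes and background clients), which the default query leaves out. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Beta modules are installed, that the account holds Security Reader plus an Exchange role that can read mailboxes (for example View-Only Recipients), and that Graph accepts the combined userPrincipalName, createdDateTime and signInEventTypes filter; the output path is a placeholder.

```powershell
# Added example (not from the original post): audit sign-ins for ALL shared mailboxes,
# covering both interactive and non-interactive sign-in events, and export them to CSV.
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph.Beta installed; account holds
# Security Reader and an Exchange read role; output path below is a placeholder.

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

# Entra ID keeps sign-in logs for at most 30 days, so a larger window returns nothing extra
$Days       = 30
$Since      = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$OutputFile = ".\SharedMailboxSignIns.csv"   # assumed output path

# Every shared mailbox in the tenant
$SharedMailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited -Properties UserPrincipalName

$Results = foreach ($Mailbox in $SharedMailboxes) {
    # Escape a literal apostrophe in the UPN (e.g. o'brien) for the OData filter
    $Upn = $Mailbox.UserPrincipalName -replace "'", "''"

    # Interactive sign-ins: what Get-MgBetaAuditLogSignIn returns by default
    $Interactive = Get-MgBetaAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $Since"

    # Non-interactive sign-ins must be requested explicitly via signInEventTypes
    $NonInteractive = Get-MgBetaAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $Since and signInEventTypes/any(t: t eq 'nonInteractiveUser')"

    # @($null) is a one-element array, so drop empty results before iterating
    foreach ($SignIn in (@($Interactive) + @($NonInteractive) | Where-Object { $_ })) {
        [PSCustomObject]@{
            SignInTime    = $SignIn.CreatedDateTime
            RequestId     = $SignIn.Id
            SharedMailbox = $SignIn.UserPrincipalName
            SignInType    = ($SignIn.SignInEventTypes -join ',')
            Application   = $SignIn.AppDisplayName
            ClientApp     = $SignIn.ClientAppUsed
            IPAddress     = $SignIn.IPAddress
            Location      = "$($SignIn.Location.City), $($SignIn.Location.CountryOrRegion)"
            Resource      = $SignIn.ResourceDisplayName
            # ErrorCode 0 is a successful sign-in; anything else is a failure code
            Status        = if ($SignIn.Status.ErrorCode -eq 0) { 'Success' } else { "Failure ($($SignIn.Status.ErrorCode))" }
        }
    }
}

$Results | Export-Csv -Path $OutputFile -NoTypeInformation
Write-Host "$(@($Results).Count) sign-in events for $(@($SharedMailboxes).Count) shared mailboxes written to $OutputFile"

# Triage view: which shared mailboxes signed in at all, and from how many distinct IPs
$Results | Group-Object SharedMailbox |
    Select-Object Name, Count, @{ n = 'DistinctIPs'; e = { @($_.Group.IPAddress | Sort-Object -Unique).Count } } |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Any row at all for a shared mailbox deserves a look: delegated access through Outlook is logged under the delegate's own account, not the mailbox's UPN, so an event under the shared mailbox itself means its own credentials were used. A successful non-interactive sign-in from an unfamiliar IP usually points to a stored credential still in use somewhere, which is exactly the case the interactive-only view misses.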

Track Shared Mailbox Sign-Ins to Block its Direct Logins in Microsoft Entra ID!

AdminDroid’s sign-in activity monitoring tool offers deep visibility into shared mailbox sign-in activities through detailed reports and interactive dashboards. It helps admins easily track sign-in enabled shared mailboxes, detect direct login attempts, and act swiftly on any sign-in risks to keep your environment secure and compliant.

Get a List of All Shared Mailboxes in Microsoft 365

Gain complete visibility into all Microsoft 365 shared mailboxes to ensure better monitoring, management, and compliance. It includes details, such as mailbox names, send/receive quotas, license, sign-in status and more.

Audit Shared Mailbox Delegated Permission Changes

Audit shared mailbox permission changes to ensure only authorized users have access and promptly revoke high-privilege permissions for suspicious accounts.

Find Non-Compliant Shared Mailboxes in Microsoft 365

Identify non-compliant shared mailboxes that have sign-in enabled without an Exchange Online license to stay compliant with Microsoft policies and avoid security threats.

Find Unused Shared Mailboxes in Microsoft 365

Review inactive shared mailboxes based on the user’s last activity to identify unused ones and remove them to optimize security and compliance.

Remove Unnecessary Shared Mailbox Licenses

Analyze inactive accounts with licensed shared mailboxes to reclaim unused Exchange Online licenses and reduce costs for efficient license management.

View Shared Mailbox Membership and Access

Monitor the shared mailbox members report to identify users with full access permissions and remove unnecessary permissions to prevent misuse and secure mailbox access.

AdminDroid's Entra ID management tool provides actionable insights on shared mailbox sign-ins and helps you take quick, informed actions. Beyond monitoring, you can manage permissions, configure alerts for every sign-in, track license details, and gain full visibility over your Microsoft 365 environment.


Important Tips

Remove shared mailbox access and update its password immediately during user offboarding to prevent unauthorized use of credentials.

Set up alerts on shared mailbox sign-ins to get notified instantly and stop suspicious access before it becomes a threat.

Avoid assigning an Exchange Online license to shared mailboxes unless you specifically need features like storage above 50 GB or an archive mailbox.

Common Errors and Resolution Steps

Encountering issues with shared mailbox sign-in auditing? Here are some common errors and troubleshooting tips to help you resolve them quickly.

Error: The term 'Get-MgBetaAuditLogSignIn' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs because the ‘Microsoft.Graph.Beta’ module hasn’t been installed on your machine.

Fix: Install and import the ‘Microsoft.Graph.Beta’ module on your machine using the following PowerShell cmdlets.
Install-Module Microsoft.Graph.Beta -Scope CurrentUser
Import-Module Microsoft.Graph.Beta

Error: Get-MgBetaAuditLogSignIn : User is not in the allowed roles.

This error occurs when a user without at least the Security Reader role runs the ‘Get-MgBetaAuditLogSignIn’ cmdlet to access sign-in logs.

Fix: Ensure that you have been assigned at least the Security Reader role to access shared mailbox sign-in logs.

Error: Get-MgBetaAuditLogSignIn : Calling principal does not have required MSGraph permissions AuditLog.Read.All.

This error occurs in PowerShell when executing the ‘Get-MgBetaAuditLogSignIn’ cmdlet without the scope permissions required for accessing sign-in logs.

Fix: Ensure you have the necessary Microsoft Graph permissions, at least ‘AuditLog.Read.All’, to access shared mailbox sign-in logs. Also, make sure you are assigned at least the Security Reader role.
Connect-MgGraph -Scopes "AuditLog.Read.All"

Error: Insufficient privileges to complete the operation.

This error occurs in the Entra admin center when you attempt to read sign-in logs without being assigned at least the Security Reader role.

Fix: Contact the Microsoft 365 administrator who manages Entra ID roles and request assignment of the Security Reader role to access sign-in logs.

Error: Get-MgBetaAuditLogSignIn : One or more errors occurred.

This error occurs when multiple versions of the Microsoft Graph Beta PowerShell module are installed on your machine.

Fix: Use the following cmdlets to list all installed versions of the Microsoft Graph Beta module and uninstall the specific old version. Replace <Version> with the version number to remove when running the uninstallation cmdlet.
# List all installed versions of Microsoft.Graph.Beta
Get-Module -Name Microsoft.Graph.Beta -ListAvailable
# Uninstall a specific version of Microsoft.Graph.Beta and its sub-modules
Get-InstalledModule -Name Microsoft.Graph.Beta* |
    Where-Object { $_.Version -eq "<Version>" } |
    ForEach-Object { Uninstall-Module -Name $_.Name -RequiredVersion $_.Version -Force }

1. What are the possible ways for shared mailbox direct sign-ins to occur in Microsoft 365?

Shared mailboxes are intended to be accessed through delegated permissions, not direct logins. However, if sign-in is accidentally left enabled or credentials are exposed, it can lead to unauthorized access and potential data compromise. The following examples illustrate the most common scenarios where Microsoft 365 shared mailbox sign-ins may occur.

1. Conversion of a user account to a shared mailbox

When a user account or a regular mailbox is converted to a shared mailbox, the original username (UPN) and password remain valid until sign-in is explicitly blocked. If the password isn’t reset and sign-in remains enabled, the account can still be accessed just like a normal mailbox.

2. Set or reset password for a shared mailbox

By default, shared mailboxes are created without a password. However, if an admin or licensed user sets or resets a password while converting a user mailbox to a shared mailbox, it can be accessed directly using those credentials.

3. Assigning license temporarily for a shared mailbox

Admins may sometimes assign an Exchange Online license temporarily for tasks like eDiscovery, retention, or converting a mailbox. During this period, the mailbox allows direct sign-in until the license is removed and sign-in is blocked.

2. How to block shared mailbox sign-ins in Microsoft 365?

Some shared mailboxes are enabled for direct sign-in, even though they are intended only for delegated access. For example, when a user mailbox is converted to a shared mailbox, direct sign-in may remain enabled. Such a setup allows any user or an attacker with mailbox credentials to sign in directly and access sensitive data.

To address this, block direct sign-ins for shared mailboxes so that unauthorized access is prevented and organizational data stays protected. The following are some effective methods for blocking shared mailbox sign-ins in Microsoft 365.

Block shared mailbox sign-ins using Microsoft 365 admin center

  • Sign in to the Microsoft 365 admin center.
  • Navigate to Users»Active Users and select the target shared mailbox.
  • Then, select Block sign-in from the flyout page that pops up.
  • Now, check Block this user from signing in and click Save changes.

Block shared mailbox sign-ins using PowerShell

To simplify large-scale management, we’ve developed a custom PowerShell script below that efficiently handles the task.


The script first exports the sign-in status of all shared, room, and equipment mailboxes, and then blocks sign-in for all shared mailboxes upon your confirmation.
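The following script is an added example that does what the paragraph above describes; it is not the post's own script. It exports the sign-in status (and license count, since a licensed shared mailbox is one of the scenarios in which direct sign-in becomes possible) of every shared, room and equipment mailbox, then blocks sign-in for the shared mailboxes that still allow it, after an explicit confirmation. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that Get-EXOMailbox accepts several recipient types at once, and that the account can update users; User.ReadWrite.All is requested here, with User.EnableDisableAccount.All plus User.Read.All as the narrower alternative. The report path is a placeholder.

```powershell
# Added example (not the post's own script): export mailbox sign-in status, then block
# direct sign-in for shared mailboxes after confirmation.
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph installed; account may update
# users; report path below is a placeholder.

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

$ReportPath = ".\MailboxSignInStatus.csv"   # assumed output path

# Shared, room and equipment mailboxes all carry the same "no direct sign-in" expectation
$Mailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox, RoomMailbox, EquipmentMailbox `
    -ResultSize Unlimited -Properties UserPrincipalName, ExternalDirectoryObjectId

$Status = foreach ($Mailbox in $Mailboxes) {
    # ExternalDirectoryObjectId is the Entra ID object id of the mailbox's user account
    $User = Get-MgUser -UserId $Mailbox.ExternalDirectoryObjectId -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses
    [PSCustomObject]@{
        DisplayName   = $Mailbox.DisplayName
        UPN           = $Mailbox.UserPrincipalName
        MailboxType   = $Mailbox.RecipientTypeDetails
        ObjectId      = $User.Id
        SignInAllowed = $User.AccountEnabled           # $true: direct sign-in is possible
        LicenseCount  = @($User.AssignedLicenses).Count # >0: worth reviewing (see Important Tips)
    }
}

$Status | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Sign-in status of $(@($Status).Count) mailboxes exported to $ReportPath"

# Only shared mailboxes that still allow sign-in are candidates for blocking
$ToBlock = @($Status | Where-Object { $_.MailboxType -eq 'SharedMailbox' -and $_.SignInAllowed })
if ($ToBlock.Count -eq 0) {
    Write-Host "No sign-in enabled shared mailboxes found."
    return
}

$ToBlock | Format-Table UPN, LicenseCount -AutoSize
$Answer = Read-Host "Block sign-in for the $($ToBlock.Count) shared mailbox(es) listed above? (Y/N)"
if ($Answer -ne 'Y') {
    Write-Host "No changes made."
    return
}

foreach ($Mailbox in $ToBlock) {
    # AccountEnabled = $false is the same setting as "Block this user from signing in" in the admin center
    Update-MgUser -UserId $Mailbox.ObjectId -AccountEnabled:$false
    Write-Host "Blocked sign-in: $($Mailbox.UPN)"
}
```

Blocking sign-in does not affect delegated access: users with Full Access, Send As or Send on Behalf keep working through their own accounts, which is why the export step comes first and the block step only touches accounts that still have AccountEnabled set to true.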

Easily block shared mailbox sign-in activities with AdminDroid’s simple point-and-click controls!

  • In the all users report, simply select the target shared mailbox. At the footer, click More Action, then under User Lifecycle Management, choose Disable User and you’re done!
  • Along with user management, you can also access a range of mailbox management actions such as disable email forwarding, soft delete mailbox, and so on.
  • You can also deploy shared mailbox sign-in alerts to get instant notifications on every shared mailbox sign-in for an enhanced protection.

3. What are the best practices to manage shared mailbox sign-ins in Microsoft 365?

Shared mailboxes are a key part of communication in Microsoft 365. However, without proper monitoring and management, they can lead to security risks, compliance issues, and unnecessary license usage. Here are some best practices to manage shared mailboxes effectively.

1. Block sign-in for shared mailbox accounts

Shared mailboxes are not meant for direct sign-ins. If sign-in is enabled, someone could log in with the mailbox credentials and misuse the account. Always check the sign-in status in the Microsoft 365 admin center and disable it when not required.

2. Remove unnecessary licenses from shared mailbox

Shared mailboxes do not need an Exchange Online license unless the mailbox size exceeds 50 GB or you want to enable archiving. If a license is assigned without these requirements, you can remove the license from the shared mailbox to save costs and reduce misuse.

3. Grant delegated access to a shared mailbox

Users should access shared mailboxes using delegated permissions like Send As, Send on Behalf of, or Full Access. If logins appear in interactive or non-interactive sign-in logs, it indicates potential misuse of mailbox credentials. To prevent this, ensure that shared mailboxes allow delegated access only.

4. Find and remove inactive shared mailboxes

Inactive shared mailboxes often remain licensed and consume resources even when they are not in use. Review mailbox activity regularly, and if a shared mailbox is no longer needed, archive or delete it to maintain a clean environment.

5. Apply least privilege to shared mailbox permissions

Giving too many users Full Access or Send As permissions increases the chances of mistakes and data exposure. Apply the principle of least privilege by granting only the necessary permissions and reviewing them regularly.
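Best practices 3 and 5 both come down to knowing who holds delegated rights on each shared mailbox. The following script, added here as an example and not part of the original post, builds that inventory: it collects Full Access, Send As and Send on Behalf grants for every shared mailbox, exports them, and prints two review aids. It assumes the ExchangeOnlineManagement module is installed and the account holds an Exchange role that can read mailbox permissions (for example View-Only Recipients); the report path and the addresses in the trailing comment are placeholders.

```powershell
# Added example (not from the original post): inventory delegated access on shared mailboxes
# so Full Access / Send As / Send on Behalf grants can be reviewed for least privilege.
# Assumptions: ExchangeOnlineManagement installed; account can read mailbox permissions;
# report path below is a placeholder.

Connect-ExchangeOnline -ShowBanner:$false
$ReportPath = ".\SharedMailboxDelegates.csv"   # assumed output path

# GrantSendOnBehalfTo is not in the default property set, so request it explicitly
$SharedMailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited -Properties GrantSendOnBehalfTo

$Delegations = foreach ($Mailbox in $SharedMailboxes) {
    $Identity = $Mailbox.PrimarySmtpAddress

    # Full Access: explicit (non-inherited) grants to real principals; skip system entries
    Get-EXOMailboxPermission -Identity $Identity |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
            $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*'
        } |
        ForEach-Object { [PSCustomObject]@{ SharedMailbox = $Identity; Delegate = $_.User; Permission = 'FullAccess' } }

    # Send As is a recipient permission, not a mailbox permission
    Get-EXORecipientPermission -Identity $Identity |
        Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [PSCustomObject]@{ SharedMailbox = $Identity; Delegate = $_.Trustee; Permission = 'SendAs' } }

    # Send on Behalf is stored on the mailbox object itself
    foreach ($Delegate in $Mailbox.GrantSendOnBehalfTo) {
        [PSCustomObject]@{ SharedMailbox = $Identity; Delegate = $Delegate; Permission = 'SendOnBehalf' }
    }
}

$Delegations | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($Delegations).Count) delegation entries written to $ReportPath"

# Review aid 1: shared mailboxes with the most Full Access holders
Write-Host "`nShared mailboxes with the most Full Access holders:"
$Delegations | Where-Object Permission -eq 'FullAccess' | Group-Object SharedMailbox |
    Sort-Object Count -Descending | Select-Object -First 10 Name, Count | Format-Table -AutoSize

# Review aid 2: delegates holding Full Access on more than five shared mailboxes
Write-Host "Delegates with Full Access on more than five shared mailboxes:"
$Delegations | Where-Object Permission -eq 'FullAccess' | Group-Object Delegate |
    Where-Object Count -gt 5 | Select-Object Name, Count | Format-Table -AutoSize

# Revoking a grant found to be unnecessary (placeholder addresses):
# Remove-MailboxPermission -Identity shared@example.com -User someone@example.com -AccessRights FullAccess -Confirm:$false
```

Run the inventory on a schedule and diff the CSV against the previous run: a new Full Access or Send As entry that nobody requested is the permission-change event the audit report in the earlier section is meant to surface.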

Following these best practices will help you secure shared mailboxes, reduce unnecessary license costs, and maintain compliance in Microsoft 365.
