🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Exchange Online

How to Find Non-Compliant Shared Mailboxes in Microsoft 365

Did you know that sign-ins are enabled by default when a shared mailbox is created in Microsoft 365? Yes, this default setting can lead to two significant issues: a violation of Microsoft’s licensing policies and increased risk of unauthorized access to your environment. Don’t worry, this guide will help you identify and manage unlicensed shared mailboxes that have enabled sign-ins in your Microsoft 365 environment.

Solution 1
Solution 2
Important Tips
Errors and Resolution Steps
FAQs

Using PowerShell Script

Microsoft 365 Permission Required
View-only Audit Logs Least Privilege
Global Admin Most Privilege
  • Identifying non-compliant shared mailboxes using admin portals is tedious, as it requires navigating through each shared mailbox to verify Exchange Online licensing, and sign-in status.
  • Fortunately, there is a PowerShell script to simplify the process with the help of the Exchange Online module and Microsoft Graph cmdlets.
  • With this script, you can quickly identify sign-in enabled shared mailboxes without an Exchange Online license and their properties.
  • Download and run the following script in the Administrator PowerShell.
Using PowerShell Script
FindNonCompliantSharedMailboxes.ps1
  • The output provides a list of all non-compliant shared mailboxes, including their shared mailbox display name, primary SMTP address, last sign-in time, and creation time.
AdminDroid Exchange Online Reporter

Streamline the Exchange Online environment by identifying and managing non-compliant shared mailboxes effectively

AdminDroid's Exchange Online reporting tool lets you monitor and manage non-compliant shared mailboxes that require licensing across your organization. The following capabilities offer comprehensive control over shared mailboxes in your Exchange Online environment, ensuring license optimization.

Real-time Alerts for M365 Shared Mailbox Permission Changes

With AdminDroid's alerting feature, receive instant notifications for unexpected changes to shared mailbox permissions in Microsoft 365. Customize thresholds to improve detection of unauthorized modifications.

Microsoft 365 Shared Mailbox Members with Full Access

Get a list of members with full access to M365 shared mailboxes to verify that access permissions are appropriate, align with organizational policies, and revoke any unnecessary permissions to enhance security.

Identifying Inactive Shared Mailboxes in Microsoft 365

Use the inactive M365 shared mailboxes report to check details like the last email activity and inactive days. Identify unused mailboxes to reassign or deactivate licenses for better resource use.

Visualization of Recently Created M365 Shared Mailboxes

Effortlessly monitor newly created M365 shared mailboxes to identify and remove unwanted mailboxes and ensure that only active shared mailboxes remain in your organization.

M365 Shared Mailbox Size Analysis for License Allocation

Analyze shared mailbox size trends to find the storage usage of shared mailboxes and determine when an Exchange Online license is required to extend mailbox limits.

Detailed Monitoring of M365 Shared Mailbox Access Activities

Leverage AdminDroid's detailed report on Microsoft 365 shared mailbox access to detect unauthorized actions and safeguard sensitive information.

In conclusion, identifying and managing shared mailboxes that violate Microsoft’s licensing policies is vital for maintaining compliance, adhering to regulatory requirements, and ensuring efficient communication within the Exchange Online environment.

Explore a full range of reporting options
Download Live Demo

Important Tips

Regularly monitor email forwarding rules for Exchange Online shared mailboxes to identify any malicious external forwarding configured by users in your Microsoft 365 organization.

Block sign-ins for Microsoft 365 shared mailboxes to strengthen security and prevent unauthorized access while adhering to Microsoft's licensing requirements.

When enabling sign-ins for a Microsoft 365 shared mailbox, it is recommended to configure multi-factor authentication to enhance security.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints when tracking Microsoft 365 non-compliant shared mailboxes.

Error You've exceeded the storage limit for your mailbox. Delete some items from your mailbox.

This error signifies that the shared mailbox usage is full, and it has exceeded its assigned storage limit.

Fix To resolve this issue, increase the shared mailbox storage by assigning an Exchange Online license. To assign an EXO license to a shared mailbox, use the admin portal or connect to Microsoft Graph PowerShell and run the following cmdlet. 
Set-MgUserLicense -UserId <MailboxUPN> -AddLicenses <LicenseSkuId>

Error Your account has been locked. Contact your support person to unlock it, then try again.

This error occurs when attempting to sign in directly to a shared mailbox that has sign-in disabled.

Fix Although signing in to a shared mailbox without a license is not recommended, you can assign an Exchange Online license and unblock access for direct sign-in if required. To do so, connect to Microsoft Graph PowerShell and enable sign-in to the user account using the following cmdlet. 
Update-MgUser -UserId <MailboxUPN> -AccountEnabled:$true

Error ./NonCompliantSharedMailboxes.ps1 cannot be loaded because running scripts is disabled on this system.

The script encounters this error because the current execution policy is set to "Restricted", which blocks script execution.

Fix To resolve this error, execute the below cmdlet to set the execution policy as Unrestricted before running the script. 
Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Error Get-MgAuditLogSignIn : You cannot perform the requested operation, required scopes are missing in the token.

This error occurs when the MS Graph module does not have permission to audit the sign-in events.

Fix Connect to the MS Graph PowerShell using the below cmdlet and allow permission to access sign-in logs. 
Connect-Graph -Scopes "AuditLog.Read.All"
Exchange Online
Frequently Asked Questions

Detect and Fix Non-Compliant Shared Mailboxes to Ensure Compliance in Microsoft 365

Why is it important to identify non-compliant shared mailboxes in Microsoft 365?
How to disable login for a shared mailbox in Microsoft 365?
How to monitor direct sign-in activities for shared mailboxes in Microsoft 365?
What is the purpose of direct sign-in to shared mailboxes in Exchange Online?

1. Why is it important to identify non-compliant shared mailboxes in Microsoft 365?

Identifying and addressing non-compliant shared mailboxes in Microsoft 365 is crucial for several reasons:

Understanding licensing requirements for M365 shared mailboxes

Shared mailboxes with direct sign-ins violate Microsoft's licensing policies. While shared mailboxes typically don’t require licenses, any shared mailbox that requires direct sign-in access must be licensed.

Limitations of shared mailboxes due to lack of an Exchange Online license:

  • No Access to Premium Features: Features like archiving, compliance tools (e.g., litigation hold), and advanced security options require licensing.
  • No Mobile Access: Exchange Online ActiveSync cannot be enabled, making email synchronization on mobile devices unavailable.
  • Limited Storage: An unlicensed M365 shared mailbox has a storage limit of only 50 GB, whereas licensed shared mailboxes support larger storage capacities.

Security risks of non-compliant Microsoft 365 shared mailboxes

  • Direct sign-ins to shared mailboxes expose vulnerabilities, which increases the risk of unauthorized access and potential data breaches.
  • Implementing robust security controls, such as conditional access and multi-factor authentication, helps safeguard organizational data.

Data management of Microsoft 365 shared mailbox

  • Instead of signing into a shared mailbox after an employee leaves, grant Full Access permissions to another user for better efficiency.
  • This allows the user to access the former employee's mailbox data.

Audit and monitoring of M365 shared mailboxes

  • Regularly monitoring shared mailboxes by reviewing sign-in logs and auditing permissions enhances transparency and accountability.
  • This helps ensure adherence to organizational policies and licensing agreements.

Handy-Tip: To conserve the data of a former employee, convert the user mailbox to an inactive mailbox instead of a shared mailbox. This ensures data preservation, enhances security, and prevents unauthorized access. Inactive mailboxes also block the delivery of new emails, providing a secure solution for safeguarding the ex-employee's email data.

2. How to disable login for a shared mailbox in Microsoft 365?

Disabling sign-in for a shared mailbox is crucial to strengthen security in Microsoft 365. Sign-in enabled shared mailboxes can create potential security risks, especially if they are not properly managed or licensed.

Block shared mailbox sign-in using Microsoft 365 admin center

  • Sign in to the Microsoft 365 admin center and navigate to Users»Active users.
  • Find and select the shared mailbox for which you want to block the sign-in.
  • Disable sign-in for the shared mailbox by clicking on Block sign-in.
  • Then click Save changes to apply the updates.
m365-admin-center-license-assigning

Block Microsoft 365 shared mailbox sign-in using PowerShell

Connect to the Microsoft Graph PowerShell with required permission using the below cmdlet.

Connect-MgGraph -Scopes "User.ReadWrite.All"

Run the below cmdlet in PowerShell to block sign-in for a shared mailbox in Microsoft 365.

Update-MgUser -UserId  -AccountEnabled:$false

Tip: Make sure that only authorized users have access and remove any unnecessary Microsoft 365 shared mailbox delegations to reduce potential risks.

3. How to monitor direct sign-in activities for shared mailboxes in Microsoft 365?

Monitoring direct sign-in logs for shared mailboxes in Microsoft 365 is crucial for security. It allows admins to detect unauthorized access, identify risks, and take prompt action to protect organizational data.

Monitor logins to M365 shared mailboxes in Entra admin center

  • Sign-in to the Microsoft Entra admin center and navigate to Identity»Users»All users.
  • Select the sign-in enabled shared mailbox from the Entra ID account list.
  • Within the user properties, select Sign-in logs under the overview pane.
entra-admin-center-sm-direct-signin

Retrieve direct logins of M365 shared mailboxes using PowerShell

Since the portal method is time-consuming and requires manual monitoring of each user's sign-in logs, this PowerShell script allows you to efficiently retrieve the direct sign-in logs for all shared mailboxes in your M365 tenant at once.

Connect to the 'Exchange Online' PowerShell module using the below cmdlet.

Connect-ExchangeOnline

Run the following cmdlet with the appropriate start date and end date to retrieve the M365 shared mailboxes' direct sign-ins.

Get-Mailbox -RecipientTypeDetails SharedMailbox | ForEach-Object { 

Search-UnifiedAuditLog -UserIds $_.UserPrincipalName -Operations userloggedin -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY 
} | ft
direct-signin-shared-mailboxes-output

4. What is the purpose of direct sign-in to shared mailboxes in Exchange Online?

Enabling sign-in for a Microsoft 365 shared mailbox is generally discouraged, as it can lead to compliance and security issues. However, there are specific scenarios where enabling sign-in is acceptable:

  • Third-Party Application Integration Certain third-party applications may need direct access to a shared mailbox. In such cases, enabling sign-in and assigning a license ensures the application functions correctly.
  • Automated Processes and Service Accounts Some automated processes or service accounts may need direct access to a shared mailbox for tasks like processing incoming emails or system integrations, which require direct sign-in to the shared mailbox.

Note: Allocate an EXO license to enable direct sign-in to a shared mailbox and regularly check M365 licensed shared mailboxes to manage assignments effectively.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Exchange Online
How to Find Non-Compliant Shared Mailboxes in Microsoft 365
Exchange Online Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo