
How to Find Non-Compliant Shared Mailboxes in Microsoft 365

Did you know that sign-in is enabled by default when a shared mailbox is created in Microsoft 365? This default can lead to two significant issues: a violation of Microsoft’s licensing policies and an increased risk of unauthorized access to your environment. This guide will help you identify and manage unlicensed shared mailboxes that still have sign-in enabled in your Microsoft 365 environment.

Using PowerShell Script

Microsoft 365 Permission Required
  • Least privilege: View-only Audit Logs
  • Most privilege: Global Admin

  • Identifying non-compliant shared mailboxes using the admin portals is tedious, as it requires opening each shared mailbox to verify its Exchange Online licensing and sign-in status.
  • Fortunately, there is a PowerShell script that simplifies the process with the help of the Exchange Online module and Microsoft Graph cmdlets.
  • With this script, you can quickly identify sign-in enabled shared mailboxes without an Exchange Online license, along with their properties.
  • Download and run the following script in an Administrator PowerShell session.
FindNonCompliantSharedMailboxes.ps1
  • The output provides a list of all non-compliant shared mailboxes, including their shared mailbox display name, primary SMTP address, last sign-in time, and creation time.
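The following is an added example of the check described above, not the page's own FindNonCompliantSharedMailboxes.ps1. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the three service plan names listed cover the Exchange Online plans used in the tenant, and that the tenant has Entra ID P1/P2 (required to read signInActivity).

```powershell
# Added example: report shared mailboxes that still permit direct sign-in (AccountEnabled)
# but carry no successfully provisioned Exchange Online service plan.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome

# Assumption: these service plan names cover the EXO plans present in the tenant
$exoServicePlans = @("EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD", "EXCHANGE_S_DESKLESS")

$nonCompliant = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName -replace "'", "''"   # escape quotes for the OData filter

    # -Filter with -Property is used because signInActivity is only returned on $select
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" `
                       -Property Id,UserPrincipalName,AccountEnabled,CreatedDateTime,SignInActivity
    if (-not $user -or -not $user.AccountEnabled) { continue }   # sign-in blocked: compliant

    # Any EXO service plan that provisioned successfully counts as licensed
    $licensed = Get-MgUserLicenseDetail -UserId $user.Id |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ServicePlanName -in $exoServicePlans -and $_.ProvisioningStatus -eq "Success" }
    if ($licensed) { continue }

    [pscustomobject]@{
        DisplayName    = $mbx.DisplayName
        PrimarySmtp    = $mbx.PrimarySmtpAddress
        LastSignInTime = $user.SignInActivity.LastSignInDateTime   # null if never signed in
        CreationTime   = $user.CreatedDateTime
    }
}

$nonCompliant | Format-Table -AutoSize
$nonCompliant | Export-Csv -Path ".\NonCompliantSharedMailboxes.csv" -NoTypeInformation
```

Mailboxes listed here should either receive an Exchange Online license or have sign-in blocked, as described in the FAQ below.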

Streamline the Exchange Online environment by identifying and managing non-compliant shared mailboxes effectively

AdminDroid's Exchange Online reporting tool lets you monitor and manage non-compliant shared mailboxes that require licensing across your organization. The following capabilities offer comprehensive control over shared mailboxes in your Exchange Online environment, ensuring license optimization.

Real-time Alerts for M365 Shared Mailbox Permission Changes

With AdminDroid's alerting feature, receive instant notifications for unexpected changes to shared mailbox permissions in Microsoft 365. Customize thresholds to improve detection of unauthorized modifications.

Microsoft 365 Shared Mailbox Members with Full Access

Get a list of members with full access to M365 shared mailboxes to verify that access permissions are appropriate, align with organizational policies, and revoke any unnecessary permissions to enhance security.

Identifying Inactive Shared Mailboxes in Microsoft 365

Use the inactive M365 shared mailboxes report to check details like the last email activity and inactive days. Identify unused mailboxes to reassign or deactivate licenses for better resource use.

Visualization of Recently Created M365 Shared Mailboxes

Effortlessly monitor newly created M365 shared mailboxes to identify and remove unwanted mailboxes and ensure that only active shared mailboxes remain in your organization.

M365 Shared Mailbox Size Analysis for License Allocation

Analyze shared mailbox size trends to find the storage usage of shared mailboxes and determine when an Exchange Online license is required to extend mailbox limits.

Detailed Monitoring of M365 Shared Mailbox Access Activities

Leverage AdminDroid's detailed report on Microsoft 365 shared mailbox access to detect unauthorized actions and safeguard sensitive information.

In conclusion, identifying and managing shared mailboxes that violate Microsoft’s licensing policies is vital for maintaining compliance, adhering to regulatory requirements, and ensuring efficient communication within the Exchange Online environment.


Important Tips

Regularly monitor email forwarding rules for Exchange Online shared mailboxes to identify any malicious external forwarding configured by users in your Microsoft 365 organization.

Block sign-ins for Microsoft 365 shared mailboxes to strengthen security and prevent unauthorized access while adhering to Microsoft's licensing requirements.

When enabling sign-ins for a Microsoft 365 shared mailbox, it is recommended to configure multi-factor authentication to enhance security.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints when tracking Microsoft 365 non-compliant shared mailboxes.

Error: You've exceeded the storage limit for your mailbox. Delete some items from your mailbox.

This error means the shared mailbox is full: its contents have exceeded the storage limit assigned to it.

Fix: To resolve this issue, increase the shared mailbox storage by assigning an Exchange Online license. To assign an EXO license to a shared mailbox, use the admin portal or connect to Microsoft Graph PowerShell and run the following cmdlet. Set-MgUserLicense expects -AddLicenses as a hashtable keyed by SkuId and requires -RemoveLicenses even when it is empty; replace the placeholders with the mailbox UPN and the SKU ID of the license.
Set-MgUserLicense -UserId <MailboxUPN> -AddLicenses @{SkuId = "<LicenseSkuId>"} -RemoveLicenses @()

Error: Your account has been locked. Contact your support person to unlock it, then try again.

This error occurs when attempting to sign in directly to a shared mailbox that has sign-in disabled.

Fix: Although signing in to a shared mailbox without a license is not recommended, you can assign an Exchange Online license and unblock the account for direct sign-in if required. To do so, connect to Microsoft Graph PowerShell and enable sign-in for the account using the following cmdlet.
Update-MgUser -UserId <MailboxUPN> -AccountEnabled:$true

Error: ./NonCompliantSharedMailboxes.ps1 cannot be loaded because running scripts is disabled on this system.

The script encounters this error because the current execution policy is set to "Restricted", which blocks all script execution.

Fix: To resolve this error, run the following cmdlet to set the execution policy to Unrestricted before running the script.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Error: Get-MgAuditLogSignIn : You cannot perform the requested operation, required scopes are missing in the token.

This error occurs when the Microsoft Graph session was not granted the scope needed to read sign-in logs.

Fix: Connect to Microsoft Graph PowerShell with the following cmdlet, which requests the permission to read sign-in logs (Connect-Graph is an alias for Connect-MgGraph).
Connect-MgGraph -Scopes "AuditLog.Read.All"

Frequently Asked Questions

Detect and Fix Non-Compliant Shared Mailboxes to Ensure Compliance in Microsoft 365

Why is it important to identify non-compliant shared mailboxes in Microsoft 365?

Identifying and addressing non-compliant shared mailboxes in Microsoft 365 is crucial for several reasons:

Understanding licensing requirements for M365 shared mailboxes

Shared mailboxes with direct sign-ins violate Microsoft's licensing policies. While shared mailboxes typically don’t require licenses, any shared mailbox that requires direct sign-in access must be licensed.

Limitations of shared mailboxes due to lack of an Exchange Online license:

  • No Access to Premium Features: Features like archiving, compliance tools (e.g., litigation hold), and advanced security options require licensing.
  • No Mobile Access: Exchange Online ActiveSync cannot be enabled, making email synchronization on mobile devices unavailable.
  • Limited Storage: An unlicensed M365 shared mailbox has a storage limit of only 50 GB, whereas licensed shared mailboxes support larger storage capacities.

Security risks of non-compliant Microsoft 365 shared mailboxes

  • Direct sign-ins to shared mailboxes add an interactive credential that can be phished or brute-forced, which increases the risk of unauthorized access and potential data breaches.
  • Implementing robust security controls, such as conditional access and multi-factor authentication, helps safeguard organizational data.

Data management of Microsoft 365 shared mailbox

  • Instead of signing into a shared mailbox after an employee leaves, grant Full Access permissions to another user for better efficiency.
  • This allows the user to access the former employee's mailbox data.

Audit and monitoring of M365 shared mailboxes

  • Regularly monitoring shared mailboxes by reviewing sign-in logs and auditing permissions enhances transparency and accountability.
  • This helps ensure adherence to organizational policies and licensing agreements.

Handy-Tip: To conserve the data of a former employee, convert the user mailbox to an inactive mailbox instead of a shared mailbox. This ensures data preservation, enhances security, and prevents unauthorized access. Inactive mailboxes also block the delivery of new emails, providing a secure solution for safeguarding the ex-employee's email data.

How to disable login for a shared mailbox in Microsoft 365?

Disabling sign-in for a shared mailbox is crucial to strengthen security in Microsoft 365. Sign-in enabled shared mailboxes can create potential security risks, especially if they are not properly managed or licensed.

Block shared mailbox sign-in using Microsoft 365 admin center

  • Sign in to the Microsoft 365 admin center and navigate to Users»Active users.
  • Find and select the shared mailbox for which you want to block the sign-in.
  • Disable sign-in for the shared mailbox by clicking on Block sign-in.
  • Then click Save changes to apply the updates.

Block Microsoft 365 shared mailbox sign-in using PowerShell

Connect to Microsoft Graph PowerShell with the required permission using the following cmdlet.

Connect-MgGraph -Scopes "User.ReadWrite.All"

Run the following cmdlet in PowerShell to block sign-in for a shared mailbox in Microsoft 365, replacing the placeholder with the mailbox UPN.

Update-MgUser -UserId <MailboxUPN> -AccountEnabled:$false

Tip: Make sure that only authorized users have access and remove any unnecessary Microsoft 365 shared mailbox delegations to reduce potential risks.

How to monitor direct sign-in activities for shared mailboxes in Microsoft 365?

Monitoring direct sign-in logs for shared mailboxes in Microsoft 365 is crucial for security. It allows admins to detect unauthorized access, identify risks, and take prompt action to protect organizational data.

Monitor logins to M365 shared mailboxes in Entra admin center

  • Sign in to the Microsoft Entra admin center and navigate to Identity»Users»All users.
  • Select the sign-in enabled shared mailbox from the Entra ID account list.
  • Within the user properties, select Sign-in logs under the overview pane.

Retrieve direct logins of M365 shared mailboxes using PowerShell

Since the portal method is time-consuming and requires checking each user's sign-in logs manually, the following PowerShell snippet retrieves the direct sign-in logs for all shared mailboxes in your M365 tenant at once.

Connect to Exchange Online PowerShell using the following cmdlet.

Connect-ExchangeOnline

Run the following cmdlets with the appropriate start and end dates (replace the MM/DD/YYYY placeholders) to retrieve the direct sign-ins of M365 shared mailboxes. The UserLoggedIn operation records Entra ID sign-in events in the unified audit log, so only mailboxes that were actually signed into appear in the output.

# Look up every shared mailbox, then search the unified audit log for direct sign-ins by its UPN
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
    Search-UnifiedAuditLog -UserIds $_.UserPrincipalName -Operations UserLoggedIn -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY
} | Format-Table

What is the purpose of direct sign-in to shared mailboxes in Exchange Online?

Enabling sign-in for a Microsoft 365 shared mailbox is generally discouraged, as it can lead to compliance and security issues. However, there are specific scenarios where enabling sign-in is acceptable:

  • Third-Party Application Integration: Certain third-party applications may need direct access to a shared mailbox. In such cases, enabling sign-in and assigning a license ensures the application functions correctly.
  • Automated Processes and Service Accounts: Some automated processes or service accounts may need direct access to a shared mailbox for tasks like processing incoming emails or system integrations.

Note: Allocate an EXO license to enable direct sign-in to a shared mailbox and regularly check M365 licensed shared mailboxes to manage assignments effectively.