This article explains how to investigate shared mailbox activity by using the Microsoft Purview audit log and Exchange Online PowerShell. It describes practical search patterns and remediation steps to find deletions, sent-as activity, folder browsing, mailbox rule and forwarding changes, and other delegate actions.
Use these methods to investigate:
- Email deletions from shared mailboxes
- Who sent emails from shared mailboxes
- Delegate access activities
- Email moves between folders
- Forwarding and rule configurations
- Missing emails in shared mailboxes
Before you begin
To investigate shared mailbox activities, you need:
- The Audit Logs role assigned in Microsoft Purview
- A connection to Exchange Online PowerShell, established by using Connect-ExchangeOnline
How to investigate shared mailbox activities
Use these methods to investigate activities in shared mailboxes. Choose the method based on the type of activity you're investigating.
Search for deleted emails in shared mailboxes
To search for audit records of email deletions from a shared mailbox, run the following command:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -FreeText <shared-mailbox@domain.com> -Operations SoftDelete,HardDelete,MoveToDeletedItems -ResultSize 500
This command searches for:
- SoftDelete: Items moved to Deleted Items folder.
- HardDelete: Items permanently removed from mailbox.
- MoveToDeletedItems: Items moved to Deleted Items by user action.
Search for emails sent from shared mailboxes
To identify who sent emails from a shared mailbox using delegate permissions, run the following command:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <user1,user2> -FreeText <shared-mailbox@domain.com> -Operations SendAs -ResultSize 500
Search for email moves between folders
To search for move operations in a shared mailbox, run the following command:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <user1,user2> -FreeText <shared-mailbox@domain.com> -Operations Move,MoveToDeletedItems -ResultSize 300
Monitor delegate folder access (FolderBind)
To track when delegates browse specific folders in shared mailboxes, use the following steps:
Check FolderBind configuration:
Get-Mailbox <shared-mailbox@domain.com> | Select AuditDelegate | Where-Object {$_.AuditDelegate -contains "FolderBind"}
Enable FolderBind auditing:
Set-Mailbox <shared-mailbox@domain.com> -AuditDelegate @{Add="FolderBind"}
Search for folder browsing activities:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -FreeText <shared-mailbox@domain.com> -Operations FolderBind -ResultSize 500
Important
FolderBind tracks delegate and admin folder access only. It doesn't log shared mailbox owners browsing folders. Enable it proactively for compliance and security monitoring.
Common use cases:
- Monitor access to confidential folders in executive shared mailboxes
- Compliance audit trails for regulatory requirements
- Security investigations of unauthorized folder browsing
- Delegate behavior analysis for governance
Investigate delegate access activities
To identify users with delegate permissions to a shared mailbox, run the following command:
Get-MailboxPermission <shared-mailbox@domain.com> | Where-Object {$_.AccessRights -eq "FullAccess"}
To search for activities performed by a specific delegate, run the following command:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <delegate@domain.com> -ResultSize 500
Important
Use -UserIds to find activities performed BY a specific delegate user. Don't use -UserIds with the shared mailbox address, because that search doesn't return delegate activities performed IN the shared mailbox. For activities performed in the shared mailbox by any user (including delegates), use the -FreeText parameter as shown in other sections.
Monitor email access activities
To search for email access activities in shared mailboxes, run the following command:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <user1,user2> -FreeText <shared-mailbox@domain.com> -Operations MailItemsAccessed -ResultSize 200
Note
This command requires Microsoft 365 E5 licensing to capture MailItemsAccessed operations.
Search for email forwarding configuration
To find who configured email forwarding on a shared mailbox, run the following command:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <user1,user2> -FreeText <shared-mailbox@domain.com> -Operations Set-Mailbox -ResultSize 200
Search for mailbox rule modifications
To search for inbox rule creation or modification activities, run the following command:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -FreeText <shared-mailbox@domain.com> -Operations New-InboxRule,Set-InboxRule -ResultSize 100
Tip
For comprehensive mailbox rule investigation, see Identify who modified mailbox rules for detailed guidance on identifying who created, modified, or deleted mailbox rules that might be affecting email delivery.
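The forwarding and rule searches above return each change as a JSON string in the AuditData property, so the setting that was changed is not visible in the default output. The following added example (not part of the original article) expands the Parameters array of each record and flags forwarding targets outside the tenant's accepted domains; the watched parameter list and the External column are assumptions made for this illustration.

```powershell
# Added example (not from the original article). Assumes an active
# Connect-ExchangeOnline session; the mailbox address is a placeholder.
$Mailbox = 'shared-mailbox@domain.com'

# Cmdlet parameters that redirect, copy, or hide mail (illustrative selection)
$watch = 'ForwardingSmtpAddress','ForwardingAddress','DeliverToMailboxAndForward',
         'ForwardTo','ForwardAsAttachmentTo','RedirectTo','DeleteMessage','MoveToFolder'

# Domains the organization owns, as plain strings for comparison
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }

$search = @{
    StartDate  = '01/06/2020'
    EndDate    = '01/20/2020'
    FreeText   = $Mailbox
    Operations = 'Set-Mailbox','New-InboxRule','Set-InboxRule'
    ResultSize = 5000
}

Search-UnifiedAuditLog @search | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    # Each cmdlet argument is a Name/Value pair in the Parameters array
    foreach ($p in @($d.Parameters | Where-Object { $_.Name -in $watch -and $_.Value })) {
        # Collect the domain part of any SMTP address in the value
        $domains = [regex]::Matches([string]$p.Value, '@([A-Za-z0-9.-]+)') |
            ForEach-Object { $_.Groups[1].Value }
        [pscustomobject]@{
            TimeUtc   = $d.CreationTime
            Actor     = $d.UserId
            Operation = $d.Operation
            Target    = $d.ObjectId
            Parameter = $p.Name
            Value     = $p.Value
            # True when at least one address is outside the accepted domains
            External  = [bool]($domains | Where-Object { $_ -notin $internal })
        }
    }
} | Sort-Object TimeUtc | Format-Table -AutoSize -Wrap
```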
What to do when searches return no results
If your audit log searches don't find shared mailbox activity records, try these steps to verify the auditing configuration.
- Check if auditing is enabled at the organization level.
Get-OrganizationConfig | Select AuditDisabled
- Check if auditing is enabled for the specific shared mailbox.
Get-Mailbox <shared-mailbox@domain.com> | Select AuditEnabled
- Enable auditing if it's disabled.
Set-OrganizationConfig -AuditDisabled $false
Set-Mailbox <shared-mailbox@domain.com> -AuditEnabled $true
Advanced procedures
The following procedures show how to export audit results and apply common shared mailbox fixes:
To enable sent items copying to shared mailbox (so sent emails appear in shared mailbox Sent Items), run the following command:
Set-Mailbox <shared-mailbox@domain.com> -MessageCopyForSentAsEnabled $true
To remove email forwarding from a shared mailbox, run the following command:
Set-Mailbox <shared-mailbox@domain.com> -ForwardingSmtpAddress $null
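To export audit results for review, the following added example (not part of the original article) pages through the deletion and SendAs records for a shared mailbox, expands AuditData, and writes one row per record to CSV. The output path and session name are hypothetical; the AuditData field names follow the Exchange mailbox audit record schema.

```powershell
# Added example (not from the original article). Assumes an active
# Connect-ExchangeOnline session; replace the placeholder values below.
$Mailbox = 'shared-mailbox@domain.com'        # placeholder address
$OutFile = '.\shared-mailbox-audit.csv'       # hypothetical output path

$search = @{
    StartDate      = '01/06/2020'
    EndDate        = '01/20/2020'
    FreeText       = $Mailbox
    Operations     = 'SoftDelete','HardDelete','MoveToDeletedItems','SendAs'
    SessionId      = "SharedMbx-$(Get-Date -Format yyyyMMddHHmmss)"
    SessionCommand = 'ReturnLargeSet'
    ResultSize     = 5000
}

# With ReturnLargeSet, repeated calls that reuse the same SessionId return
# successive pages; an empty page means the result set is exhausted.
$records = @()
do {
    $page = @(Search-UnifiedAuditLog @search)
    $records += $page
} while ($page.Count -gt 0)

# LogonType values used in mailbox audit records
$logonTypes = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate' }

$records | Sort-Object Identity -Unique | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId
        Mailbox   = $d.MailboxOwnerUPN
        LogonType = if ($null -ne $d.LogonType) { $logonTypes[[int]$d.LogonType] }
        ClientIP  = $d.ClientIPAddress
        Folder    = $d.Folder.Path
        # Deletions and moves list AffectedItems; SendAs carries a single Item
        Subjects  = (@($d.AffectedItems.Subject) + $d.Item.Subject |
                        Where-Object { $_ }) -join ' | '
    }
} | Sort-Object TimeUtc |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Because -FreeText is a text match, check the Mailbox column to confirm that each exported row belongs to the shared mailbox under investigation.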
Quick reference
Common audit operations for shared mailboxes
| Operation | Description | Investigation Focus |
|---|---|---|
| Create | Emails created or sent | Email creation activities |
| FolderBind | Delegate folder access/browsing | Monitor who accessed specific folders |
| HardDelete | Items permanently deleted | Permanent deletions from shared mailbox |
| MailItemsAccessed | Mailbox items accessed | Email access tracking (E5 required) |
| Move | Items moved between folders | Folder organization changes |
| New-InboxRule | Inbox rules created | Rule creation investigation |
| SendAs | Emails sent using delegate permissions | Identify who sent from shared mailbox |
| Set-Mailbox | Mailbox settings modified | Forwarding and configuration changes |
| SoftDelete | Items moved to Deleted Items folder | User deletions from shared mailbox |
Key search parameters
| Parameter | Description | Example |
|---|---|---|
| -FreeText | Activities performed in a specific mailbox | <shared-mailbox@domain.com> |
| -Operations | Filter by operation type | SoftDelete,HardDelete,SendAs |
| -ResultSize | Limit results (max 5000) | 500 (standard), 1000 (comprehensive) |
| -StartDate/-EndDate | Define investigation timeframe | 01/06/2020, 01/20/2020 |
| -UserIds | Activities performed by a specific user | <delegate@domain.com> |
Important
Replace <shared-mailbox@domain.com> and <delegate@domain.com> with actual email addresses before running commands.