How to Monitor Who Accessed a Shared Mailbox

Native Auditing vs. Netwrix Auditor for Exchange
{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Exchange
Native Auditing
Netwrix Auditor for Exchange
Steps
  1. To enable auditing for a specific mailbox, run the following command in Exchange Management Shell:

Set-Mailbox –Identity "TestUser" -AuditEnabled $true

  1. To audit all mailboxes, enter this:

$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} $UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

  1. To check which mailboxes have the mailbox audit enabled, run the following command:

Get-Mailbox | FL Name,AuditEnabled

  1. To retrieve the audit log entries, run the following command:

Search-MailboxAuditLog -Identity "TestUser" -LogonTypes Admin,Delegate -ShowDetails -StartDate 1/1/2014 -EndDate 12/31/

  1. To send the mailbox audit log entries to a specified mailbox, run the following command:

New-MailboxAuditLogSearch "smtp.server.name" -Mailboxes "TestUser","TestUser1" -LogonTypes Admin,Delegate -StartDate 1/1/2014 -EndDate 12/31/2014 –ShowDetails -StatusMailRecipients auditors@test.local

          Report Sample: 

Exchange Management Shell for monitoring who accessed a shared mailbox
  1. Run Netwrix Auditor → Navigate to "Reports" → Expand the "Exchange" section → Select "All Exchange Server Non-Owner Mailbox Access Events" → Click "View".
Netwrix Auditor Report for monitoring who accessed a shared mailbox
  1. To save the report, click the "Export" button → Choose a format from the dropdown menu → Click "Save".
Learn more about Netwrix Auditor for Exchange

Regularly Review Shared Mailbox Access to Avoid Loss or Leakage of Business-Critical Data

Shared mailboxes are a great way for a specific group of people to perform certain tasks from a common account; at the same time, however, they introduce a high risk of security incidents. Non-owners with privileged rights can access shared mailboxes, and there’s always a chance that they might improperly handle email with sensitive information. Whether accidentally or maliciously, a message could be deleted, sent to a wrong recipient, or moved to another location, any of which may result in data loss or leaks. In order to avoid security incidents, it is highly recommended that users regularly monitor non-owner access to shared mailboxes.

Related How-tos
How to Monitor User Logоns in a Domain How to Detect Who Granted Full Access Permissions to Another User’s Mailbox How to Export Members of a Particular AD Group How to Export Active Directory Objects to CSV How to Export Group Policy Settings in Minutes How to Track Who Deleted a File from Your Windows File Servers