Shared mailboxes in Microsoft 365 let teams collaborate efficiently, such as when handling customer inquiries from your company’s support team. However, without tight access controls, such as shared mailbox security groups and monitoring, they risk data leaks or misuse.
This guide can help you secure critical mailbox resources by using audit logging and DLP policies to track activity and block data exfiltration.
Add security groups to shared mailboxes in Office 365
Assigning security groups to shared mailboxes streamlines access management and enhances accountability.
📌Use case: Adding security groups can help avoid manual user-by-user permission updates, make auditing access easier since permissions are group-based, and provide consistent control across mailboxes that handle sensitive data.
📌Prerequisites: Before proceeding, ensure you have the following:
- Licensing for Microsoft 365 E3/E5 for advanced features like audit logging for shared mailboxes and DLP
- Administrator roles like global administrator, compliance admin, or Exchange admin permission
- Tools such as ExchangeOnlineManagement and Microsoft.Graph modules for PowerShell, as well as device management software for hybrid-join or Intune enrollment.
We recommend checking ⚠️ Things to look out for before proceeding.
📌 Deployment strategies:
Method 1: Enable audit logging for shared mailboxes (via PowerShell)
Audit logging tracks user actions in shared mailboxes, providing essential visibility into activity.
📌 Use case: This is ideal if your license lacks default auditing ability, you need targeted control over logged actions, and enterprise compliance requires detailed audit logs for shared mailboxes.
Step-by-step procedure:
- Open PowerShell (Admin) or Windows Terminal (press Win + X).
- Run the following scripts:
- Run this script to connect to Exchange Online:
Connect-ExchangeOnline -UserPrincipalName [email protected]
💡 Note: This uses modern authentication and works in Windows 10/11.
- Enable Mailbox Auditing:
Set-Mailbox "[email protected]" -AuditEnabled $true
- Configure key actions:
Set-Mailbox "[email protected]" -AuditDelegate SendOnBehalf, SendAs, Create, SoftDelete, HardDelete, Update, MoveToDeletedItems
💡 Tip: Focus on high-risk actions like deletions or sends.
- View recent activity:
Search-MailboxAuditLog -Identity "[email protected]" -ShowDetails -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
💡 Tip: For modern environments, use Search-UnifiedAuditLog instead.
After enabling, Office 365 will record specified actions (e.g., emails moved to Deleted Items).
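The PowerShell procedure above, carried out across every shared mailbox rather than one, as an added example that is not part of the original guide: it enables auditing with the same delegate actions, verifies nothing was missed, and then pulls delegate SendAs/HardDelete activity from the unified audit log that the tip recommends. It assumes Connect-ExchangeOnline has already been run by an Exchange admin.

```powershell
# Added example, not from the original guide. Assumes Connect-ExchangeOnline has
# already been run by an Exchange admin.
$actions = @('SendOnBehalf','SendAs','Create','SoftDelete','HardDelete','Update','MoveToDeletedItems')

# 1. Turn on auditing for every shared mailbox with the delegate actions above
$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
foreach ($mbx in $shared) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditDelegate $actions
}

# 2. Verify: any shared mailbox still reporting AuditEnabled = False needs attention
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress

# 3. Pull the last 7 days of SendAs / HardDelete records from the unified audit log
#    (one call returns at most 5000 records; use -SessionCommand ReturnLargeSet to page)
$sharedUpns = $shared | ForEach-Object { "$($_.PrimarySmtpAddress)" }
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations SendAs, HardDelete -ResultSize 5000

# 4. Keep only delegate actions against shared mailboxes (actor is not the mailbox owner)
$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    if ($d.MailboxOwnerUPN -in $sharedUpns -and $d.UserId -ne $d.MailboxOwnerUPN) {
        [pscustomobject]@{
            When      = $_.CreationDate
            Operation = $_.Operations
            Actor     = $d.UserId
            Mailbox   = $d.MailboxOwnerUPN
            ClientIP  = $d.ClientIPAddress
        }
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```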
Method 2: Enable unified audit logging via Microsoft Purview
Unified audit logging provides tenant-wide visibility into Office 365 shared mailbox activities, simplifying compliance and threat detection.
📌 Use case: Ideal when you need centralized monitoring across all mailboxes, when auditing is disabled by default, and when you need to investigate incidents such as a suspicious SendAs or deletions that require broad context.
Step-by-step procedure:
- Access Microsoft Purview:
- Go to compliance.microsoft.com > Solutions > Audit. This can be done on any Windows 11 browser (e.g., Edge, Chrome).
- Enable Logging (if disabled).
- If prompted, click Start recording user and admin activity.
💡 Note: This can take around 60 minutes to activate.
- Search Activities:
- In Operations, select SendAs, SendOnBehalf, SoftDelete, or HardDelete.
- For Users, enter the delegate usernames (not the shared mailbox).
- In Date Range, filter for specific incidents.
- Export Logs:
- Click Export results for compliance reports or deeper analysis.
Once enabled, you can audit Office 365 shared mailbox activity directly from Purview. Use the logs to check shared mailbox activity during breach investigations or compliance audits.
Method 3: Apply DLP policies to shared mailboxes
Data Loss Prevention (DLP) blocks sensitive data from leaving your Office 365 shared mailbox, such as customer credit card numbers or employee records.
📌 Use case: Deploy DLP when shared mailboxes handle regulated data, you need automated blocking of accidental leaks, and compliance requires proof of protection.
⚠️ Important: Shared mailboxes require Exchange Online Plan 2 (via E3/E5) licensing for DLP. Basic mailboxes won’t enforce policies.
Step-by-step procedure:
- Create a policy:
- Go to Purview Portal > Data Loss Prevention > Policies > Create Policy.
- Select a template:
- Choose Financial or PII, or build a custom policy.
- Target locations:
- Enable Exchange email.
- Under Advanced settings, add specific shared mailboxes.
- 💡 Tip: Avoid applying to all mailboxes, and focus on high-risk shared boxes.
- Define the rules:
- Conditions: Add sensitive types (e.g., credit card numbers).
- Actions: Block messages, notify admins, or allow user overrides.
- User alerts: Enable policy tips to educate senders.
- Deploy and monitor:
- Activate the policy and track matches under DLP > Policy Matches.
After deploying the policies, users get policy tips warning them when they attempt to send restricted data. Blocked emails also trigger alerts in Purview’s Policy Matches report.
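The same policy built from PowerShell instead of the portal, as an added example that is not part of the original guide: it scopes the policy to named shared mailboxes only, starts it in test mode (the reversal the "Things to look out for" table recommends for over-blocking) and switches to enforcement once matches have been reviewed. It uses the Security & Compliance cmdlets in the ExchangeOnlineManagement module; the admin, mailbox and security-team addresses are placeholders.

```powershell
# Added example, not from the original guide. Uses the Security & Compliance
# PowerShell cmdlets (ExchangeOnlineManagement module). Addresses are placeholders.
Connect-IPPSSession -UserPrincipalName 'admin@example.com'

$policyName      = 'Shared Mailbox Card Data Guard'
$scopedMailboxes = @('support@example.com', 'billing@example.com')   # placeholder shared mailboxes

# Policy scoped to the named shared mailboxes only (not every Exchange mailbox),
# started in test mode so matches are reported but nothing is blocked yet
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation $scopedMailboxes `
    -Mode TestWithNotifications `
    -Comment 'Stops payment card numbers leaving shared mailboxes'

# Rule: credit card numbers sent outside the organization are blocked, the sender
# sees a policy tip, and an incident report goes to the security mailbox
New-DlpComplianceRule -Name 'Block external card numbers' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'Payment card data cannot be sent externally from this mailbox.' `
    -GenerateIncidentReport 'secops@example.com'

# Review matches in Purview (DLP > Policy Matches) while in test mode, then enforce
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```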
Method 4: Configure mailbox permissions and access restrictions
Tightly controlling who can access and send from your Office 365 shared mailbox prevents insider threats and accidental leaks.
📌Use case: Apply this when employees change roles and their access is outdated, when audits reveal excessive permissions, or when security incidents occur.
Step-by-step procedure:
- Open PowerShell (Admin) or Windows Terminal (Win + X).
- Run these scripts:
- Remove excessive permissions:
- Script to revoke full access:
Remove-MailboxPermission -Identity "[email protected]" -User "[email protected]" -AccessRights FullAccess
- Script to revoke Send-As rights:
Remove-RecipientPermission -Identity "[email protected]" -Trustee "[email protected]" -AccessRights SendAs
- Audit current access:
- Script to check full access delegates:
Get-MailboxPermission -Identity "[email protected]" | Where-Object {$_.AccessRights -contains "FullAccess"}
- Script to check Send-As permissions:
Get-RecipientPermission -Identity "[email protected]"
After executing these scripts, unauthorized users lose access immediately. Run the audit scripts regularly to keep each user’s privileges appropriate.
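The audit-and-revoke procedure above, extended to every shared mailbox and tied back to the security-group approach this guide opens with, as an added example that is not part of the original guide: it inventories every explicit FullAccess and SendAs grant, flags the ones not made through the approved group, and for one mailbox grants access via the group before revoking the per-user grants. Connect-ExchangeOnline is assumed to have run; the group name, target mailbox and CSV path are placeholders.

```powershell
# Added example, not from the original guide. Assumes Connect-ExchangeOnline has run.
# The group name, target mailbox and CSV path below are placeholders.
$approvedGroup = 'SG-SharedMailbox-Support'      # mail-enabled security group (placeholder)
$builtIns      = '^(NT AUTHORITY|S-1-5-)'        # system principals to ignore

# 1. Inventory every explicit FullAccess and SendAs grant on shared mailboxes
$grants = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and "$($_.User)" -notmatch $builtIns } |
        ForEach-Object { [pscustomobject]@{ Mailbox = "$($mbx.PrimarySmtpAddress)"; Right = 'FullAccess'; Principal = "$($_.User)" } }
    Get-RecipientPermission -Identity $mbx.Identity -AccessRights SendAs |
        Where-Object { "$($_.Trustee)" -notmatch $builtIns } |
        ForEach-Object { [pscustomobject]@{ Mailbox = "$($mbx.PrimarySmtpAddress)"; Right = 'SendAs'; Principal = "$($_.Trustee)" } }
}

# 2. Anything not granted through the approved group is a per-user grant to review
#    (Exchange may report the group by name or UPN, so match on either)
$direct = $grants | Where-Object { $_.Principal -notlike "*$approvedGroup*" }
$direct | Export-Csv -Path '.\shared-mailbox-direct-grants.csv' -NoTypeInformation
$direct | Format-Table -AutoSize

# 3. Reconcile one mailbox: grant via the group (no Outlook auto-mapping), then revoke
#    the direct user grants. -WhatIf previews the removals; drop it to apply.
$target = 'support@example.com'
Add-MailboxPermission   -Identity $target -User $approvedGroup -AccessRights FullAccess -AutoMapping $false
Add-RecipientPermission -Identity $target -Trustee $approvedGroup -AccessRights SendAs -Confirm:$false
foreach ($g in ($direct | Where-Object { $_.Mailbox -eq $target })) {
    if ($g.Right -eq 'FullAccess') {
        Remove-MailboxPermission -Identity $target -User $g.Principal -AccessRights FullAccess -Confirm:$false -WhatIf
    } else {
        Remove-RecipientPermission -Identity $target -Trustee $g.Principal -AccessRights SendAs -Confirm:$false -WhatIf
    }
}
```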
Supporting method 1: Use Registry and GPO to enforce local access policy
While cloud tools secure Office 365 shared mailboxes, endpoint controls prevent data leaks through Outlook on Windows 11 devices.
📌 Use case: Apply this procedure when users access shared mailboxes on unmanaged devices, when preventing PST exports or auto-archiving is critical for compliance, and when you need defense against local data exfiltration.
⚠️ Important: This method does not replace cloud auditing and DLP, but it prevents unauthorized local mail profile usage and adds critical endpoint hardening.
Step-by-step procedures:
(a) Disable PST Operations (Registry)
- Open Registry Editor (Win + R, then type regedit).
- Navigate to this address: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Preferences
- Create two DWORD values:
- Create DisablePST, then set its Value data to 1.
- This blocks PST creation.
- Create DisablePSTExport, then set its Value data to 1.
- This blocks email exports to PST.
(b) Block Auto-Archiving (Group Policy)
- Open Group Policy Management Editor (gpedit.msc).
- Go to User Configuration > Administrative Templates > Microsoft Outlook 2016+ > Outlook Options > Other.
- Enable the following:
- Prevent users from adding new PSTs
- Disable AutoArchive
After deployment, users can no longer export emails from shared mailboxes to PST files or auto-archive them, so the data stays in Office 365 where it remains auditable. This also reduces the risk of “shadow copies” outside Microsoft Purview’s DLP scope.
Supporting Method 2: Use CMD and AuditPol for local activity logging
Supplement cloud auditing by tracking Outlook file access and PST handling on Windows 11 endpoints.
📌 Use case: Deploy when you need to investigate suspicious local data exports, adhere to compliance that requires endpoint-level activity tracking, and need more visibility on offline actions outside the cloud.
Step-by-step procedure:
- Open Command Prompt (Admin).
- Run these command lines:
:: Enable handle/file system tracking
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
- Monitor events in Event Viewer (press Win + R, then type eventvwr.msc).
- Go to Windows Logs > Security.
- Filter for:
- Event ID 4663 (File access attempts).
- Event ID 4656 (Handle creation).
After implementation, PST/OST access attempts are recorded in the Security log. During investigations, correlate their timestamps with Office 365 shared mailbox audit events to detect unauthorized data exports.
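The endpoint logging procedure above in PowerShell, as an added example that is not part of the original guide. Events 4656 and 4663 are only generated for files that carry an audit entry (SACL), so the example enables the two subcategories, adds a SACL to Outlook's default PST and OST folders (assumed locations), and then pulls the resulting PST/OST access events the way the Event Viewer filter would. Run it in an elevated PowerShell on the endpoint.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell on the
# endpoint. Folder paths are Outlook's default data-file locations (assumptions).
# 1. Enable the audit subcategories the guide names
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

# 2. Events 4656/4663 are only generated for objects that carry an audit entry (SACL),
#    so add one to the folders that hold PST and OST files
$dataFolders = @(
    (Join-Path $env:USERPROFILE 'Documents\Outlook Files'),   # PST default
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook')         # OST default
)
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData,WriteData,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
foreach ($folder in ($dataFolders | Where-Object { Test-Path $_ })) {
    $acl = Get-Acl -Path $folder -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $folder -AclObject $acl
}

# 3. Pull the last 24 hours of 4663 events and keep only PST/OST objects
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $fields = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    if ($fields.ObjectName -match '\.(pst|ost)$') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = '{0}\{1}' -f $fields.SubjectDomainName, $fields.SubjectUserName
            File    = $fields.ObjectName
            Access  = $fields.AccessMask
            Process = $fields.ProcessName
        }
    }
} | Format-Table -AutoSize
```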
⚠️ Things to look out for
This section highlights potential challenges to keep in mind while following this guide.
| Risks | Potential Consequences | Reversals |
|---|---|---|
| 1. Overwriting Default Auditing | Accidental loss of critical events like UpdateInboxRules or FolderBind | Run: reapply only essential actions. |
| 2. Purview GUID Search Failures | Missed shared mailbox events due to incorrect GUID | Verify GUID first: search with the -FreeText parameter. |
| 3. DLP Over-Blocking | Legitimate emails blocked; business disruption | Switch policy to Test Mode: Purview > DLP > Edit policy > “Test without blocking”. |
| 4. Excessive Permission Removal | Entire teams lose access to the shared mailbox. | Restore access immediately: |
| 5. Broken Outlook via Registry | Outlook crashes or fails to launch. | Revert registry keys: set DisablePST and DisablePSTExport to 0, or delete the values. |
| 6. Security Log Overload | Critical events buried in noise; storage exhaustion | Refine auditing: increase log size in Event Viewer. |
Troubleshooting shared mailbox security groups
Resolve common issues quickly when securing Office 365 shared mailboxes with these targeted fixes.
Audit logs not generated
If shared mailbox audit events aren’t appearing in Office 365:
- Verify auditing is enabled:
Get-Mailbox "[email protected]" | Select AuditEnabled
If False, run Set-Mailbox -AuditEnabled $true.
- Confirm licensing:
- E1/E3 users: Enable tenant-wide auditing via Purview.
- Business licenses: Manual mailbox auditing required (not enabled by default).
DLP policy not applying
When policies ignore sensitive data, check the scoping under Purview > DLP policy to ensure the specific shared mailboxes are added under Advanced Settings. You should also adjust confidence levels by editing the rule and increasing “Match accuracy” to reduce false negatives.
Another important note is to make sure that you have the proper licensing (Exchange Online Plan 2).
Key considerations when securing your shared mailboxes
Fortify Office 365 shared mailbox security with these non-negotiable layers of protection.
Enforce multi-factor authentication (MFA)
Require MFA for every user accessing shared mailboxes—no exceptions. This blocks 99.9% of credential theft attacks. Go to Azure AD > Security > MFA > Enable per-user or Conditional Access policy. You can also use Windows Hello or the Authenticator app for frictionless access.
Block legacy authentication and app passwords
Disable outdated protocols (POP3/IMAP) that bypass MFA and expose shared mailboxes:
- Go to Azure AD, then select Security > Conditional Access > New Policy:
- Conditions: Client apps = select Exchange ActiveSync, IMAP, etc.
- Access controls: Block access.
- Revoke existing app passwords:
- In PowerShell (Admin), run this script:
Set-MsolUser -UserPrincipalName [email protected] -AppPasswordsEnabled $false
Implement conditional access controls
Restrict access by IP, location, or device compliance. For example, configure your policy to allow access only from hybrid-joined or Intune-compliant Windows 11 devices and corporate IP ranges. This blocks risky logins from unfamiliar locations or personal devices.
Add mail flow rules for alerting/encryption
Automatically flag or encrypt sensitive emails from shared addresses via Exchange Admin Center > Mail flow > Rules, then set Condition to Sender = [email protected] + keywords like “confidential”. You should also set Action to notify admins or encrypt with Office 365 message encryption.
You can also pair this with a DLP policy that triggers rules when sensitive data is detected.
How can NinjaOne help secure shared mailboxes?
Streamline protection for Office 365 shared mailboxes with these key integrations:
| Features | How it helps |
|---|---|
| Automate scripts | Deploy PowerShell at scale to enable audit logging, revoke permissions, and add security groups to shared mailboxes. |
| Block PST Risks | Enforce registry/GPO policies to disable PST creation/exports and override user tampering. |
| Monitor Anomalies | Detect suspicious activity like unusual shared mailbox access times and PST exports from unauthorized devices. |
| Alert and Report | Flag violations instantly, such as DLP bypass attempts and permission changes to sensitive mailboxes. |
| Sync with Intune | Enhance endpoint compliance via real-time device checks before mailbox access and auto-remediate non-compliant systems. |
Secure Shared Mailboxes with Security Groups
Locking down shared mailbox security groups prevents costly breaches, like customer data leaks from your support@company inbox. This guide armed you with audit logging (PowerShell/Purview), DLP policies, and least-privilege access controls to track who did what and block sensitive data exfiltration.
By implementing these layers, from cloud to endpoint, you transform risky shared mailboxes into compliant, auditable assets.