Entra / Microsoft 365 · Exchange Online

Check shared mailboxes

Check if people are signing into shared mailboxes. If they are, check if the accounts for the mailboxes are licensed for Exchange Online (Plan 1 or Plan 2).

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

# Sign in to Microsoft Graph with the two read-only delegated scopes the script uses:
# AuditLog.Read.All for the sign-in log query and User.Read.All for reading user accounts.
Connect-MgGraph -NoWelcome -Scopes @("AuditLog.Read.All", "User.Read.All")

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

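# Reports shared mailboxes whose accounts have successful sign-in records and, for
# those mailboxes, whether the account holds an enabled Exchange Online (Plan 1 or
# Plan 2) service plan. Results are shown in a grid view; nothing is modified.
Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All" -NoWelcome

# This only checks whether the ExchangeOnlineManagement module is loaded in the
# session, not whether a live Exchange Online connection exists.
$Modules = Get-Module | Select-Object -ExpandProperty Name
If ('ExchangeOnlineManagement' -notin $Modules) {
    Write-Output "Connecting to Exchange Online..."
    Connect-ExchangeOnline -SkipLoadingCmdletHelp
}

Write-Output "Finding shared mailboxes..."
# [array] keeps .Count reliable when exactly one shared mailbox is returned.
[array]$Mbx = Get-ExoMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | Sort-Object DisplayName
If ($Mbx) {
    Write-Output ("{0} shared mailboxes found" -f $Mbx.Count)
} Else {
    Write-Output "No shared mailboxes found"
    # Return rather than Break: Break outside a loop can unwind into a caller's loop
    # or terminate the calling script instead of just ending this one.
    Return
}

# Define the service plan IDs for Exchange Online (Plan 1) and Exchange Online (Plan 2)
$ExoServicePlan1 = "9aaf7827-d63c-4b61-89c3-182f06f82e5c"
$ExoServicePlan2 = "efb87545-963c-4e0d-99df-69c6916d9eb0"

$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($M in $Mbx) {
    # Reset per-mailbox state so values never leak from the previous iteration.
    $ExoPlan1Found = $false; $ExoPlan2Found = $false; $LogsFound = "No"; $AccountEnabled = $null
    Write-Output ("Checking sign-in records for {0}" -f $M.DisplayName)
    $UserId = $M.ExternalDirectoryObjectId

    # Error code 0 marks a successful sign-in. The comparison must be "eq 0": with
    # "ne 0" the query returns failed attempts, which would then be reported below
    # as successful sign-ins. -Top 1 is enough because only existence matters.
    # NOTE(review): this query is understood to cover interactive user sign-ins only,
    # and only within the tenant's sign-in log retention period - confirm for your tenant.
    [array]$Logs = Get-MgAuditLogSignIn -Filter "userid eq '$UserId' and Status/ErrorCode eq 0" -Top 1
    If ($Logs) {
        $LogsFound = "Yes"
        Write-Host ("Successful sign-in records found for shared mailbox {0}" -f $M.DisplayName) -ForegroundColor Red

        # Check if the shared mailbox is licensed
        $User = Get-MgUser -UserId $M.ExternalDirectoryObjectId -Property UserPrincipalName, AccountEnabled, Id, DisplayName, assignedPlans
        # Surface whether the account still allows sign-in; an enabled shared-mailbox
        # account with successful sign-ins is the finding to follow up on.
        $AccountEnabled = $User.AccountEnabled
        [array]$ExoPlans = $User.AssignedPlans | Where-Object {$_.Service -eq 'exchange' -and $_.capabilityStatus -eq 'Enabled'}

        # Evaluate each plan independently so an account holding both plans is
        # reported accurately in both columns.
        $ExoPlan1Found = $ExoServicePlan1 -in $ExoPlans.ServicePlanId
        $ExoPlan2Found = $ExoServicePlan2 -in $ExoPlans.ServicePlanId

        If ($ExoPlan1Found -eq $true) {
            Write-Output ("Shared mailbox {0} has Exchange Online (Plan 1) license" -f $M.DisplayName)
        } ElseIf ($ExoPlan2Found -eq $true) {
            Write-Output ("Shared mailbox {0} has Exchange Online (Plan 2) license" -f $M.DisplayName)
        } Else {
            Write-Host ("Shared mailbox {0} has no Exchange Online license" -f $M.DisplayName) -ForegroundColor Yellow
        }
    }

    # 'Account Enabled' stays empty for mailboxes with no sign-in record, because the
    # user object is only fetched when a sign-in was found.
    $ReportLine = [PSCustomObject] @{
        DisplayName               = $M.DisplayName
        ExternalDirectoryObjectId = $M.ExternalDirectoryObjectId
        'Sign in Record Found'    = $LogsFound
        'Account Enabled'         = $AccountEnabled
        'Exchange Online Plan 1'  = $ExoPlan1Found
        'Exchange Online Plan 2'  = $ExoPlan2Found
    }
    $Report.Add($ReportLine)
}

$Report | Out-GridView -Title "Shared Mailbox Sign-In Records and Licensing Status"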
Attribution