Shared mailboxes often hold the messages you least want to expose. One stale delegate can open invoices, HR files, legal threads, or customer records without drawing attention.
That is why a shared mailbox permissions audit matters. You need to know who can read the mailbox, who can send as it, who can send on behalf, and which access no longer belongs there. The cleanest review uses the Exchange admin center, PowerShell, and audit logs together.
Table of contents
- Why shared mailbox permissions create exposure
- Audit who has Full Access, Send As, and Send on Behalf
- Review delegated access and permission history
- Spot over-permissioned mailboxes before they expose data
- What evidence to document for an audit trail
- FAQs
Why shared mailbox permissions create exposure
Shared mailboxes are useful because they centralize team communication. They become risky when teams treat them like open group inboxes instead of controlled data stores.

The three permission types sound similar, but they create different exposure paths. Use the table below to separate them during review.
| Permission | What it lets a user do | Main exposure risk | What to check |
|---|---|---|---|
| Full Access | Open, read, delete, and manage mailbox items | Broad data exposure | Direct users, groups, and stale former staff |
| Send As | Send mail that appears to come from the mailbox | Hidden sender and spoof-like impact | Recipient permissions and group-based access |
| Send on Behalf | Send mail that shows both names | Confusion and weaker accountability | GrantSendOnBehalfTo and delegate lists |
Full Access is the widest door. Send As hides the sender from the recipient: the message shows only the mailbox, and only mailbox audit logging records who actually sent it. Send on Behalf is easier to spot, but it still gives away trust. If a mailbox carries payroll, legal, or customer data, even one extra delegate matters.
Audit who has Full Access, Send As, and Send on Behalf
Use the Exchange admin center for a spot check. Use PowerShell when you need a repeatable shared mailbox permissions audit across many mailboxes.
- Open the Exchange admin center, then go to Recipients > Mailboxes > Shared and open Mailbox delegation. Capture the current names listed under Full Access, Send As, and Send on Behalf.
- Connect to Exchange Online with Connect-ExchangeOnline, then pull the current permissions. For Full Access, use Get-MailboxPermission. For Send As, use Get-RecipientPermission. For Send on Behalf, inspect the GrantSendOnBehalfTo property returned by Get-Mailbox.
- Filter out defaults such as NT AUTHORITY\SELF, inherited entries, and Deny entries. Otherwise, the results get noisy fast.
- Compare the export with your HR roster or owner list. Former employees, contractors, and test accounts should stand out right away.
- Repeat the same check for every mailbox that holds sensitive data, especially finance, HR, legal, executive support, and shared service desks.
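The procedure above as one repeatable script. This is an added example, not code from the original article: it exports Full Access, Send As, and Send on Behalf for every shared mailbox, drops the NT AUTHORITY\SELF, inherited, and Deny entries, and flags any grantee who is not on an HR roster. The admin account, the roster CSV (assumed to have a UserPrincipalName column), and the output path are placeholders.

```powershell
# Added example (not from the original article): export shared mailbox permissions and
# flag grantees missing from an HR roster. Admin UPN, roster file and output path are
# assumptions, not values from the page.
param(
    [string]$AdminUpn   = 'admin@contoso.example',   # placeholder admin account
    [string]$RosterPath = '.\hr-roster.csv',         # assumed column: UserPrincipalName
    [string]$OutPath    = ".\shared-mailbox-permissions-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Active UPNs from HR; anyone holding access who is not in here is a finding.
$roster = @{}
Import-Csv $RosterPath | ForEach-Object { $roster[$_.UserPrincipalName.ToLower()] = $true }

# Exchange returns grantees as UPNs, display names or canonical names depending on the
# cmdlet; normalise to a primary SMTP address so the roster comparison is consistent.
function Resolve-Smtp([string]$Identity) {
    try { (Get-Recipient -Identity $Identity -ErrorAction Stop).PrimarySmtpAddress.ToString() }
    catch { $Identity }   # keep the raw value so orphaned SIDs still appear in the export
}

$rows = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $id = $mbx.PrimarySmtpAddress.ToString()

    # Full Access: explicit Allow entries only; skip NT AUTHORITY\SELF and inherited ACEs.
    Get-MailboxPermission -Identity $id |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $id; Permission = 'FullAccess'; Grantee = (Resolve-Smtp $_.User) } }

    # Send As is a recipient permission, so it comes from a different cmdlet.
    Get-RecipientPermission -Identity $id |
        Where-Object { $_.AccessRights -contains 'SendAs' -and $_.AccessControlType -eq 'Allow' -and
                       -not $_.IsInherited -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $id; Permission = 'SendAs'; Grantee = (Resolve-Smtp $_.Trustee) } }

    # Send on Behalf is a property of the mailbox object itself.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $id; Permission = 'SendOnBehalf'; Grantee = (Resolve-Smtp $delegate.ToString()) }
    }
}

# Mark grantees that are not on the roster. Groups land here too: review their membership
# rather than dismissing them.
$rows | ForEach-Object {
    $_ | Add-Member -NotePropertyName OnRoster -NotePropertyValue $roster.ContainsKey($_.Grantee.ToLower()) -PassThru
} | Sort-Object Mailbox, Permission, Grantee | Export-Csv -Path $OutPath -NoTypeInformation

$flagged = @($rows | Where-Object { -not $_.OnRoster }).Count
"Exported $($rows.Count) entries to $OutPath; $flagged grantee(s) not on roster."
Disconnect-ExchangeOnline -Confirm:$false
```

The export is the artifact to keep for the evidence pack: one row per mailbox, permission type, and grantee, with the roster check already applied, so the same file can be diffed against the next review.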
A mailbox with three named AP clerks may be normal. A mailbox with those clerks plus managers and two former staff is not.
For one mailbox, the admin center is fine. For dozens, PowerShell is faster and gives you cleaner evidence to save.
Review delegated access and permission history
Current access tells only part of the story. Permission history shows who granted access, removed it, or changed it after a role move.
Microsoft’s shared mailbox audit log guide shows how to trace mailbox activity in Purview and PowerShell, and Microsoft’s mailbox auditing guide explains what mailbox auditing records in Exchange Online.
If you want a quick history check, search the unified audit log for permission changes over a date range. A query built around Search-UnifiedAuditLog, filtered to the add and remove permission operations (and to Set-Mailbox when it touched GrantSendOnBehalfTo), shows exactly when access changed, who changed it, and whether the change matched a ticket.
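The history query described above, as an added example that is not part of the original article. It assumes an existing Connect-ExchangeOnline session, a placeholder mailbox address, and a 90-day window; it flattens the JSON AuditData of each record into one reviewable row per change.

```powershell
# Added example (not from the original article): permission-change history for one
# shared mailbox from the unified audit log. Mailbox address and window are assumptions;
# an Exchange Online session is assumed to be connected already.
param(
    [string]$Mailbox = 'ap-invoices@contoso.example',   # placeholder
    [int]$Days = 90
)

$ops = 'Add-MailboxPermission', 'Remove-MailboxPermission',
       'Add-RecipientPermission', 'Remove-RecipientPermission',
       'Set-Mailbox'   # Send on Behalf changes are logged as Set-Mailbox with GrantSendOnBehalfTo

# ResultSize caps at 5000 per call; use -SessionCommand ReturnLargeSet to page past that.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -Operations $ops -ResultSize 5000

$rows = foreach ($r in $records) {
    # AuditData is a JSON blob; the cmdlet parameters sit in it as a Name/Value array.
    $d = $r.AuditData | ConvertFrom-Json
    $p = @{}
    foreach ($param in $d.Parameters) { $p[$param.Name] = $param.Value }

    # Keep only events that targeted the mailbox under review.
    if ($p['Identity'] -notlike "*$Mailbox*" -and $d.ObjectId -notlike "*$Mailbox*") { continue }
    # Set-Mailbox covers many settings; keep it only when it changed Send on Behalf.
    if ($d.Operation -eq 'Set-Mailbox' -and -not $p.ContainsKey('GrantSendOnBehalfTo')) { continue }

    [pscustomobject]@{
        When      = $d.CreationTime
        ChangedBy = $d.UserId          # the admin or process that made the change
        Operation = $d.Operation
        Target    = $p['Identity']
        Grantee   = @($p['User'], $p['Trustee'], $p['GrantSendOnBehalfTo'] | Where-Object { $_ })[0]
        Rights    = $p['AccessRights']
    }
}

$rows | Sort-Object When | Format-Table -AutoSize
$rows | Export-Csv -Path ".\permission-history-$($Mailbox -replace '[^\w]', '_').csv" -NoTypeInformation
```

Each row is the thing to match against a ticket: a grant with no ticket, or a grant made by an account that should not be administering mailboxes, is a finding even if the access was later removed.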
Also review delegated access through groups. A security group can hide a wide set of users behind one assignment. That can be fine, but only when the group itself has tight membership controls.
Spot over-permissioned mailboxes before they expose data
Over-permissioned mailboxes usually look ordinary at first glance. The problem shows up when the access list is longer than the business need.
Watch for these signals:
- Former employees or contractors still appear in Full Access, Send As, or Send on Behalf.
- A group grants access to a mailbox that only a few named users need.
- The mailbox has read access for many users, but no one can explain why.
- A sensitive mailbox is shared across departments without a clear owner.
Strip access down to named users or tightly controlled groups. Separate read rights from send rights unless both are needed. If the mailbox carries sensitive data, pair the cleanup with DLP, retention, and mailbox auditing.
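Applying the cleanup from a reviewed list, as an added example that is not code from the original article. It assumes a CSV of approved removals with Mailbox, Permission, Grantee, and Ticket columns (the same shape as a reviewed permissions export), runs in preview mode unless -Apply is given, and refuses any row with no ticket reference so every removal is traceable.

```powershell
# Added example (not from the original article): remove reviewed Full Access, Send As and
# Send on Behalf grants. The CSV layout and log path are assumptions.
param(
    [string]$ChangesPath = '.\approved-removals.csv',   # assumed columns: Mailbox, Permission, Grantee, Ticket
    [string]$LogPath     = '.\remediation-log.tsv',
    [switch]$Apply                                       # without -Apply every cmdlet runs with -WhatIf
)

$whatIf = -not $Apply

foreach ($c in Import-Csv $ChangesPath) {
    if (-not $c.Ticket) {
        Write-Warning "Skipping $($c.Grantee) on $($c.Mailbox): no ticket reference"
        continue
    }

    switch ($c.Permission) {
        'FullAccess'   { Remove-MailboxPermission   -Identity $c.Mailbox -User    $c.Grantee -AccessRights FullAccess -Confirm:$false -WhatIf:$whatIf }
        'SendAs'       { Remove-RecipientPermission -Identity $c.Mailbox -Trustee $c.Grantee -AccessRights SendAs    -Confirm:$false -WhatIf:$whatIf }
        'SendOnBehalf' { Set-Mailbox -Identity $c.Mailbox -GrantSendOnBehalfTo @{ Remove = $c.Grantee } -WhatIf:$whatIf }
        default        { Write-Warning "Unknown permission '$($c.Permission)' for $($c.Mailbox)"; continue }
    }

    # Record what was removed and under which ticket; this line pairs with the audit log entry.
    if ($Apply) {
        "{0}`t{1}`t{2}`t{3}`t{4}" -f (Get-Date -Format s), $c.Mailbox, $c.Permission, $c.Grantee, $c.Ticket |
            Add-Content -Path $LogPath
    }
}
```

Run it once without -Apply, read the WhatIf output against the approved list, then run it with -Apply. The resulting log plus the Remove-* audit log entries are the evidence that the cleanup happened as approved.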
If a review turns up broad access, stale delegates, or unclear ownership, Book a Discovery Call with Bud Consulting to map the cleanup and review process.
What evidence to document for an audit trail
Auditors care about proof, not memory. Keep a simple evidence pack for each mailbox so the next review does not start from zero.
A useful evidence set usually includes:
- The mailbox name and business owner
- A current export of Full Access, Send As, and Send on Behalf permissions
- Audit log entries for permission adds and removals
- The review date, reviewer name, and approval notes
- Remediation ticket numbers for removed access
Screenshots help, but exports are easier to sort and compare later. Teams that already track mailbox audit logging or Microsoft 365 access reviews can reuse the same format here.
A small, consistent evidence pack is better than a pile of random screenshots. It shows control, not just effort.
FAQs
What’s the difference between Full Access, Send As, and Send on Behalf?
Full Access lets a user open and manage the mailbox. Send As makes messages look like they came from the mailbox itself. Send on Behalf shows both the delegate and the mailbox name.
That difference matters during a review because each permission creates a different risk. Full Access is the broadest. Send As is the hardest to trace from the message itself, because only the audit log records which delegate sent it.
Can the Exchange admin center show everything I need?
It shows the current assignments, which is useful for spot checks. It does not give you a good history trail by itself.
For a quick review, the admin center works well. For exports, bulk checks, and evidence, PowerShell is the better path.
How do I find who changed mailbox permissions?
Use the Microsoft Purview audit log or Search-UnifiedAuditLog with permission-related events. Look for changes such as Add-MailboxPermission, Remove-MailboxPermission, Add-RecipientPermission, and Remove-RecipientPermission. Send on Behalf changes appear as Set-Mailbox events with the GrantSendOnBehalfTo parameter.
That history helps you tie the change to a ticket, a request, or an exception. If there is no match, treat it as a finding.
How often should I audit shared mailbox permissions?
Sensitive mailboxes should get reviewed on a regular schedule, often monthly or quarterly. Mailboxes tied to finance, HR, legal, or executive work deserve closer attention.
Also rerun the review after role changes, departures, or any incident that touches access.
Conclusion
Shared mailboxes become risky when nobody can explain who has access or why. A solid review starts with current permissions, then checks permission history, then removes access that no longer fits the business need.
Keep the evidence pack small, current, and easy to repeat. That makes the next shared mailbox permissions audit faster, and it closes the gap before an old delegate turns into a data exposure problem.