Find Account That Sent Emails From Shared Mailbox using PowerShell

In a world where email is one of our main methods of business communication, the ability to send email as a “generic user” or shared mailbox lets us hide behind a proxy when needed. While this is great in most cases, sometimes we need to know which person is actually sending email as the shared mailbox. Today we’re going to go over how to find the account that sent emails from a shared mailbox.

Requirements

In order to have successful results, you will need the following.

  • Exchange Administrator or Global Administrator permissions
  • Audit logs enabled, specifically mailbox audit logs
  • Exchange Online Management PowerShell Module

 

Get Recipient Permissions to See Who Has Access

Before we dive deep into the logs, I always like to narrow down my search by simply seeing who has permission to send as that specific account. If only 1-2 users have access, this narrows things down pretty well. If there are a dozen or more, then things might get a little tricky and we’ll need to go into the logs.

Let’s check who has permissions and see if we get lucky. To find this, we’re going to use the Get-RecipientPermission cmdlet from the ExchangeOnlineManagement module.

Get-RecipientPermission testmailbox -AccessRights SendAs | Where-Object {$_.Trustee -ne 'NT AUTHORITY\SELF'}

Identity     Trustee                     AccessControlType AccessRights Inherited
--------     -------                     ----------------- ------------ ---------
Test Mailbox [email protected] Allow             {SendAs}     False


In some scenarios the account itself may well have sent the email, but for the sake of this article we’re going to assume someone sent an email using the SendAs permission. That is why we added the Where-Object clause to exclude SELF.

Find Account That Sent Emails From Shared Mailbox

In the example above, we can see that only one account has access to send as the shared mailbox, so it’s pretty much a no-brainer in this scenario. However, as I mentioned before, some shared mailboxes (or regular mailboxes for that matter) can have multiple people with this access right.

In order to find the exact user, let’s look to the logs and see what they say. Logs never lie!

$SendAs = Search-MailboxAuditLog -Identity testmailbox -Operations SendAs -ShowDetails
$SendAs | Select-Object LogonUserDisplayName, ClientProcessName, ItemSubject, OperationResult, LastAccessed


LogonUserDisplayName : Paul Contreras
ClientProcessName    :
ItemSubject          : The Force
OperationResult      : Succeeded
LastAccessed         : 9/14/2023 8:37:38 PM
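
When several people hold SendAs on the mailbox, the audit search returns many records. The following added example (not code from the original post) rolls them up per sender; Get-SendAsSummary and the sample records are constructed for illustration, and the -StartDate/-EndDate window in the comment is an assumed 30 days.

```powershell
# Added example. Get-SendAsSummary is a hypothetical helper, not an Exchange cmdlet.
# Live use against the page's sample mailbox (needs the requirements listed above):
#   Get-Mailbox -Identity testmailbox | Select-Object AuditEnabled, AuditDelegate
#   Search-MailboxAuditLog -Identity testmailbox -Operations SendAs -ShowDetails `
#       -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) | Get-SendAsSummary

function Get-SendAsSummary {
    [CmdletBinding()]
    param(
        # One audit record per pipeline item, shaped like -ShowDetails output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    begin   { $events = [System.Collections.Generic.List[psobject]]::new() }
    process { $events.Add($Record) }
    end {
        $events | Group-Object -Property LogonUserDisplayName | ForEach-Object {
            # @() keeps a single timestamp indexable as an array.
            $times = @($_.Group | ForEach-Object { [datetime]$_.LastAccessed } | Sort-Object)
            [pscustomobject]@{
                Sender    = $_.Name
                Succeeded = @($_.Group | Where-Object OperationResult -eq 'Succeeded').Count
                Failed    = @($_.Group | Where-Object OperationResult -ne 'Succeeded').Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
                Subjects  = @($_.Group.ItemSubject | Sort-Object -Unique) -join '; '
            }
        } | Sort-Object -Property LastSeen -Descending
    }
}

# Constructed sample records: the first mirrors the output shown above; the
# second sender and every other value are made up for illustration.
$sample = @(
    [pscustomobject]@{ LogonUserDisplayName = 'Paul Contreras'; ItemSubject = 'The Force'
                       OperationResult = 'Succeeded'; LastAccessed = '9/14/2023 8:37:38 PM' }
    [pscustomobject]@{ LogonUserDisplayName = 'Sample Delegate'; ItemSubject = 'Invoice reminder'
                       OperationResult = 'Succeeded'; LastAccessed = '9/15/2023 9:02:11 AM' }
    [pscustomobject]@{ LogonUserDisplayName = 'Sample Delegate'; ItemSubject = 'Invoice reminder'
                       OperationResult = 'Failed'; LastAccessed = '9/15/2023 9:01:40 AM' }
)

# One row per sender, most recent activity first.
$sample | Get-SendAsSummary | Format-Table -AutoSize
```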


Conclusion

In this case the recipient permissions pretty much gave it away, as I was the only one with permissions. However, being able to search the mailbox audit logs will show us EXACTLY which account sent this email. Hopefully this was informative for you and you’re able to find out who sent emails from a shared mailbox.

Paul Contreras

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.
