Microsoft 365 admins can set mailbox delegation to access other mailboxes. The delegates can view and send emails based on the given permission level. You can view delegated mailbox permissions using the Exchange admin center or PowerShell.
SendAs vs SendOnBehalf:
Before starting the email tracking, I want to clarify a few things which confuse most users.
Send As – Allows delegates to send email as a delegated mailbox. The recipient will not get the clue that the email was sent by the delegate.
Send on Behalf – Allows delegates to send emails on behalf of the delegated mailbox. The recipient can identify who sent the email from which mailbox by seeing the ‘From’ email address. It will look similar to <Delegate> on behalf of <Delegated User>.
When it comes to Send As permission, it is challenging to track the source of the emails. Often, admins need to find who sent an email from the shared mailbox or any mailbox”. This blog will help find the sender of an email using Office 365 audit logs.
Identify Who Sent Email from a Mailbox:
Office 365 audit logs can be obtained through audit log search or PowerShell.
- Audit log search: It will show the activity name “Sent message using Send As permissions” and the sender info. However, you can’t see the accessed mailbox at a glance. You need to click each audit record to view the ‘SendAsUserSmtp’.
- PowerShell: You can use the Search-UnifiedAuditLog cmdlet to audit emails sent using Send As permission. But it has a few limitations, which may cause partial data retrieval.
By considering all the challenges, we have created a PowerShell script to ‘audit Send As emails’ and export the report to the CSV file.
Script Download: AuditSendAsEmails.ps1
Script Highlights:
- The script uses modern authentication to retrieve audit logs.
- The script can be executed with MFA enabled account too.
- Exports report results to CSV file.
- Helps to find out who sent email from a shared mailbox.
- Allows you to generate send as email audit report for a custom period.
- Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
- The script is scheduler-friendly. i.e., Credential can be passed as a parameter instead of saving inside the script.
Audit Send As Emails Report – Sample Output:
The exported Send As email audit report contains following attributes: Mail Sent Time, Sent By, Sent As, Email Subject, Result, and More Detailed Audit Info.
Audit Send As Emails – Script Execution Methods:
To run the script, you can choose any one of the methods below.
Method 1: Execute script with MFA and non-MFA account
1 |
.\AuditSendAsEmails.ps1 |
The exported email audit report contains all the emails sent through SendAs permission in the last 90 days.
Method 2: Execute script by explicitly mentioning the credentials (Scheduler friendly).
1 |
.\AuditSendAsEmails.ps1 -UserName admin@contoso.com -Password XXX |
If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work.
More Use-cases:
By using our script, admins can generate fine-grained audit reports. I have listed a few use cases below.
- Export Send As activity report for a custom period.
- Find who sent an email from a shared mailbox.
- Schedule ‘Send As audit report.’
- Get a monthly report on emails sent using Send As.
Export Send As Activity Report for a Custom Period:
By default, the script will generate the audit report for the past 90 days. If you want to audit ‘Send As‘ emails for a specific time range, you can run the script with –StartDate and –EndDate params.
1 |
.\AuditSendAsEmails.ps1 -StartDate 3/10/22 -EndDate 3/24/22 |
The above format retrieves all the emails sent using Send As between Mar 10, 2022, and Mar 24, 2022.
Find Who Sent Email from a Shared Mailbox:
Shared mailboxes can be accessed by many users. So, it is a critical task to identify who sent an email from a specific shared mailbox. To find the sender of an email, open the report with Excel and filter the desired shared mailbox from the ‘Sent As’ column.
1 |
.\AuditSendAsEmails.ps1 |
To audit who deleted emails from a shared mailbox, you can download the dedicated script to export the email deletion audit report.
Schedule ‘Send As Audit Report’:
Since the ‘Search-UnifiedAuditLog‘ can keep an audit log for 90 days (for E3 license), you may require old data for analysis. In that case, scheduling will help you keep the audit log for a longer period.
To automate the PowerShell script, you can use the below format in the Windows Task Scheduler.
1 |
.\AuditSendAsEmails.ps1 -UserName admin@contoso.com -Password XXX |
If the admin account has MFA, you need to disable MFA based on the Conditional Access policy to make it work.
Get a Monthly Report on Send As Emails:
To get a monthly report on emails sent using Send As permission, run the script as follows.
1 |
.\AuditSendAsEmails.ps1 -StartDate ((Get-Date).AddDays(-30)) -EndDate (Get-Date) -UserName admin@contoso.com -Password XXX |
This example will retrieve the last 30-days audit data. You can also use this format to automate monthly reports.
Audit Emails in a More Effective Way:
By using PowerShell, admins can customize the script based on their needs. But it requires a lot of time and PowerShell knowledge. With AdminDroid Office 365 email monitoring tool, you can get the reports in a few mouse clicks. Also, you can slice and dice the data by using contextual filters and graphs.
For example,
- When was the mail sent? – You can select a specific date or week or a custom period.
- Who sent emails? – You can filter out emails that are sent by a specific user or list of users.
- Which mailbox was used to send? – You can find who sent the email from a specific shared mailbox.
- View email details – You can find out who sent an email from which mailbox and what was sent.
AdminDroid provides 250+ pre-built email reports and smart dashboards to know more about your organization’s email activities at a glance. By using the ‘Views’ and ‘Advanced Filter’ options, you can create custom reports.
The reports provide AI-powered graphical analysis to gain insights and better understand the data in a visually appealing manner,
Additionally, AdminDroid provides 1500+ reports on various Office 365 services like Azure AD, Exchange Online, SharePoint Online, Microsoft Teams, OneDrive for Business, Stream, OneNote, Yammer, etc.
Besides, AdminDroid offers 100+ reports and a handful of dashboards for free to manage your organization’s users, licenses, groups, group membership, membership changes, user logins, password changes, etc. The free version allows you to perform customization, scheduling and exporting too. Download the Free Office 365 reporting software by AdminDroid and see how it helps you.
I hope this blog will help you identify who sent emails from the delegated mailbox and audit emails efficiently.