SOLVED

User able to read and reply on behalf of shared mailbox, but is not a member of it

Copper Contributor

One of our global admins ended her employment this Friday. Before signing out she somehow gave one of our users access to one of our shared mailboxes. Everything works as expected, the shared mailbox can be read and replied on behalf of this user. 

 

BUT the new user of the mailbox is not listed as a member anywhere in the O365 admin gui. How is that possible? Even when querying using PowerShell as in https://o365reports.com/2020/01/03/shared-mailbox-permission-report-to-csv/, the new user is nowhere to be found.

Can anyone give an explanation for this?

6 Replies
Did you check folder-level permissions?

@VasilMichevI guess you mean permissions on the actual inbox, sent items and so on?

 

There are only two entries on all of those: Default and Anonymous. They both have no permissions.

 

Any other suggestions?

There are no other options. Does the Full access permission list any groups that he might be a member of? How is he accessing the shared mailbox, which client is he using? If using Outlook on the desktop, how is the shared mailbox added (File > Add account or File > Account settings > More > Advanced ...)
Full access lists only one account, no groups.

Shared mailbox is accessed from Outlook desktop client and mobile outlook. Even removing and readding the shared mailbox works perfect.

Shared mailbox is added using File > Add account.
best response confirmed by FredrikPalsson (Copper Contributor)
Solution
If added as additional account, there is a possibility that the user has directly entered the username/password for the shared mailbox. This is technically possible, all you need to do is generate a password for the shared mailbox account (as admin), however it is not a supported scenario,
You are most likely spot on. The previous admin who didn't understand the concept of shared mailboxes must have done exacly that (created pw for shared mailbox, and hand it out). After blocking login to the shared mailbox, there were no longer access. It seems the credentials was cached in outlook and therefore I did not realize what happened. Thanks for the suggestion. All shared mailboxes are now blocked for login.
1 best response

Accepted Solutions
best response confirmed by FredrikPalsson (Copper Contributor)
Solution
If added as additional account, there is a possibility that the user has directly entered the username/password for the shared mailbox. This is technically possible, all you need to do is generate a password for the shared mailbox account (as admin), however it is not a supported scenario,

View solution in original post