Shared Mailbox

Short Description

A non-user mailbox intended to be used by multiple people.

Details and Remarks

A Shared Mailbox is a special type of mailbox offered by Microsoft Exchange and has existed since Exchange 2007. Prior to Exchange 2007, organizations simply used a regular mailbox in the same way but had no way to classify the mailbox in the Exchange system other than by its display name.

A shared mailbox is also dependent on an Active Directory user account in the same way as a regular mailbox. A key difference with a shared mailbox is that the Active Directory user account must be a disabled user, which prevents the account from being used for logons. Users gain access to a shared mailbox through the Full Access permission.

Microsoft added the ability for shared mailboxes to automatically appear in users’ Outlook profiles whenever the user was explicitly given Full Access permissions to the shared mailbox. The feature was added with Exchange 2010 and Outlook 2010 and works via AutoDiscover.

Quirks and Oddities

Full Access permission can only be given to mail-enabled user accounts, mailbox-enabled user accounts, and mail-enabled security groups. Adding Full Access permission to a shared mailbox using a Mail-Enabled Security Group will not cause the shared mailbox to show up automatically in Outlook. Only explicit user assignments trigger this reaction.

A Mail User can be given Full Access permission to a shared mailbox. However, since a mail user does not have a mailbox there is no automatic reaction to the assignment. A mail user can create an Outlook profile to the shared mailbox directly with this permission.

Shared mailboxes are not designed for large teams of users, and the number of users that open the same shared mailbox should be limited to 10 to 15 connections. Microsoft suggests no more than 25 connections, but real-world experience shows that even that can be too many. Issues range from slow browsing of the mailbox to failed connections, to duplicated messages. Large teams should use Public Folders.

An Office 365 shared mailbox can exist either with or without a license. A shared mailbox without a license is limited to 50GB of total storage, cannot have an online archive mailbox, and cannot use features like eDiscovery, compliance, and governance. These features can be used only when a related enterprise license is applied to the shared mailbox. Applying a license to the shared mailbox will also increase the total storage capacity to 100GB.

An Office 365 shared mailbox is not supported for use as a journaling recipient. Microsoft’s terms-of-service prohibit such usage and Exchange Online’s throttling policies limit delivery to 3600 items per hour which can cause issues for journaling as well.

Enabling the Active Directory user of a shared mailbox can cause issues with accessing the shared mailbox. Exchange checks the state of mailboxes at logon and such inconsistencies can cause checks to fail and prevent access. If direct logon to the shared mailbox is needed by its related user account, it should be converted to a user mailbox.

Granting the Full Access permission to a user doesn’t allow the user to send mail out from the shared mailbox. The authenticated user must also be granted the Send-As permission for such actions. The granting of the Send-As permission requires a separate action from an Exchange administrator.
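
The two points above (the backing account must stay disabled, and Send-As is granted separately from Full Access) can be checked together. The following on-premises audit is an added example, not part of the original page; it assumes an Exchange Management Shell session with the ActiveDirectory module available, and the report column names are chosen here for illustration.

```powershell
# Added example: on-premises audit of shared mailbox exposure.
# Assumes the Exchange Management Shell plus the ActiveDirectory module.
Import-Module ActiveDirectory

$shared = Get-Mailbox -Filter "RecipientTypeDetails -eq 'SharedMailbox'" -ResultSize Unlimited

$report = foreach ($mbx in $shared) {
    # The account behind a shared mailbox is expected to be disabled.
    $adUser = Get-ADUser -Identity $mbx.Guid

    # Explicit Full Access grants: skip inherited entries, Deny entries and SELF.
    $fullAccess = @(Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.AccessRights -match 'FullAccess' -and
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notmatch '\\SELF$'
        } | ForEach-Object { $_.User.ToString() })

    # On-premises, Send-As is an extended right on the mailbox's AD object.
    $sendAs = @(Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            ($_.ExtendedRights -like '*Send-As*') -and
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notmatch '\\SELF$'
        } | ForEach-Object { $_.User.ToString() })

    # Delegates who can both read the mailbox and send as it.
    $both = @($fullAccess | Where-Object { $sendAs -contains $_ })

    [PSCustomObject]@{
        Mailbox             = $mbx.PrimarySmtpAddress
        AccountEnabled      = $adUser.Enabled      # should be False
        FullAccess          = $fullAccess -join '; '
        SendAs              = $sendAs -join '; '
        FullAccessAndSendAs = $both -join '; '
    }
}

# Mailboxes whose account is enabled sort to the top for review.
$report | Sort-Object -Property AccountEnabled -Descending | Format-Table -AutoSize
```

Rows with AccountEnabled set to True are the ones to review first, since that account can be used for direct logon to the mailbox.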

Common and Interesting PowerShell Commands

Get all shared mailboxes

Returns a list of Shared Mailboxes. Uses the -Filter parameter so that the filtering occurs on the server.
Get-Mailbox -Filter "RecipientTypeDetails -eq 'SharedMailbox'" -ResultSize Unlimited

Get all users with Full Access to Shared Mailboxes

Returns a list of shared mailboxes and, for each, a list of users and groups that have Full Access permissions to them. Note the use of the -Filter parameter, which causes the Exchange server to filter the results before returning them to the requester.
Invoke-Command {
    $mbxs = Get-Mailbox -Filter "RecipientTypeDetails -eq 'SharedMailbox'" -ResultSize Unlimited
    $perms = $mbxs | Get-MailboxPermission
    # Keep Full Access entries, skipping each mailbox's own SELF entry
    $fullAccess = $perms | ? { $_.AccessRights -match 'FullAccess' -and $_.User -NotMatch '\\Self' }
    # Resolve each delegate to a recipient once and cache the result
    $fullAccessUsers = @{}
    foreach ($mem in $fullAccess) {
        if ( -not($fullAccessUsers[$mem.User]) ) { $recip = Get-Recipient $mem.User -EA SilentlyContinue; if ($recip) { $fullAccessUsers[$mem.User] = $recip } }
    }
    $fullAccessMailboxes = @()
    foreach ($fa in $fullAccess) {
        if ($fullAccessUsers[$fa.User]) { $fullAccessMailboxes += [PSCustomObject]@{Mailbox = ($mbxs | ? { $_.Identity -eq $fa.Identity }); FullAccessDelegate = $fullAccessUsers[$fa.User] } }
    }
    Return $fullAccessMailboxes
}

Get users that are Auto Mapped to mailboxes.

When granting the Full Access permission to a mailbox, Exchange will, by default, add a setting that maps the delegated mailbox to the user so that it automatically appears in their Outlook view. This is called AutoMapping. Using Exchange PowerShell it is possible to grant the Full Access permission without triggering the auto mapping.

A question often asked is how to get a list of the auto mapped mailboxes for a given user. The following command will return the list of accounts that are auto mapped back to the mailbox. Behind the scenes the PowerShell command is reading the Active Directory user property named msExchDelegateListBL from the “shared” mailbox.

The Office 365 pattern is a bit convoluted because there’s no ability to get to the backlink property of a user. In this case all mailboxes in the organization must be collected and for each one the list of auto-mapping links must be collected. Once collected, a search of the results can be made for the mailbox in question. Please note that this will be quite slow if there are 100s or 1000s of mailboxes in the organization. The command will return all mappings to a variable named $allAutoMaps so that if future searches are needed you only need to filter the variable. Refer to the last line of the script below. The Office 365 script also uses a little-known trick of using the Get-CalendarNotification command with -ReadFromDomainController to get some key properties of a user that cannot be retrieved in any other way.

For the on-premises version it is much easier. It uses Get-ADUser, which allows for direct access to the backlink property of any given user. Note that you’ll need to be able to run the Get-ADUser PowerShell command in your session.
# Office 365: collect every auto-mapping link in the organization into $allAutoMaps.
$allAutoMaps = Invoke-Command {
    $allMailboxes = Get-Recipient -RecipientType UserMailbox -ResultSize Unlimited
    $linkCache = @{}
    $allDelegates = foreach ($mbx in $allMailboxes) {
        $delegates = (Get-CalendarNotification -Identity $mbx.Guid -ReadFromDomainController).DelegateListLink
        if ($delegates) {
            foreach ($link in $delegates) {
                if (!$linkCache.$link) { $linkCache.$link = (Get-Recipient -Identity $link) }
                [PSCustomObject]@{Mailbox = $linkCache.$link; AutoMapsTo = $mbx }
            }
        }
    }
    return $allDelegates | sort { $_.Mailbox.Identity }
}
# Filter the collected mappings for one mailbox; re-run only these two lines for later searches.
$check = Read-Host -Prompt "Enter the Identity of a mailbox to check"
$allAutoMaps | ?{$_.Mailbox -match $check}

# On-premises: uses Active Directory PowerShell (Get-ADUser) in addition to Exchange.
(Get-ADUser (Get-Mailbox $(Read-Host -Prompt "Enter the identity of a mailbox to check")).Guid -Properties msExchDelegateListBL).msExchDelegateListBL | Get-Mailbox
