diff --git a/scripts/m365-get-shared-mailboxes-without-owners/README.md b/scripts/m365-get-shared-mailboxes-without-owners/README.md new file mode 100644 index 000000000..9e5c894ac --- /dev/null +++ b/scripts/m365-get-shared-mailboxes-without-owners/README.md 
@@ -0,0 +1,113 @@ + + +# Get Shared Mailboxes Without Owners + +## Summary + +This script identifies **shared mailboxes that have no assigned owners or members** by analysing mailbox permissions in Exchange Online. It detects shared mailboxes where no user (other than system accounts) has **FullAccess** permissions, indicating the mailbox is effectively unmanaged. + +The output can be used for **governance reviews, access audits, compliance reporting, and remediation planning** in large Microsoft 365 tenants. + +## Why It Matters + +In many organisations, shared mailboxes are created for teams, projects, or business functions. Over time, users leave, teams are restructured, or ownership is never formally assigned. + +Unowned shared mailboxes can: +- Contain sensitive or regulated data +- Remain accessible to unintended users +- Fail internal access control or audit requirements +- Become unmanaged attack surfaces + +This script enables administrators to **proactively identify and remediate orphaned shared mailboxes** before they become a security or compliance risk. 
+ +## Benefits +- Improves mailbox ownership governance +- Supports security and compliance audits +- Reduces risk of unauthorised data access +- Helps maintain least-privilege access +- Scales efficiently for large Microsoft 365 tenants + + +# [Exchange](#tab/exc) + +```powershell + +Connect-ExchangeOnline -ShowBanner:$false + +$sharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited +$results = @() + +foreach ($mailbox in $sharedMailboxes) { + + $permissions = Get-MailboxPermission -Identity $mailbox.Identity | + Where-Object { + $_.AccessRights -contains "FullAccess" -and + $_.IsInherited -eq $false -and + $_.User -notlike "NT AUTHORITY\SELF" + } + + if ($permissions.Count -eq 0) { + $results += [PSCustomObject]@{ + DisplayName = $mailbox.DisplayName + PrimarySmtpAddress = $mailbox.PrimarySmtpAddress + MailboxGuid = $mailbox.Guid + } + } +} + +$results + + +``` + + +# [Usage](#tab/pnpps) + +1. Connect to Exchange Online with sufficient permissions: + - Exchange Administrator or Global Administrator +2. Run the script +3. Review the output in the console or pipe it to export formats, for example: + +```powershell + +$results | Export-Csv ".\SharedMailboxesWithoutOwners.csv" -NoTypeInformation + + +``` + +[!INCLUDE [More about PnP PowerShell](../../docfx/includes/MORE-PNPPS.md)] +*** + + +## Output +The script returns objects with the following properties: +- **DisplayName** +- **PrimarySmtpAddress** +- **MailboxGuid** + +Each row represents a shared mailbox with **no assigned owners or members**. 
+ +## Notes +- The script evaluates **explicit FullAccess permissions only** +- Mailboxes managed exclusively via groups will appear as owned only if group permissions are assigned directly +- Designed for large tenants using server-side filtering and minimal object expansion +- Can be safely scheduled or integrated into governance reporting workflows + +## Contributors + +| Author(s) | +|-----------| +| [Josiah Opiyo](https://github.com/ojopiyo) | + +*Built with a focus on automation, governance, least privilege, and clean Microsoft 365 tenants—helping M365 admins gain visibility and reduce operational risk.* + + +## Version history + +Version|Date|Comments +-------|----|-------- +1.0|Jan 11, 2026|Initial release + + +[!INCLUDE [DISCLAIMER](../../docfx/includes/DISCLAIMER.md)] + \ No newline at end of file diff --git a/scripts/m365-get-shared-mailboxes-without-owners/assets/example.png b/scripts/m365-get-shared-mailboxes-without-owners/assets/example.png new file mode 100644 index 000000000..9feb18d96 Binary files /dev/null and b/scripts/m365-get-shared-mailboxes-without-owners/assets/example.png differ diff --git a/scripts/m365-get-shared-mailboxes-without-owners/assets/preview.png b/scripts/m365-get-shared-mailboxes-without-owners/assets/preview.png new file mode 100644 index 000000000..72a9255df Binary files /dev/null and b/scripts/m365-get-shared-mailboxes-without-owners/assets/preview.png differ diff --git a/scripts/m365-get-shared-mailboxes-without-owners/assets/sample.json b/scripts/m365-get-shared-mailboxes-without-owners/assets/sample.json new file mode 100644 index 000000000..1a4deca7e --- /dev/null +++ b/scripts/m365-get-shared-mailboxes-without-owners/assets/sample.json 
@@ -0,0 +1,52 @@ +[ + { + "name": "m365-get-shared-mailboxes-without-owners", + "source": "pnp", + "title": "Get Shared Mailboxes Without Owners", + "shortDescription": "This script identifies shared mailboxes that have no assigned owners or members by analysing mailbox permissions in Exchange Online.", + "url": "https://pnp.github.io/script-samples/m365-get-shared-mailboxes-without-owners/README.html", + "longDescription": [ + "" + ], + "creationDateTime": "2026-01-11", + "updateDateTime": "2026-01-11", + "products": [ + "Office" + ], + "metadata": [ + { + "key": "POWERSHELL", + "value": "7.2.0" + } + ], + "categories": [ + "Report" + ], + "tags": [ + "Connect-ExchangeOnline" + ], + "thumbnails": [ + { + "type": "image", + "order": 100, + "url": "https://raw.githubusercontent.com/pnp/script-samples/main/scripts/m365-get-shared-mailboxes-without-owners/assets/preview.png", + "alt": "Preview of the sample Get Shared Mailboxes Without Owners" + } + ], + "authors": [ + { + "gitHubAccount": "ojopiyo", + "company": "", + "pictureUrl": "https://github.com/ojopiyo.png", + "name": "Josiah Opiyo" + } + ], + "references": [ + { + "name": "Want to learn more about Microsoft Graph PowerShell SDK and the cmdlets", + "description": "Check out the Microsoft Graph PowerShell SDK documentation site to get started and for the reference to the cmdlets.", + "url": "https://learn.microsoft.com/graph/powershell/get-started" + } + ] + } +]
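Review bot: In README.md, the `Where-Object` filter in the Exchange tab counts any explicit FullAccess entry other than `NT AUTHORITY\SELF` as an owner, so a mailbox whose only remaining entries are a deny entry or an unresolved SID left by a deleted account is treated as owned and never reaches `$results`. Consider also requiring `$_.Deny -eq $false` and excluding `$_.User -like "S-1-5-*"`, and wrap the pipeline in `@(...)` so `.Count` is always read from an array. The Notes line "server-side filtering and minimal object expansion" does not match the loop, which calls `Get-MailboxPermission` once per mailbox and grows `$results` with `+=`; reword the note or assign the `foreach` output to `$results` directly. Usage step 1 asks for Exchange Administrator or Global Administrator although the script only calls `Get-` cmdlets, which sits oddly with the least-privilege benefit listed above it; state the lowest role that was tested.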
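Review bot: In assets/sample.json, the `references` entry points to the Microsoft Graph PowerShell SDK, but the only tag is `Connect-ExchangeOnline` and the README script uses Exchange Online cmdlets throughout; swap it for an Exchange Online PowerShell reference so the metadata describes the script that ships. The same mismatch shows in README.md, where the Usage tab is labelled `#tab/pnpps` and includes MORE-PNPPS.md. `longDescription` is also left as a single empty string and could carry the README summary.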