Microsoft 365 shared mailbox cleanup checklist

Practical shared mailbox checklist

Review shared mailboxes by purpose and owner, not just by display name. A shared mailbox should have a current business owner and a short list of people who still need the access.

• Confirm the mailbox has a current owner who can approve access changes.
• Review Full Access delegates and remove former employees, old contractors, and users who changed roles.
• Review Send As and Send on Behalf permissions separately from read access.
• Check whether access is assigned directly or inherited through a group, and confirm the group is still maintained.
• Review forwarding rules, inbox rules, aliases, and external forwarding that could keep data moving after access changes.
• Check whether the mailbox was created from a former user's mailbox and whether ownership, retention, and license decisions were documented.
• Confirm whether the mailbox is tied to Teams, SharePoint, distribution lists, forms, workflows, or customer-facing addresses.
• Remove unused licenses from shared mailboxes where a license is not required for the current use case.
• Document exceptions, especially mailbox access retained for finance, legal, HR, or operational continuity.
• Schedule a recurring review for shared mailboxes used by high-turnover teams.

When to get help

Get help when shared mailboxes have many delegates, no clear owner, former users in access lists, unexplained forwarding, or dependencies nobody wants to change without evidence. Shared mailbox cleanup often connects to broader offboarding, file ownership, and license cleanup work.

VXSec reviews shared mailbox access as part of the Microsoft 365 access and admin audit and the focused Microsoft 365 offboarding audit.