Exchange Team Blog

How to work with Inactive Mailboxes

The_Exchange_Team
Jan 29, 2019

It usually starts with the following question: Is there a way to release the license of an Exchange Online user who left the company, but at the same time keep the mailbox content? This is what the Inactive mailboxes feature is for, but because we have seen some of our customers confused about the sequence of steps needed to do this correctly, I wanted to cover this scenario.

Scenario

David is a cloud-only user. David currently has an Office 365 Enterprise E5 license. David leaves the company, so as an Admin, I’ll need to remove his account, but I still need to have access to his emails.

Note: In this article, we will provide the steps that have to be taken in order to correctly move a mailbox from the Active state to the Inactive state. Details about how to access the content of an inactive mailbox can be found here.

Before you begin

You have to be connected with PowerShell to Azure Active Directory / Microsoft Online Directory Service (MSODS) and to Exchange Online in order to complete the tasks mentioned in this article.

Steps to take

1. Put the mailbox on hold (this also places the Archive on hold, if one is present). For this scenario I’ve used Litigation Hold, but any hold from Exchange Online or from the Security & Compliance Center can be used:

Set-Mailbox David -LitigationHoldEnabled $True -LitigationHoldDuration Unlimited

Note: The hold setting may take up to 60 minutes to take effect.

2. Ensure the mailbox has Litigation Hold enabled:

Get-Mailbox David | fl PrimarySMTPAddress, Identity, LitigationHoldEnabled, LitigationHoldDuration, MailboxPlan, PersistedCapabilities, SKUAssigned

User properties should now show:

PrimarySmtpAddress : David@contoso.com
Identity : David
LitigationHoldEnabled : True
LitigationHoldDuration : Unlimited
MailboxPlan : ExchangeOnlineEnterprise-0527a260-bea3-46a3-9f4f-215fdd24f4d9
PersistedCapabilities : {BPOS_S_O365PAM, BPOS_S_ThreatIntelligenceAddOn, BPOS_S_EquivioAnalytics, BPOS_S_CustomerLockbox, BPOS_S_Analytics, BPOS_S_Enterprise}
SKUAssigned : True

3. Check the number of licenses you have in total/assigned:

Get-MsolAccountSku | fl AccountSkuId, ActiveUnits, ConsumedUnits

Example of what you might get:

AccountSkuId : contoso:ENTERPRISEPREMIUM
ActiveUnits : 25
ConsumedUnits : 3

ConsumedUnits represents the number of licenses that are currently assigned.

4. Remove the Azure Active Directory user, which will move the mailbox to the inactive state:

Remove-MsolUser -UserPrincipalName David@contoso.com

5. Check that the mailbox was deleted and became an inactive mailbox:

Get-Mailbox David -InactiveMailboxOnly | fl PrimarySMTPAddress, Identity, LitigationHoldEnabled, LitigationHoldDuration, SKUAssigned, IsInactiveMailbox, IsSoftDeletedByRemove, WhenSoftDeleted

The results should be similar to:

PrimarySmtpAddress : David@contoso.com
Identity : Soft Deleted Objects\David
LitigationHoldEnabled : True
LitigationHoldDuration : Unlimited
SKUAssigned : False
IsInactiveMailbox : True
IsSoftDeletedByRemove : True
WhenSoftDeleted : 6/4/2018 6:42:11 AM

6. Check if the Azure Active Directory user was deleted (you should be able to see it in the list of Deleted users, or you can run a command similar to the one below):

Get-MsolUser -ReturnDeletedUsers -All | where {$_.ProxyAddresses -match "David@contoso.com"} | fl UserPrincipalName, IsLicensed, Licenses

The results should be similar to:

UserPrincipalName : David@contoso.com
IsLicensed : True
Licenses : {contoso:ENTERPRISEPREMIUM}

7. Check the number of licenses you have in total/assigned (the license for the user that is now deleted should be released):

Get-MsolAccountSku | fl AccountSkuId, ActiveUnits, ConsumedUnits

The results should be similar to:

AccountSkuId : contoso:ENTERPRISEPREMIUM
ActiveUnits : 25
ConsumedUnits : 2

Optional (if you want to remove the Azure Active Directory user for good):

8. Wait 30 days for the Azure Active Directory user to be deleted from the Deleted Users list, or run a command similar to the one below in order to permanently remove the user:

Get-MsolUser -ReturnDeletedUsers -All | where {$_.ProxyAddresses -match "David@contoso.com"} | Remove-MsolUser -RemoveFromRecycleBin

9. Check whether the user still exists in Active Users or in Deleted Users (neither command should return results, and you should no longer see the user under Deleted users):

Get-MsolUser -All | where {$_.ProxyAddresses -match "David@contoso.com"}
Get-MsolUser -ReturnDeletedUsers -All | where {$_.ProxyAddresses -match "David@contoso.com"}

10. Verify that the mailbox is still in the inactive state, and the Litigation Hold is still enabled:

Get-Mailbox David -InactiveMailboxOnly | fl PrimarySMTPAddress, LitigationHoldEnabled, LitigationHoldDuration, SKUAssigned, IsInactiveMailbox

The result should be similar to:

PrimarySmtpAddress : David@contoso.com
LitigationHoldEnabled : True
LitigationHoldDuration : Unlimited
SKUAssigned : False
IsInactiveMailbox : True
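As an added example (my own wrapper, not code from the original post or an Exchange Team script), the steps above folded into one function that refuses to delete the directory user until Litigation Hold is confirmed on the mailbox, then verifies the inactive state and the released license. The function name and its parameters are assumptions; it relies on the same Exchange Online and MSOnline sessions the post requires.

```powershell
function Invoke-InactiveMailboxOffboarding {
    # Hypothetical wrapper around steps 1-7 of the post; not an Exchange or MSOnline cmdlet.
    # Assumes an existing Exchange Online session and a Connect-MsolService session.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $HoldTimeoutMinutes = 60,   # the post: the hold can take up to 60 minutes to take effect
        [int] $PollSeconds = 120
    )

    # Step 1: place the hold (the Archive, if present, is covered by the same hold).
    $mbx = Get-Mailbox -Identity $UserPrincipalName -ErrorAction Stop
    if (-not $mbx.LitigationHoldEnabled) {
        Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited
    }

    # Step 2: keep polling until LitigationHoldEnabled reads True; never delete before that.
    $deadline = (Get-Date).AddMinutes($HoldTimeoutMinutes)
    while (-not $mbx.LitigationHoldEnabled -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $mbx = Get-Mailbox -Identity $UserPrincipalName
    }
    if (-not $mbx.LitigationHoldEnabled) {
        throw "Hold not confirmed on $UserPrincipalName within $HoldTimeoutMinutes minutes; account NOT deleted."
    }

    # Step 3: snapshot consumed licenses per SKU so the release can be verified afterwards.
    $skuBefore = @{}
    Get-MsolAccountSku | ForEach-Object { $skuBefore[$_.AccountSkuId] = $_.ConsumedUnits }

    # Step 4: only now remove the directory user; -WhatIf on this function previews the deletion.
    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove-MsolUser (mailbox becomes inactive)')) { return }
    Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force

    # Step 5: confirm the result is an inactive mailbox still on hold, not merely a soft-deleted one.
    $inactive = Get-Mailbox -Identity $UserPrincipalName -InactiveMailboxOnly -ErrorAction SilentlyContinue
    if (-not ($inactive -and $inactive.IsInactiveMailbox -and $inactive.LitigationHoldEnabled)) {
        Write-Warning "$UserPrincipalName is not reported as an inactive mailbox on hold; investigate before the 30-day soft-delete window closes."
    }

    # Step 7: report the per-SKU change; the deleted user's SKU should show one unit released.
    foreach ($sku in Get-MsolAccountSku) {
        [pscustomobject]@{
            AccountSkuId   = $sku.AccountSkuId
            ConsumedBefore = $skuBefore[$sku.AccountSkuId]
            ConsumedAfter  = $sku.ConsumedUnits
            Released       = $skuBefore[$sku.AccountSkuId] - $sku.ConsumedUnits
        }
    }
}
```

Run it first with -WhatIf to confirm the hold check passes without deleting anything.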

References; additional information / more details on:

Thanks to Mark Johnson, Nino Bilic and Murali Natarajan for their support and contribution to this blog post!

Cristian Dimofte

Updated Jul 01, 2019
Version 3.0
  • The_Exchange_Team I have a question about Inactive Mailboxes and how to create them.  I have read and am familiar with the typical approach which involves ensuring a hold is present before then deleting the associated user account.  Is it possible to do it this way:

    1. Ensure a retention policy (M365 Retention Policy, with retention settings set) is applied (e.g., org-wide policy).
    2. Remove licenses from and disable Entra ID account.
      1. With intent to never delete the Entra ID account.

    We're going to test this, but will take 30 days to see what will happen.  My assumption is that nothing will happen and the mailbox will remain as Soft Deleted rather than convert into Inactive Mailbox.  I don't really see this as an issue though, and recovery would be super simple (re-license Entra ID account).

    It seems too easy to be true, so wanted to check-in on this one.  The client where I'm working at has Microsoft engaged to help with user provisioning via HR system integration with Entra ID, and one of the complexities involved is that Inactive Mailboxes are in use here, for all users who leave, and currently we un-sync the AD account, leading to a permanent deletion of the Entra ID account.  There've been some people suggesting we just don't UN-sync the AD accounts, rather keep them synced and just disable them and remove their licenses.  Since we're relying on an org-wide policy, seems like the mailboxes should be retained, but may never switch from Soft Deleted to Inactive Mailbox.

  • SeanCarter you probably figured this out already but I think just about any RBAC role which grants access to Get-Mailbox along with the -InactiveMailboxOnly and/or -IncludeInactiveMailboxes parameters.  This page - Find the permissions required to run any Exchange cmdlet | Microsoft Learn - is good for finding the existing roles that will work.  In the tenant I just tried, I found these:

    $Perms = Get-ManagementRole -Cmdlet Get-Mailbox
    $Perms | % {Get-ManagementRoleEntry "$($_.Name)\Get-Mailbox" | where {$_.Parameters -like '*InactiveMailbox*'}} | select Role
    
    Role
    ----
    Mail Recipients
    Compliance Admin
    View-Only Recipients
    Mailbox Search
  • SeanCarter (Copper Contributor)

    Is there a way to allow a junior admin to view the list of Inactive Mailboxes without granting Global Admin, Global Reader, or Compliance Admin role to the junior admin?  If so, what role or permissions are required?

  • ANAND_SUNKA (Copper Contributor)

    Hello MSFT team,

    At step 5 we have already deleted the mailbox and the Azure AD account for David.

    Then why is it showing IsLicensed : True for David?

    UserPrincipalName : David@contoso.com
    IsLicensed : True
    Licenses : {contoso:ENTERPRISEPREMIUM}

    Regards

    Anand Sunka

  • Thanks, that's a good step by step guide. Now the second part of this blog is in order! :)

    How to work with users who returned and now need to reactivate their license and get their account and mailbox back.

    No I am not kidding. It's a typical task at many customers (think medical or research institutions where doctors or researchers come to work for a year or two, then leave to another institution, then come back).

    We have had to develop this process for my customer.

    • Deleted
      Hi Boris,

      Thanks for asking!

      If the MSOLUser still exists (this means that the date on which you moved the MBX to Inactive state is less than 30 days ago), you should restore it, assign an EXO license and the magic will happen.

      If the MSOLUser does not exist anymore (soft-deleted more than 30 days ago, or manually hard-deleted), the answer to your question is documented on:

      - Recover --- https://docs.microsoft.com/en-us/office365/securitycompliance/recover-an-inactive-mailbox

      - Restore --- https://docs.microsoft.com/en-us/office365/securitycompliance/restore-an-inactive-mailbox

      My recommendation will be to try first with the recover option (New-Mailbox -InactiveMailbox). In the situation in which customer is in Hybrid, they should do the recover, and after that do a Hard-Match of the MSODS user with the On-Prem user (set the correct ImmutableID on the MSODS user), and just after that sync the user from On-Prem, using AADConnect tool.

      If the recover will not work, you should try the restore one (New-MailboxRestoreRequest). In the situation in which customer is in Hybrid, I assume that the steps that they are taking are: create the On-Prem user (enabled as RemoteMailbox), sync it to MSODS (this will create the new MBX in EXO), restore the content of the old MBX to the new one (using New-MailboxRestoreRequest command)

      Even so, based on the customer needs, it is up to them which method will use to reaccess data from the old mailbox (recover or restore).

  • I wrote a companion article to this for hybrid customers. Please see http://www.expta.com/2019/01/how-to-work-with-inactive-mailboxes-in.html
    • Deleted
      You should maybe update the guidance on Shared Mailboxes since the *-RemoteMailbox cmdlets now accordingly deal with the -Type Shared parameter/value. No longer needed to fiddle AD attribute.
      • Deleted
        @Benoit, you are right, but, not totally right.

        The "-Type Shared" can be used on the *-RemoteMailbox just for specific versions of Exchange (Exchange 2013 CU21 or later and Exchange 2016 CU10 or later).

        More details on:

        https://support.microsoft.com/en-us/help/4133605/cmdlets-to-create-modify-remote-shared-mailbox-in-on-premises-exchange

        https://docs.microsoft.com/en-us/powershell/module/exchange/federation-and-hybrid/set-remotemailbox?view=exchange-ps

        In case customer's environment is on Exchange 2010, or unsupported versions of Exchange 2013/2016, we recommend what Jeff mentioned in his blog. More details on https://support.microsoft.com/en-us/help/2710029/shared-mailboxes-are-unexpectedly-converted-to-user-mailboxes-after-di, but, in this situation, the steps provided by Jeff are right and enough. Different than the Microsoft official article, Jeff mentioned, as well, to disable the On-Premises AD object's account, as this is now a RemoteSharedMailbox/SharedMailbox, and the AD account of it should not be active, like for the RemoteUserMailbox/UserMailbox object.

  • When being in hybrid mode with AAD connect. Could we achieve the same thing when moving the AD account to an OU that is not synced to O365 instead of removing the AD account?
    • Deleted
      Please see my companion article, How to work with Inactive Mailboxes in a Hybrid Environment. http://www.expta.com/2019/01/how-to-work-with-inactive-mailboxes-in.html
    • Deleted
      I agree with Benoit on this.

      So, the first checks, which confirm that the MBX is on Hold, have to be done. When you have this confirmation, in order to soft-delete the MSODS / Azure AD user (move it into the Deleted Users view), you can remove the On-Premises AD user (or at least remove it from the AADConnect sync scope).

    • Deleted
      Hybrid or just sync'd identities, you can. However you'll need to ensure the Mailbox has been put in Legal Hold before (and therefore have an E3+ or ExO Archiving license assigned before). Filtering is a convenient way to remove in AAD while providing a fast way to recover. Your AD becomes a 1st level of tombstone and you can recover easily before 30 days (after this delay, moving back to a synced OU will only create a fresh new user).
  • The UI (PowerShell) states that it may take an hour to kick-in, so we've always measured this time window before removing an account (such as moving to the cloud immediately before off-boarding). Can we ignore that 60 minute warning/SLA and rely only on LitigationHoldEnabled?

    Also, yes, as Coert K said, Microsoft has recommended we use retention policies in the security and compliance center instead, so please discuss the recommended best practices with these policies as well.

    • Deleted
      Policies are Best Practice but a pain to manage with automation. There is still a requirement to split bunches of 10K users (was 5K before) across policies. I use a modulus on the Guid's HashCode to provide as much as randomness and balance as possible.

      Indeed, LegalHold is far easier to manage, however it's the old-school way to do it (and the question is why the Exchange Team is recommending a legacy path instead of a modern path :))

      • Deleted
        Even if you wouldn't have a message like that (wait for 60 minutes), you have to understand that Exchange Online is a huge environment, in which replication of settings may not be done instantly. Because of this, even if you are not informed that you have to wait, as a best practice my advice will be to wait.

        Related to the question about which Hold option should be recommended (legacy from Exchange Online, or new ones from Security & Compliance), indeed, Microsoft recommends the new ones. Even so, it is up to you (until the time you'll be forced to use just the new ones) which one is most suitable for you, when speaking about moving a mailbox into the Inactive state.

  • Are there any advantages in making the mailbox inactive vs converting the mailbox to shared?

    I think when the mailbox is inactive you cannot gain access without first attaching it or restoring it elsewhere.

    Where as a shared mailbox you can access via RBAC & you also get to free up your license.

    • Deleted
      @Steve_Lindsey - Shared mailboxes have a 50GB limit vs 100GB limit for regular user mailboxes (disabled or not). Shared mailboxes can still be used to send and receive email by users who have been given full access. Unlicensed or deleted users with mailboxes on lit hold cannot be accessed by anyone except those with Discovery Management rights.
      • Deleted
        I agree with Jeff on this, but I would like to go into some more detail on this topic.

        You have to understand the pros and cons of both scenarios. Below I'll try to provide a few of them (there might be others as well):

        Shared Mailbox:

        Pros:

        - The content of the mailbox can be used at any point in time, directly, from clients like Outlook/OWA;

        - The mail-flow is still functional. So, in case you still want to receive or send emails from this MBX, you can do it;

        - If the MBX is not bigger than 50 GB in size, if you do not have an Archive mbx attached to it, and you do not need to use Hold related features on it, no Exchange Online licenses need to be assigned to it.

        Cons:

        - If the Primary MBX is more than 50 GB in size, if it has an Archive attached to it, or if you want to benefit from the Hold features, a proper license has to be assigned to it;

        - The MBX might still be visible in GAL

        Inactive Mailbox:

        Pros:

        - The mail-flow to this MBX will not work anymore;

        - Regardless of the size of the mailbox, or whether it had an Archive MBX attached to it or not (properly licensed at the time the MBX was moved into the Inactive state), the entire content (Primary MBX, Archive MBX, AUXArchives) will be retained until the hold expires, without a need to have a license assigned (this is something that may change in the future, but at this time there is no cost attached to an Inactive mailbox).

        Cons:

        - The content of the mailbox is available only through eDiscovery searches;

  • Is there a good reason to choose Litigation Hold instead of an organization-wide retention policy? We use an automatically assigned retention policy so the first two steps are not needed and every deleted user's mailbox is accessible.
    • Deleted
      @Coert K, the answer can be found on https://docs.microsoft.com/en-us/office365/securitycompliance/create-and-manage-inactive-mailboxes:

      "A mailbox becomes inactive when a Litigation Hold or an Office 365 retention policy (created in the Office 365 Security & Compliance Center) is applied to the mailbox before the corresponding Office 365 user account is deleted."

      It is up to you which one is most suitable for you to use. Even so, if you'll use Organization-Wide Retention policies from Security & Compliance do not exclude the double-check that you have to take, in order to ensure that the MBX in question is under the governance of that policy, and is not excluded from it.

      More details about this on https://docs.microsoft.com/en-us/office365/securitycompliance/identify-a-hold-on-an-exchange-online-mailbox:

      "Excluded from an organization-wide Office 365 retention policy

      -mbxe9b52bf7ab3b46a286308ecb29624696

      If a mailbox is excluded from an organization-wide Office 365 retention policy, the GUID for the retention policy the mailbox is excluded from is displayed in the InPlaceHolds property and is identified by the -mbx prefix."
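As an added example (my own check, not code from the post or from Microsoft), a pre-deletion test that applies the caveat quoted above: it reads LitigationHoldEnabled and InPlaceHolds on the mailbox and reports whether the mailbox is excluded from any org-wide retention policy (the -mbx<GUID> entries), so an org-wide policy is not trusted for a mailbox it no longer covers. The function name is mine, and it assumes that org-wide retention policies are listed in (Get-OrganizationConfig).InPlaceHolds with an mbx<GUID> prefix.

```powershell
function Test-MailboxHoldCoverage {
    # Hypothetical check (not an Exchange cmdlet). Assumes an existing Exchange Online session.
    # Combines the post's LitigationHoldEnabled check with the -mbx exclusion caveat quoted above.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Identity)

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # Assumption: org-wide retention policies appear in OrganizationConfig.InPlaceHolds as
    # mbx<GUID>[:action]; a mailbox-level -mbx<GUID> entry means the mailbox is excluded from that one.
    $orgWide  = @((Get-OrganizationConfig).InPlaceHolds | ForEach-Object {
                    if ($_ -match '^mbx([0-9a-f]{32})') { $Matches[1] } })
    $excluded = @($mbx.InPlaceHolds | ForEach-Object {
                    if ($_ -match '^-mbx([0-9a-f]{32})') { $Matches[1] } })
    # Everything else in the mailbox property (eDiscovery, In-Place Hold, explicit policies) counts as a hold.
    $directHolds = @($mbx.InPlaceHolds | Where-Object { $_ -notmatch '^-mbx' })
    $stillCovered = @($orgWide | Where-Object { $_ -notin $excluded })

    $result = [pscustomobject]@{
        Identity               = $mbx.PrimarySmtpAddress
        LitigationHold         = [bool]$mbx.LitigationHoldEnabled
        MailboxLevelHolds      = $directHolds.Count
        OrgWidePoliciesApplied = $stillCovered.Count
        ExcludedFromOrgWide    = $excluded
        EffectiveHold          = $false
    }
    # Deleting the user is only safe when at least one hold actually applies to this mailbox.
    $result.EffectiveHold = $result.LitigationHold -or $result.MailboxLevelHolds -gt 0 -or $result.OrgWidePoliciesApplied -gt 0
    if (-not $result.EffectiveHold) {
        Write-Warning "$($result.Identity) has no effective hold; deleting the account now would NOT produce an inactive mailbox."
    }
    $result
}
```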