Using ExcludeFromAllHolds to Remove Holds from Inactive Mailboxes

Retention support for inactive mailboxes is now available in Public Cloud. We’re excited to announce that the rollout for Government Cloud will begin next week. For more details and future milestones, check out the roadmap here: https://www.microsoft.com/en-us/microsoft-365/roadmap?id=537204.

Introduction

When managing inactive mailboxes in Microsoft Exchange Online, administrators often need to remove holds to allow for permanent deletion while maintaining compliance requirements. The ExcludeFromAllHolds parameter provides an enhanced and comprehensive solution for removing multiple types of holds from inactive mailboxes in a single operation.

This article explains how to use the ExcludeFromAllHolds parameter, what holds it removes, its prerequisites, and how it relates to the RemoveComplianceTagHold switch. Together, these options help you efficiently manage the inactive mailbox lifecycle while preserving compliance integrity.

Overview and purpose

The ExcludeFromAllHolds parameter is a cmdlet switch that removes all applicable holds from inactive mailboxes except for eDiscovery holds, litigation hold, and restrictive retention policies. This parameter is intended for scenarios where unnecessary retention holds need to be removed so that mailboxes can be permanently deleted, provided no legal holds or restrictive retention holds are applied as the cmdlet continues to respect legal holds required for regulatory compliance.

The RemoveComplianceTagHold switch, in contrast, removes only the Compliance Tag–based hold (ComplianceTagHoldApplied) from a mailbox, giving you more granular control when you only want to adjust Compliance Tag enforcement without excluding the mailbox from other holds.

Key capabilities

• Comprehensive coverage: ExcludeFromAllHolds handles both organization-level AND user-level retention policies
• Scope flexibility: Works with static and adaptive scopes
• Compliance preservation: Maintains eDiscovery holds, Inplaceholds(eDiscovery-ComplianceSearch), litigation hold and restrictive retention policies
• Automated processing: Single command removes multiple hold types simultaneously
• Removes orphan holds: This command removes orphan holds scoped at organization and user level.
• Granular tag control: RemoveComplianceTagHold clears only the Compliance Tag hold without touching other holds

Primary use case

The primary use case for ExcludeFromAllHolds is the ability to permanently delete inactive mailboxes by removing holds while preserving compliance requirements. This is particularly useful when:

• Decommissioning user accounts after litigation periods end
• Streamlining compliance posture while maintaining legal requirements
• Bulk processing of inactive mailboxes during organizational changes

RemoveComplianceTagHold is used when you specifically need to remove only the Compliance Tag hold (for example, to allow tag logic to be recalculated or changed) while keeping all other holds intact. RemoveComplianceTagHold can be used for active mailboxes as well and is primarily used for migration related scenarios.

What holds does ExcludeFromAllHolds remove?

The ExcludeFromAllHolds parameter provides selective hold removal based on compliance requirements and policy types.

Holds that ARE removed:

Holds that are NOT removed:

Important: ExcludeFromAllHolds does not modify the policies themselves, it only creates exemptions for the specific mailbox while leaving the policies intact for other mailboxes.

Prerequisites

1. PowerShell environment

• Exchange Online PowerShell is required – cannot use Exchange Admin Center (EAC) or Microsoft Purview portal (SCC).
• Must have active PowerShell session to Exchange Online

2. Mailbox state

• Mailbox must be in inactive state (soft-deleted with holds)
• Cannot be used on active/inactive publicfolder/scheduling/room mailboxes , fully deleted mailboxes, active mailusers, active group mailboxes.
• Verify inactive status before proceeding

# Verify inactive mailbox status
Get-Mailbox -InactiveMailboxOnly -Identity "user@contoso.com" | 
    Select-Object Name, IsInactiveMailbox, InPlaceHolds

3. RBAC permissions

Required role-based access control permissions include:

• Mailbox Import Export role
• Retention Management role
• eDiscovery Manager role (for viewing eDiscovery holds)

4. Compliance verification

• Document current holds before removal
• Verify legal and compliance requirements
• Ensure no active litigation or regulatory requirements

Syntax and examples

Basic syntax

Set-Mailbox -Identity <inactive-mailbox-identity> -ExcludeFromAllHolds

Example 1: Remove holds from a single inactive mailbox

Set-Mailbox -Identity "john.doe@contoso.com" -ExcludeFromAllHolds

Get-Mailbox -InactiveMailboxOnly -Identity "john.doe@contoso.com" | 
    Select-Object Name, InPlaceHolds, IsInactiveMailbox

Example 2: Bulk processing multiple inactive mailboxes

$InactiveMailboxes = Get-Mailbox -InactiveMailboxOnly

foreach ($Mailbox in $InactiveMailboxes) {
    Write-Host "Processing: $($Mailbox.DisplayName)"
    $CurrentHolds = $Mailbox.InPlaceHolds
    Write-Host "Current holds: $($CurrentHolds.Count)"
    Set-Mailbox -Identity $Mailbox.Guid -ExcludeFromAllHolds
    $UpdatedMailbox = Get-Mailbox -InactiveMailboxOnly -Identity $Mailbox.Guid
    Write-Host "Remaining holds: $($UpdatedMailbox.InPlaceHolds.Count)"
}

Example 3: Selective processing with pre-validation

function Test-HaseDiscoveryHolds {
    param($Mailbox)
    foreach ($Hold in $Mailbox.InPlaceHolds) {
        if ($Hold -match "^cld|^skp|^unih") {
            return $true
        }
    }
    return $false
}

$InactiveMailboxes = Get-Mailbox -InactiveMailboxOnly
foreach ($Mailbox in $InactiveMailboxes) {
    if (!(Test-HaseDiscoveryHolds -Mailbox $Mailbox)) {
        Write-Host "Safe to process: $($Mailbox.DisplayName)"
        Set-Mailbox -Identity $Mailbox.DistinguishedName -ExcludeFromAllHolds
    } else {
        Write-Warning "eDiscovery holds detected on: $($Mailbox.DisplayName)"
    }
}

Verification and monitoring

Immediate verification

Verify the stamped exclusions on the mailbox.

Get-Mailbox - SoftDeletedMailbox -Identity "user@contoso.com" | 
    Select-Object Name, InPlaceHolds, ComplianceTagHoldApplied, 
                  DelayHoldApplied, DelayReleaseHoldApplied

Monitor state transitions

Validate that state of mailbox has transitioned from inactive to soft-deleted mailbox.

Get-Mailbox -SoftDeletedMailbox -Identity "user@contoso.com" | 
    Select-Object Name, IsInactiveMailbox, WasInactiveMailbox, 
                  InactiveMailboxRetireTime, WhenSoftDeleted

Audit trail review

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -Operations "Set-Mailbox" `
    -FreeText "ExcludeFromAllHolds"

Using ExcludeFromAllHolds For Other Exchange Objects

Example 4: Use ExcludeFromAllHolds for Inactive Mail User

# Get the inactive mail user

$MailUser = Get-MailUser -Identity "user@contoso.com" -SoftDeletedMailUser

# Exclude the associated inactive mailbox from all applicable holds

Set-MailUser -Identity $MailUser.ExchangeGuid -ExcludeFromAllHolds

# Verify the inactive mailbox state and holds

Get-MailUser -SoftDeletedMailUser -Identity $MailUser.ExchangeGuid | Select-Object Name, IsInactiveMailbox, InPlaceHolds

Example 5: Use ExcludeFromAllHolds for Inactive Group Mailbox

# Get the inactive group mailbox
$Group = Get-Mailbox -Identity "user@contoso.com" -SoftDeletedMailbox -GroupMailbox

# Exclude the associated inactive mailbox from all applicable holds
Set-Mailbox -Identity $MailUser.ExchangeGuid -ExcludeFromAllHolds -GroupMailbox

# Verify the inactive mailbox state and holds
Get-Mailbox -Identity "user@contoso.com" -SoftDeletedMailbox -GroupMailbox | Select-Object Name, IsInactiveMailbox, InPlaceHolds

Using RemoveComplianceTagHold

In some scenarios, you may want to remove only the Compliance Tag–based hold from a mailbox, without excluding the mailbox from all applicable retention policies and other holds. The RemoveComplianceTagHold switch on Set-Mailbox provides this more granular control.

Example 6: Remove only compliance tag hold from inactive mailbox

# Remove only the Compliance Tag hold from an inactive mailbox
Set-Mailbox -Identity "john.doe@contoso.com" -RemoveComplianceTagHold

# Verify that ComplianceTagHoldApplied is cleared while other holds remain
Get-Mailbox -InactiveMailboxOnly -Identity "john.doe@contoso.com" |Select-Object Name, InPlaceHolds, ComplianceTagHoldApplied, DelayHoldApplied, DelayReleaseHoldApplied

Example 7: Remove compliance tag hold from active mailbox with consent

# Remove only Compliance Tag hold from an active mailbox (requires explicit consent)
Set-Mailbox -Identity "active.user@contoso.com" -RemoveComplianceTagHold -ProvideConsent

# Verify updated hold state on the active mailbox
Get-Mailbox -Identity "active.user@contoso.com" | Select-Object Name, InPlaceHolds, ComplianceTagHoldApplied

Best practices and considerations

• Document current state before removal
• Verify compliance and legal requirements
• Process in small batches
• Enable audit logging and approval workflows
• Monitor and track progress

Troubleshooting common Issues

ExcludeFromAllHolds has no effect

Causes:

• Only eDiscovery or restrictive holds exist
• Insufficient permissions
• Mailbox is not inactive

Get-Mailbox -InactiveMailboxOnly -Identity "user@contoso.com" | 
    Select-Object InPlaceHolds | Format-List

Partial hold removal

Expected: Inplaceholds(eDiscovery-ComplianceSearch), eDiscovery, litigation hold, and restrictive holds are preserved

$Mailbox = Get-Mailbox -InactiveMailboxOnly -Identity "user@contoso.com"
foreach ($Hold in $Mailbox.InPlaceHolds) {
    $HoldType = switch -Regex ($Hold) {
        '^cld' { "eDiscovery Hold (Preserved)" }
        '^unih' { "eDiscovery Hold (Preserved)" }
        '^mbx' { "Retention Policy (Should be removed, check if restrictive policy)" }
        default { "ComplianceSearch (Preserved)" }
    }
    Write-Host "$Hold - $HoldType"
}

Related commands and tools

Get-Mailbox -InactiveMailboxOnly
Get-RetentionCompliancePolicy
Get-ComplianceSearch
Get-Mailbox -SoftDeletedMailbox
Set-Mailbox -Identity <mailbox> -RecalculateInactiveMailbox

Conclusion

The ExcludeFromAllHolds parameter provides a comprehensive and safe method for removing holds from inactive mailboxes while maintaining compliance integrity. The RemoveComplianceTagHold switch complements this capability by allowing you to remove only the Compliance Tag hold when needed.

Key takeaways:

• Comprehensive hold removal with compliance safety
• eDiscovery and restrictive holds are preserved
• Supports audit and compliance reporting
• Can be used for inactive mailusers and inactive group mailboxes as well.
• Granular removal of Compliance Tag hold using RemoveComplianceTagHold (with -ProvideConsent for active mailboxes)
  
  

FAQ

Q: How is this different from ExcludeFromAllOrgHolds?
A: ExcludeFromAllOrgHolds excludes from retention policies stamped in Organization Config. This switch excludes from all applicable retention policies (User + Organization scope) except policies with preservation lock enabled.

Q: Does this remove the applied retention labels also?
A: No, the retention labels are not removed from the items. It removes the compliance tag hold from the mailbox if no preservation lock policy is present. The hold will be reapplied by the Email Lifecycle Assistant if there are items in the mailbox with a retention label applied.

Q: Does excluding a mailbox result in immediate deletion of the mailbox?
A: No, the mailbox will be transitioned to a soft-deleted state and deleted as per the lifecycle of a soft-deleted mailbox.

Q: How do I revert the action?
A: Stamped exclusions and RemoveComplianceTagHold actions cannot be reverted via cmdlet. You must apply new policies going forward; previously excluded states are not automatically restored. The Compliance Tag hold will be reapplied by the Email Lifecycle Assistant if there are items in the mailbox with a retention label applied.

Q: Is there a delay before exclusion takes effect?
A: Expect propagation latency (< 5 minutes) across due to caching. For defensibility, record the timestamp of the change and allow the propagation window before performing irreversible deletion operations.

Q: Any limits or quotas?
A: No specific per-tenant exclusion cap is expected, but bulk automation may be throttled; stagger large batches and monitor service health messages.

Q: What is the expected behaviour for adaptive scoped policy?
A: The adaptive scoped policies which are stamped on the mailbox will be excluded. Once excluded, the mailbox can not be re-scoped to the policy.

Q: How is this different from RemoveComplianceTagHold?
A: ExcludeFromAllHolds removes multiple applicable holds (organization-level, user-level, delay holds, and Compliance Tag holds where allowed) while preserving Inplaceholds(eDiscovery-ComplianceSearch), eDiscovery, litigation, and restrictive retention policies. RemoveComplianceTagHold removes only the Compliance Tag hold from the mailbox and leaves all other holds unchanged.

Q: Does this remove the applied retention labels also?
A: No, the retention labels are not removed from the items. Both ExcludeFromAllHolds and RemoveComplianceTagHold remove the Compliance Tag–based hold from the mailbox if no preservation lock policy is present. The hold may be reapplied by the Email Lifecycle Assistant if there are items in the mailbox with a retention label applied and applicable policies.

Q: Can I remove the Compliance Tag hold from an active mailbox?
A: Yes. Use Set-Mailbox -Identity <active-mailbox> -RemoveComplianceTagHold -ProvideConsent. The -ProvideConsent switch is required on active mailboxes to acknowledge the compliance impact of removing the Compliance Tag hold.

Rishabh Kumar, Darshana Rana and Exchange Online Archiving Team