Forum Discussion
Microsoft 365 E5 Compliance license creating mailboxes for mail users (which we do not want)
We recently purchased Microsoft 365 E5 Compliance and E5 Security licenses to assign to our users (who already have the Microsoft 365 E3 license).
About 1/3 of our users do not have a mailbox hosted by us, and instead are mail users (as they have email accounts hosted by other companies they work for) - we are not assigning an Exchange Online license to them.
When assigning the E5 Security we found we had to turn off "Office 365 Advanced Threat Protection (Plan 2)" and "Office 365 SafeDocs" for those users, since they do not have a mailbox.
However, we cannot apply any features of E5 Compliance, as they all create a mailbox for the user automatically, and then change the users primary email to either @domain.onmicrosoft.com or @domain.org - which then updates our Address Book to list those emails, rather than the external email address they use.
E5 Compliance covers OneDrive/SharePoint and all Office 365 applications, and we want all of users to covered by this, even those without a mailbox. Is there a way we can apply this license without it creating a mailbox/changing the primary SMTP for mail users? If not, is there an alternative solution for us?
Thank you in advance!
11 Replies
I'm not aware of which services exactly those SKUs contain, and it doesn't make much sense to me for them to have the Exchange Online plans included (although there are few features in the compliance stack that require you to have a mailbox). Can you paste the relevant details here? Something like this should do:
(Get-MsolAccountSku | ? {$_.AccountSkuId -eq "tenant:SKUNAME"}).ServiceStatus
rene_weber - Thank you very much for your reply. Unfortunately these user's that have outside mailboxes are not in the O365 environment. Some are Gmail, some are Exchange on-prem, one might even be Domino. Since they do not have O365 in their other companies I do not believe B2B will work in this instance.
VasilMichev - Per your instructions, here are the services that are part of E5 Compliance (along with their more user-friendly names. Let me know if there is anything else I can provide, thank you for your assistance!
ServicePlans
M365_ADVANCED_AUDITING - Microsoft 365 Advanced Auditing
INFORMATION_BARRIERS - Information Barriers
PREMIUM_ENCRYPTION - Premium Encryption in Office 365MIP_S_CLP2 - Information Protection for Office 365 - Premium
PAM_ENTERPRISE - Office 365 Privileged Access Management
EQUIVIO_ANALYTICS - Office 365 Advanced eDiscovery
LOCKBOX_ENTERPRISE - Customer Lockbox
RMS_S_PREMIUM2 - Azure Information Protection Premium P2Brandon Hofmann None of these should result in provisioning a mailbox. Yes, some of the services listed do *require* an Exchange Online license to be assigned, but no mailbox should be provisioned without such license assigned by you.
I assume you have some spare licenses that include Exchange Online and one of those got assigned for some reason. Do you handle assignments via the O365 Admin center, or via group-based licensing or some other method?
- Hello Brandon,
Maybe the solution for this would be inviting the users from other company's as guest user in your azure ad. (Its called B2B collaboration, check here: https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b)
I dont think the features will work, without giving them access to exchange. As a workaround, you could change the GAL with powershell.
https://docs.microsoft.com/en-us/exchange/address-books/address-lists/configure-global-address-list-properties#use-the-exchange-online-powershell-to-modify-global-address-lists
