Forum Discussion
Microsoft 365 E5 Compliance license creating mailboxes for mail users (which we do not want)
I'm not aware of which services exactly those SKUs contain, and it doesn't make much sense to me for them to have the Exchange Online plans included (although there are few features in the compliance stack that require you to have a mailbox). Can you paste the relevant details here? Something like this should do:
(Get-MsolAccountSku | ? {$_.AccountSkuId -eq "tenant:SKUNAME"}).ServiceStatus
rene_weber - Thank you very much for your reply. Unfortunately these users that have outside mailboxes are not in the O365 environment. Some are Gmail, some are Exchange on-prem, one might even be Domino. Since they do not have O365 in their other companies I do not believe B2B will work in this instance.
VasilMichev - Per your instructions, here are the services that are part of E5 Compliance (along with their more user-friendly names). Let me know if there is anything else I can provide, thank you for your assistance!
ServicePlans
M365_ADVANCED_AUDITING - Microsoft 365 Advanced Auditing
INFORMATION_BARRIERS - Information Barriers
PREMIUM_ENCRYPTION - Premium Encryption in Office 365
MIP_S_CLP2 - Information Protection for Office 365 - Premium
PAM_ENTERPRISE - Office 365 Privileged Access Management
EQUIVIO_ANALYTICS - Office 365 Advanced eDiscovery
LOCKBOX_ENTERPRISE - Customer Lockbox
RMS_S_PREMIUM2 - Azure Information Protection Premium P2
- VasilMichev, Jan 06, 2020, MVP
Brandon Hofmann None of these should result in provisioning a mailbox. Yes, some of the services listed do *require* an Exchange Online license to be assigned, but no mailbox should be provisioned without such a license assigned by you.
I assume you have some spare licenses that include Exchange Online and one of those got assigned for some reason. Do you handle assignments via the O365 Admin center, or via group-based licensing or some other method?
- Brandon Hofmann, Jan 07, 2020, Copper Contributor
rene_weber - Sorry, I didn't clearly explain - these users need accounts in our on-prem Active Directory environment as well, as some of them have computers assigned to them, while others may use a shared computer. So I believe in order for that we need to create them in AD, and then sync them to O365/Azure, which is why we have them as Mail Users.
So in this instance we wouldn't be able to do this solution, correct? Again, thank you very much for your assistance!
VasilMichev - I've been using a test account that was created as an on-prem AD user, then mail enabled it and sync'd it to our O365/EXO. I then applied licenses directly to the user (we usually use group-based licensing).
If I remove the E5 Compliance license the EXO properties show up correctly, with the gmail.com address as the primary. But as soon as I add the E5 Compliance license back (even if I only enable 1 feature of it - and I tried each feature individually), the primary SMTP gets changed back to @domain.org (again only in EXO, it remains correct in our on-prem Exchange, and AD, but it's wrong in the Address Book).
I also have a ticket with MS opened, they thought it might be our Address Book Policies that were causing the issue, but I turned them off for that mail user and it still changes. It's quite perplexing. I appreciate the assistance though!
- VasilMichev, Jan 08, 2020, MVP
I'm getting confused now, you originally spoke about mailboxes, now you mention mail user. There's no way you can have a mailbox with a gmail.com address, so I suppose MEUs is what you are indeed creating. If you apply an Exchange license to those, any non-accepted-domain aliases will be stripped out of them, even if no mailbox is actually provisioned for the user. But that should only happen with an actual Exchange Online license assigned, not the compliance SKU.
Unfortunately I don't have the actual SKU to verify/reproduce this, but pinging Nino_Bilic to confirm.
 
 
- rene_weber, Jan 06, 2020, Brass Contributor
Brandon Hofmann This isn't a problem. It works perfectly with Google (just needed as identity provider) and other AAD.
For everyone not using Google or Microsoft, there is a preview feature in AAD. Use one-time passcode, so your users will get a one-time password and can authenticate with this password in your Azure AD.